Summary: | <www-servers/apache-2.2.16: multiple vulnerabilities DoS (CVE-2010-{1452,2791}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Marcin Mirosław <bug> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | alex, apache-bugs, himbeere, mr.jarry |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://httpd.apache.org/security/vulnerabilities_22.html | | |
Whiteboard: | C3 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Description

Marcin Mirosław
2010-07-28 12:28:23 UTC

From $URL: A flaw was found in the handling of requests by mod_cache and mod_dav. A malicious remote attacker could send a carefully crafted request and cause a httpd child process to crash. This crash would only be a denial of service if using the worker MPM. This issue is further mitigated as mod_dav is only affected by requests that are most likely to be authenticated, and mod_cache is only affected if the uncommon "CacheIgnoreURLSessionIdentifiers" directive, introduced in version 2.2.14, is used. The CVE-2010-2068 issue only affects Windows. Rating C3 as the configuration needed for exploitation is quite specific.

CVE-2010-1452 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1452): The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path.

Looks like it's time for a bump to stable. apache herd: please provide an updated ebuild.

My apache keeps crashing, targeted by some sort of dos-attack. I suspect it might be because of this vulnerability. Could we please get the new apache version into portage? At least masked. It has been more than a month since a new version was released by the Apache Software Foundation, and since this bug was published. Probably exploits are starting to run in the wild! I definitely do not consider this "minor severity"...

2.2.16 in cvs

Arches, please test and mark stable: =www-servers/apache-2.2.16
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

amd64 done

@Hollow: It's ok to call arches yourself so that there is no delay with stabilization.

Stable for PPC.

x86 stable

CVE-2010-2791 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2791): mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. NOTE: this is the same issue as CVE-2010-2068, but for a different OS and set of affected versions.

alpha/arm/ia64/s390/sh/sparc stable

*** Bug 336030 has been marked as a duplicate of this bug. ***

ppc64 done

stable on hppa

GLSA Vote: Yes, unauthenticated DoS in (what I think is) a common module.

GLSA together with #308049.

This issue was resolved and addressed in GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml by GLSA coordinator Tobias Heinlein (keytoaster).
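The advisory text above ties CVE-2010-1452 exposure to three conditions: a 2.2.x version before 2.2.16, mod_dav loaded, or mod_cache loaded together with the uncommon CacheIgnoreURLSessionIdentifiers directive. The following is an added example (not code from the bug report, Gentoo or the Apache project) that audits a version string and an httpd.conf fragment for those conditions; the config sample is constructed, the parser only understands simple one-directive-per-line configs, and the worker MPM (a compile-time choice in 2.2) is not checked.

```python
import re

# Constructed sample httpd.conf fragment (not from the bug report) showing the
# configuration the advisory names: mod_cache with CacheIgnoreURLSessionIdentifiers,
# plus mod_dav.
SAMPLE_CONF = """
LoadModule cache_module modules/mod_cache.so
LoadModule dav_module modules/mod_dav.so
CacheIgnoreURLSessionIdentifiers jsessionid
<Location /repo>
    Dav On
</Location>
"""

FIXED = (2, 2, 16)   # CVE-2010-1452 is fixed in 2.2.16 according to the advisory


def parse_version(text):
    """Turn 'Apache/2.2.15 (Unix)' or '2.2.9' into a comparable int tuple."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(p) for p in m.groups())


def directives(conf):
    """Yield (lowercased name, args) for each directive line; skip comments and <sections>."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or line.startswith('<'):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else '')


def assess(version_text, conf):
    """Report which CVE-2010-1452 preconditions from the advisory are present."""
    ver = parse_version(version_text)
    mods = {args.split()[0].lower() for name, args in directives(conf)
            if name == 'loadmodule' and args}
    names = {name for name, _ in directives(conf)}
    findings = {
        'vulnerable_version': ver[:2] == (2, 2) and ver < FIXED,
        'mod_dav_loaded': 'dav_module' in mods,
        'mod_cache_with_ignore_ids': 'cache_module' in mods
                                     and 'cacheignoreurlsessionidentifiers' in names,
    }
    # Exposed only when an affected version meets at least one affected module setup.
    findings['exposed'] = findings['vulnerable_version'] and (
        findings['mod_dav_loaded'] or findings['mod_cache_with_ignore_ids'])
    return findings


if __name__ == '__main__':
    for key, value in assess('Apache/2.2.15 (Unix)', SAMPLE_CONF).items():
        print('%-28s %s' % (key, value))
```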