Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 440758 (CVE-2012-4557)

Summary: <www-servers/apache-2.2.22: mod_proxy_ajp worker moved to error state when timeout exceeded (CVE-2012-4557)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: apache-bugs, mail, patrick, pva
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://httpd.apache.org/security/vulnerabilities_22.html#2.2.22
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-11-01 15:43:43 UTC 
From https://bugzilla.redhat.com/show_bug.cgi?id=871685 :

When mod_proxy_ajp sends a request to a worker node and the time to process that request exceeds 
the configured timeout, the worker node will be marked as in the error state, stopping all traffic 
to the node until it is flagged as up again. A remote attacker could use this flaw to trigger a 
temporary denial of service attack, provided they were able to create a request that caused 
sufficient processing time to exceed the timeout threshold.

References:

http://svn.apache.org/viewvc?view=revision&revision=1227298
http://httpd.apache.org/security/vulnerabilities_22.html#2.2.22

According to upstream security page, this affected versions 2.2.12 - 2.2.21.
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-10 20:33:34 UTC 
This was fixed in =www-servers/apache-2.2.22 and there was already a GLSA [1] advising users to update to =www-servers/apache-2.2.22-r1. 

Closing noglsa. 

[1] http://www.gentoo.org/security/en/glsa/glsa-201206-25.xml