Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 268154 (CVE-2009-1191) - <www-servers/apache-2.2.11-r1 mod_proxy_ajp Information Disclosure (CVE-2009-1191)
Summary: <www-servers/apache-2.2.11-r1 mod_proxy_ajp Information Disclosure (CVE-2009-...
Status: RESOLVED FIXED
Alias: CVE-2009-1191
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.apache.org/dist/httpd/patc...
Whiteboard: B4 [glsa]
Keywords:
Depends on: 276589
Blocks:
  Show dependency tree
 
Reported: 2009-05-01 19:27 UTC by Alex Legler (RETIRED)
Modified: 2009-07-12 15:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Temporary patch from upstream (PR46949.diff,1.59 KB, patch)
2009-05-01 19:29 UTC, Alex Legler (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-05-01 19:27:04 UTC
CVE-2009-1191 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1191):
  mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server
  2.2.11 allows remote attackers to obtain sensitive response data,
  intended for a client that sent an earlier POST request with no
  request body, via an HTTP request.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-05-01 19:29:16 UTC
Created attachment 190062 [details, diff]
Temporary patch from upstream

Upstream released a preliminary patch for this issue.
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2009-07-05 16:13:23 UTC
patch added to 2.2.11-r1, stabilization should probably be done in a new bug, since multiple issues have been fixed with 2.2.11-r1
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-05 16:34:02 UTC
Thanks, stabilization handled in 276589.
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-12 15:23:36 UTC
GLSA 200907-04, thanks everyone.