Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 308049 (CVE-2010-0408) - <www-servers/apache-2.2.15 multiple vulnerabilites (CVE-2010-{0408,0434})
Summary: <www-servers/apache-2.2.15 multiple vulnerabilites (CVE-2010-{0408,0434})
Status: RESOLVED FIXED
Alias: CVE-2010-0408
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://svn.apache.org/viewvc/httpd/ht...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-03-06 15:38 UTC by Stefan Behte (RETIRED)
Modified: 2012-06-24 14:28 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:38:49 UTC
CVE-2010-0408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0408):
  The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp
  in the Apache HTTP Server 2.2.x before 2.2.15 does not properly
  handle certain situations in which a client sends no request body,
  which allows remote attackers to cause a denial of service (backend
  server outage) via a crafted request, related to use of a 500 error
  code instead of the appropriate 400 error code.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:47:23 UTC
CVE-2010-0434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0434):
  The ap_read_request function in server/protocol.c in the Apache HTTP
  Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does
  not properly handle headers in subrequests in certain circumstances
  involving a parent request that has a body, which might allow remote
  attackers to obtain sensitive information via a crafted request that
  triggers access to memory locations associated with an earlier
  request.

Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2010-03-07 11:48:57 UTC
2.2.15 in cvs
Comment 3 Hanno Böck gentoo-dev 2010-03-07 16:14:24 UTC
To really fix the ssl renegotiation issue, 2.2.15 should depend on openssl 0.9.8m and we should stabilize it together.
Comment 4 Benedikt Böhm (RETIRED) gentoo-dev 2010-03-07 16:20:22 UTC
(In reply to comment #3)
> To really fix the ssl renegotiation issue, 2.2.15 should depend on openssl
> 0.9.8m and we should stabilize it together.

i've updated the dependencies in 2.2.15
Comment 5 Hanno Böck gentoo-dev 2010-03-27 18:23:37 UTC
Archs, please stabilize.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-29 14:04:43 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2010-03-29 21:52:06 UTC
amd64/arm stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2010-03-31 14:49:21 UTC
ppc done
Comment 9 Brent Baude (RETIRED) gentoo-dev 2010-03-31 14:51:23 UTC
ppc64 done
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2010-03-31 18:44:02 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 11 Guy Martin (RETIRED) gentoo-dev 2010-04-04 09:43:23 UTC
hppa stable
Comment 12 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-04-04 10:01:59 UTC
Guy, please don't close security bugs.

GLSA vote: YES.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2010-07-14 18:12:28 UTC
Yes, too, glsa request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:28:42 UTC
This issue was resolved and addressed in
 GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml
by GLSA coordinator Tobias Heinlein (keytoaster).