CVE-2010-0408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0408): The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code.
CVE-2010-0434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0434): The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request.
2.2.15 in cvs
To really fix the ssl renegotiation issue, 2.2.15 should depend on openssl 0.9.8m and we should stabilize it together.
(In reply to comment #3) > To really fix the ssl renegotiation issue, 2.2.15 should depend on openssl > 0.9.8m and we should stabilize it together. i've updated the dependencies in 2.2.15
Archs, please stabilize.
x86 stable
amd64/arm stable
ppc done
ppc64 done
alpha/arm/ia64/s390/sh/sparc stable
hppa stable
Guy, please don't close security bugs. GLSA vote: YES.
Yes, too, glsa request filed.
This issue was resolved and addressed in GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml by GLSA coordinator Tobias Heinlein (keytoaster).