From secunia security advisory at $URL:

Description: The weakness is caused due to the mod_proxy module, when configured in reverse proxy mode, incorrectly processing certain web requests. This can be exploited to send requests to an unintended server behind the proxy via a specially crafted URL. Successful exploitation requires the use of "ProxyPassMatch" and "RewriteRule" configuration directives with a certain pattern match. The weakness is reported in all 2.x versions.

Solution: Apply patch. https://www.apache.org/dist/httpd/patches/apply_to_2.2.21/CVE-2011-3368.patch
CVE-2011-3368 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3368): The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.
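As an added example (not part of this bug report, the Secunia advisory, or Apache's own tooling): a small Python audit script that scans reverse-proxy config lines for ProxyPassMatch and proxying RewriteRule patterns that can match a request-URI which does not begin with "/". That is the configuration shape the CVE text above ties to a malformed URI starting with "@": each pattern is probed with constructed request targets that begin with "@", and a pattern that matches any of them is reported for review. The sample config lines, the probe hostnames and all function names are assumptions made for this example; Apache's regex engine is not identical to Python's re, so treat the result as a hygiene check, not a proof of exposure.

```python
import re

# Constructed sample reverse-proxy configuration (not taken from the bug).
# The first two directives use patterns that also match targets not
# starting with "/"; the last two anchor the pattern at "^/" and are the
# mitigated form. The final RewriteRule has no proxy flag and is ignored.
SAMPLE_CONFIG = r"""
ProxyPassMatch ^(.*\.jpg)$ http://images.internal/$1
RewriteRule ^(.*)$ http://backend.internal/$1 [P]
ProxyPassMatch ^/(.*\.jpg)$ http://images.internal/$1
RewriteRule ^/(.*)$ http://backend.internal/$1 [P]
RewriteRule ^(.*)$ /index.php [L]
"""

# Constructed probe targets beginning with "@" rather than "/" (assumption:
# the attacker-controlled host name is only a placeholder). If a pattern
# matches any of these, it accepts a target of the shape the CVE describes.
PROBES = (
    "@attacker.invalid/",
    "@attacker.invalid/x.jpg",
    "@attacker.invalid/index.html",
)


def parse_proxy_rules(config_text):
    """Return (directive, pattern, substitution, flags) for every
    ProxyPassMatch line and every RewriteRule line carrying the proxy flag."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0]
        if directive == "ProxyPassMatch" and len(parts) >= 3:
            rules.append((directive, parts[1], parts[2], ""))
        elif directive == "RewriteRule" and len(parts) >= 4:
            flags = parts[3]
            # Only [P] / [proxy] turns a rewrite into a reverse-proxy request.
            if re.search(r"\b(P|proxy)\b", flags.strip("[]")):
                rules.append((directive, parts[1], parts[2], flags))
    return rules


def pattern_accepts_probe(pattern):
    """Return the first probe the pattern matches, or None.
    re.search is used because Apache patterns are not implicitly anchored."""
    try:
        rx = re.compile(pattern)
    except re.error:
        return None
    for probe in PROBES:
        if rx.search(probe):
            return probe
    return None


def audit(config_text):
    """Return (directive, pattern, verdict) for each proxying rule found."""
    findings = []
    for directive, pattern, _subst, _flags in parse_proxy_rules(config_text):
        probe = pattern_accepts_probe(pattern)
        if probe is None:
            verdict = "ok: pattern only matches targets starting with /"
        else:
            verdict = f"review: pattern matches {probe!r}; anchor it with ^/"
        findings.append((directive, pattern, verdict))
    return findings


if __name__ == "__main__":
    for directive, pattern, verdict in audit(SAMPLE_CONFIG):
        print(f"{directive:15} {pattern:20} {verdict}")
```

Run it against the real httpd.conf and any included vhost files by passing their contents to audit(). Patterns reported for review are the ones to rewrite so they begin with "^/"; the Apache patch referenced above changes the server's own handling, but anchoring the patterns is the configuration-side measure that removes the precondition the advisory names.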
Patch was added in apache-2.2.21-r1. Also I've added a dependency on >=apr-1.4.5 for the moderate-severity apr_fnmatch flaw that leads to a mod_autoindex remote DoS, CVE-2011-0419 (bug 368651).

Also a number of bugs were fixed:
Use extra_{,started}commands, bug #385637 by Martin von Gagern.
Check config during restart, bug #384997 wrt Christian Ruppert (idl0r).
Don't use pidof to check for running instances, to make it more container friendly, bug #384267 by Stef Simoens.
Updated defaults in 00_default_settings.conf to better match upstream intentions, bug #387157 by Steve Dibb.

Arch teams, please stabilize:
www-servers/apache-2.2.21-r1
dev-libs/apr-1.4.5
dev-libs/apr-util-1.3.12
looks ok on a server. amd64 ok
looks ok on a desktop
+ 19 Oct 2011; Tony Vroon <chainsaw@gentoo.org> apr-1.4.5.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #385859.

+ 19 Oct 2011; Tony Vroon <chainsaw@gentoo.org> apr-util-1.3.12.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #385859.

+ 19 Oct 2011; Tony Vroon <chainsaw@gentoo.org> apache-2.2.21-r1.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #385859.
Stable for HPPA.
ppc/ppc64 stable
arm stable
x86 stable
alpha/ia64/s390/sh/sparc stable
Thanks all. Added glsa vote request.
Thanks, everyone. GLSA Vote: yes.
Vote: Yes. GLSA request filed.
This issue was resolved and addressed in GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml by GLSA coordinator Tobias Heinlein (keytoaster).