Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 268154 (CVE-2009-1191) - <www-servers/apache-2.2.11-r1 mod_proxy_ajp Information Disclosure (CVE-2009-1191)
Summary: <www-servers/apache-2.2.11-r1 mod_proxy_ajp Information Disclosure (CVE-2009-...
Status: RESOLVED FIXED
Alias: CVE-2009-1191
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.apache.org/dist/httpd/patc...
Whiteboard: B4 [glsa]
Keywords:
Depends on: 276589
Blocks:
  Show dependency tree
 
Reported: 2009-05-01 19:27 UTC by Alex Legler (RETIRED)
Modified: 2009-07-12 15:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Temporary patch from upstream (PR46949.diff,1.59 KB, patch)
2009-05-01 19:29 UTC, Alex Legler (RETIRED) 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-01 19:27:04 UTC 
CVE-2009-1191 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1191):
  mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server
  2.2.11 allows remote attackers to obtain sensitive response data,
  intended for a client that sent an earlier POST request with no
  request body, via an HTTP request.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-01 19:29:16 UTC 
Created attachment 190062 [details, diff]
Temporary patch from upstream

Upstream released a preliminary patch for this issue.
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2009-07-05 16:13:23 UTC 
patch added to 2.2.11-r1, stabilization should probably be done in a new bug, since multiple issues have been fixed with 2.2.11-r1
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-05 16:34:02 UTC 
Thanks, stabilization handled in 276589.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-12 15:23:36 UTC 
GLSA 200907-04, thanks everyone.