Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 440758 (CVE-2012-4557) - <www-servers/apache-2.2.22: mod_proxy_ajp worker moved to error state when timeout exceeded (CVE-2012-4557)
Summary: <www-servers/apache-2.2.22: mod_proxy_ajp worker moved to error state when ti...
Status: RESOLVED FIXED
Alias: CVE-2012-4557
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://httpd.apache.org/security/vuln...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-01 15:43 UTC by Agostino Sarubbo
Modified: 2012-11-10 20:33 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-11-01 15:43:43 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=871685 :

When mod_proxy_ajp sends a request to a worker node and the time to process that request exceeds 
the configured timeout, the worker node will be marked as in the error state, stopping all traffic 
to the node until it is flagged as up again. A remote attacker could use this flaw to trigger a 
temporary denial of service attack, provided they were able to create a request that caused 
sufficient processing time to exceed the timeout threshold.

References:

http://svn.apache.org/viewvc?view=revision&revision=1227298
http://httpd.apache.org/security/vulnerabilities_22.html#2.2.22

According to upstream security page, this affected versions 2.2.12 - 2.2.21.
Comment 1 Sean Amoss gentoo-dev Security 2012-11-10 20:33:34 UTC
This was fixed in =www-servers/apache-2.2.22 and there was already a GLSA [1] advising users to update to =www-servers/apache-2.2.22-r1. 

Closing noglsa. 

[1] http://www.gentoo.org/security/en/glsa/glsa-201206-25.xml