From https://bugzilla.redhat.com/show_bug.cgi?id=871685 :

When mod_proxy_ajp sends a request to a worker node and the time to process that request exceeds the configured timeout, the worker node will be marked as in the error state, stopping all traffic to the node until it is flagged as up again. A remote attacker could use this flaw to trigger a temporary denial of service attack, provided they were able to create a request that caused sufficient processing time to exceed the timeout threshold.

References:
http://svn.apache.org/viewvc?view=revision&revision=1227298
http://httpd.apache.org/security/vulnerabilities_22.html#2.2.22

According to the upstream security page, this affected versions 2.2.12 - 2.2.21.

This was fixed in =www-servers/apache-2.2.22 and there was already a GLSA [1] advising users to update to =www-servers/apache-2.2.22-r1. Closing noglsa.

[1] http://www.gentoo.org/security/en/glsa/glsa-201206-25.xml