oss-sec mailing list archives
CVE-2010-2791: mod_proxy information leak affecting 2.2.9 only
From: Joe Orton <jorton () redhat com>
Date: Fri, 30 Jul 2010 16:15:09 +0100
Jeremy Sowden discovered an information leak in mod_proxy affecting httpd version 2.2.9 only. If a timeout occurred reading a response from a backend on a persistent connection, the backend connection was not closed. The response could subsequently be read and delivered to an unrelated client.

This issue has been assigned CVE name CVE-2010-2791, and is equivalent to CVE-2010-2068 (fixed in 2.2.16) but affects httpd on Unix. The bug was fixed* in 2.2.10 but the security impact was not known at the time.

I'll update http://httpd.apache.org/security/vulnerabilities_22.html to reflect this shortly.

Regards, Joe

* fix for 2.2.x branch: http://svn.apache.org/viewvc?rev=699841&view=rev
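The failure mode described in the advisory above, as a small model added here for illustration; it is not httpd code and not the referenced fix. All names (backend_conn, timeout_policy, response_delivered_to_bob) and the two clients are constructed, and the backend connection is reduced to an in-order queue of unread responses.

```c
#include <stdio.h>
#include <string.h>

#define QMAX 4

/* Constructed model of one pooled, persistent backend connection. */
struct backend_conn {
    int open;                 /* 1 while the socket is connected */
    char queue[QMAX][32];     /* responses sent by the backend, not yet read by the proxy */
    int head, tail;
};

enum timeout_policy { KEEP_OPEN_ON_TIMEOUT, CLOSE_ON_TIMEOUT };

static void conn_connect(struct backend_conn *c) { c->open = 1; c->head = c->tail = 0; }

/* Backend writes its response for `who`; bytes sent to a closed socket are lost. */
static void backend_reply(struct backend_conn *c, const char *who) {
    if (c->open && c->tail < QMAX)
        snprintf(c->queue[c->tail++], sizeof c->queue[0], "reply-for-%s", who);
}

/* Proxy reads the next response in stream order; it cannot tell whose it is. */
static const char *proxy_read(struct backend_conn *c) {
    return c->head < c->tail ? c->queue[c->head++] : "";
}

/* Returns the response that ends up delivered to the second client, bob. */
const char *response_delivered_to_bob(enum timeout_policy policy) {
    static struct backend_conn c;
    static char out[32];
    conn_connect(&c);
    /* alice's request goes out; the proxy's read times out before the backend answers */
    if (policy == CLOSE_ON_TIMEOUT)
        c.open = 0;                   /* connection is dropped instead of being reused */
    backend_reply(&c, "alice");       /* late response arrives after the timeout */
    /* bob's request: reuse the pooled connection if still open, else reconnect */
    if (!c.open)
        conn_connect(&c);
    backend_reply(&c, "bob");
    snprintf(out, sizeof out, "%s", proxy_read(&c));
    return out;
}

int main(void) {
    printf("kept open: bob receives %s\n", response_delivered_to_bob(KEEP_OPEN_ON_TIMEOUT));
    printf("closed:    bob receives %s\n", response_delivered_to_bob(CLOSE_ON_TIMEOUT));
    return 0;
}
```

The point for anyone reviewing a pooling proxy: after a read timeout the connection's stream position is unknown, so it must be closed before anything else can reuse it.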