oss-sec mailing list archives
Re: CVE-2010-2791: mod_proxy information leak affecting 2.2.9 only
From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 4 Aug 2010 17:23:58 -0400 (EDT)
A subtle comment here. Arguably, this is the same core bug and could have been merged into CVE-2010-2068, even though the versions are different. Effectively, you've got multiple independent "streams" of 2.2.x Apache - which vary by operating system - and there's no overlap between which "stream" is affected by CVE-2010-2791 versus the ones that are affected by CVE-2010-2068. And there are no regression errors. This general abstraction difficulty applies to most software that runs on multiple platforms, where each platform has slightly different up-to-date versions, or delays in fixes for some platforms versus others. (You could extend the logic to how each distro maintains its own versions of common software...)
However, this is a fairly arcane point that demonstrates the difficulty of keeping CVE consistent with only a couple simple rules (split-by-vulntype and split-by-version), instead of getting mired in lots of exceptions.
As a practical matter, this is a fairly important distinction, and if we were to MERGE into CVE-2010-2068 and update the description, that might not be enough of a "signal" to sysadmins that they have to re-evaluate their security posture. So I'm reluctantly OK with leaving CVE-2010-2791 separate - but I don't want to set this up as a formal precedent for these kinds of abstraction choices for later disclosures.
- Steve

On Fri, 30 Jul 2010, Joe Orton wrote:

> Jeremy Sowden discovered an information leak in mod_proxy affecting httpd version 2.2.9 only. If a timeout occurred reading a response from a backend on a persistent connection, the backend connection was not closed. The response could subsequently be read and delivered to an unrelated client.
>
> This issue has been assigned CVE name CVE-2010-2791, and is equivalent to CVE-2010-2068 (fixed in 2.2.16) but affects httpd on Unix. The bug was fixed* in 2.2.10 but the security impact was not known at the time.
>
> I'll update http://httpd.apache.org/security/vulnerabilities_22.html to reflect this shortly.
>
> Regards, Joe
>
> * fix for 2.2.x branch: http://svn.apache.org/viewvc?rev=699841&view=rev
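The failure mode Joe describes, as an added simulation that is not httpd's code: a proxy that returns a timed-out persistent backend connection to its idle pool, so the late response is read on the next request and handed to an unrelated client, compared with a proxy that discards the connection on timeout. Class and function names and the response bodies are constructed for the illustration.

```python
from collections import deque


class BackendConn:
    """A persistent (keep-alive) connection to a backend server.

    Responses arrive in order on the same socket, so a response that was not
    read before a timeout is still sitting in the buffer for the next read."""

    def __init__(self):
        self.pending = deque()  # (response, slow) not yet read by the proxy

    def send_request(self, client_id, slow=False):
        # constructed backend behaviour: the body names the client it is for
        self.pending.append((f"HTTP/1.1 200 OK\r\n\r\nprivate data for {client_id}", slow))

    def read_response(self):
        """Return the next response, or None when the read times out.
        A slow response times out once and is delivered on the following read."""
        resp, slow = self.pending[0]
        if slow:
            self.pending[0] = (resp, False)
            return None
        self.pending.popleft()
        return resp


class Proxy:
    def __init__(self, close_on_timeout):
        self.close_on_timeout = close_on_timeout  # False models the 2.2.9 behaviour
        self.pool = []  # idle persistent backend connections

    def handle(self, client_id, slow=False):
        conn = self.pool.pop() if self.pool else BackendConn()
        conn.send_request(client_id, slow)
        resp = conn.read_response()
        if resp is None:
            # On timeout the unread response is still on the socket; reusing
            # the connection later delivers it to whoever sends the next request.
            if not self.close_on_timeout:
                self.pool.append(conn)
            return "HTTP/1.1 502 Bad Gateway"
        self.pool.append(conn)
        return resp


def run(close_on_timeout):
    """Client A's backend read times out, then unrelated client B sends a request.
    Returns the response client B receives."""
    proxy = Proxy(close_on_timeout)
    proxy.handle("client-A", slow=True)
    return proxy.handle("client-B")
```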