Bug 627387 (CVE-2010-2791)

Summary: VUL-0: CVE-2010-2791: apache2: mod_proxy information leak affecting 2.2.9 only
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: GeneralAssignee: Roman Drahtmueller <draht>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:running:34899:moderate
Found By: Development Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Biege 2010-08-02 09:00:43 UTC 
Hi.
There is a security bug in package 'apache2'.

This information is from 'oss-security'.

This bug is public.

There is no coordinated release date (CRD) set.

CVE number: CVE-2010-2068
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2068
CVE number: CVE-2010-2791
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791

Original posting:



----------  Weitergeleitete Nachricht  ----------

Betreff: [oss-security] CVE-2010-2791: mod_proxy information leak affecting 
2.2.9 only
Datum: Freitag 30 Juli 2010, 17:15:09
Von: Joe Orton <jorton@redhat.com>
An:  dev@httpd.apache.org
Kopie:  jeremy@azazel.net, oss-security@lists.openwall.com

Jeremy Sowden discovered an information leak in mod_proxy affecting 
httpd version 2.2.9 only.  If a timeout occurred reading a response from 
a backend on a persistent connection, the backend connection was not 
closed.  The response could subsequently be read and delivered to an 
unrelated client.

This issue has been assigned CVE name CVE-2010-2791, and is equivalent 
to CVE-2010-2068 (fixed in 2.2.16) but affects httpd on Unix.  The bug 
was fixed* in 2.2.10 but the security impact was not known at the time.

I'll update http://httpd.apache.org/security/vulnerabilities_22.html to 
reflect this shortly.

Regards, Joe

* fix for 2.2.x branch: http://svn.apache.org/viewvc?rev=699841&view=rev

-------------------------------------------------------------
Comment 1 Marcus Meissner 2010-08-03 09:40:07 UTC 
perl bin/addnote CVE-2010-2068 "This security issue does not affect Apache on Linux."
Comment 2 Swamp Workflow Management 2010-08-04 07:31:49 UTC 
The SWAMPID for this issue is 34899.
This issue was rated as low.
Please submit fixed packages until 2010-09-01.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 3 Thomas Biege 2010-08-05 07:05:25 UTC 
e: [oss-security] CVE-2010-2791: mod_proxy information leak affecting 2.2.9 only
 Von: "Steven M. Christey" <coley@linus.mitre.org>
 An: oss-security@lists.openwall.com
 Kopie: dev@httpd.apache.org, jeremy@azazel.net
 
A subtle comment here.  Arguably, this is the same core bug and could have 
been merged into CVE-2010-2068, even though the versions are different. 
Effectively, you've got multiple independent "streams" of 2.2.x Apache - 
which vary by operating system - and there's no overlap between which 
"stream" is affected by CVE-2010-2791 versus the ones that are affected by 
CVE-2010-2068.  And there are no regression errors.  This general 
abstraction difficulty applies to most software that runs on multiple 
platforms, where each platform has slightly different up-to-date versions, 
or delays in fixes for some platforms versus others.  (You could extend 
the logic to how each distro maintains its own versions of common 
software...)

However, this is a fairly arcane point that demonstrates the difficulty of 
keeping CVE consistent with only a couple simple rules (split-by-vulntype 
and split-by-version), instead of getting mired in lots of exceptions.

As a practical matter, this is a fairly important distinction, and if we 
were to MERGE into CVE-2010-2068 and update the description, that might 
not be enough of a "signal" to sysadmins that they have to re-evaluate 
their security posture.  So I'm reluctantly OK with leaving CVE-2010-2791 
separate - but I don't want to set this up as a formal precedent for these 
kinds of abstraction choices for later disclosures.

- Steve
Comment 4 Thomas Biege 2010-08-06 16:00:36 UTC 
CVE-2010-2791: CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-2010-2791: Information Leak / Disclosure (CWE-200)
Comment 5 Thomas Biege 2010-08-09 07:55:03 UTC 
mass change P5->P3
Comment 6 Harshal Bansod 2010-08-20 12:36:50 UTC 
Verified this patch on oes1sp2 environment.
oes services welcomepage, iMgr, iFolder, Netstorage, QF, NRM functionality verified.  Working fine.
Patch is go from oes QA.
===================
Patch Details Below:-
===================
rug patch-info patch-12639

Name: patch-12639
Version: 12639
Installed: yes
Summary: Security update for Apache 2
Description:

   Applies to

   Package: apache2,apache2-devel,apache2-doc,apache2-example-pages,apache2-leader,apache2-metuxmpm,apache2-perchild,apache2-prefork,apache2-worker,libapr0
   Release: 20100819
   Obsoletes:

===================
Platform:- SLE version:-cat /etc/SuSE-release
SUSE LINUX Enterprise Server 9 (i586)
VERSION = 9
PATCHLEVEL = 4
========================
Comment 7 Harshal Bansod 2010-08-25 11:48:23 UTC 
OES2SP2:-
Patch slesp3-apache2-7127-0 has Passed oes QA.

Verified this patch on oes2sp2/sles10sp3 environment.
oes services welcomepage, iMgr, iFolder, Netstorage, QF, NRM functionality
verified.  Working fine.


===================
Patch Details Below:-
===================
 # rug patch-info slesp3-apache2-7127-0
Name: slesp3-apache2
Version: 7127-0
Arch: noarch
Status: Satisfied
Category: security
Created On: 08/19/2010 06:42:39
Reboot Required: No
Restart Required: No
Interactive: No
Summary:
Description:
Provides:
patch: slesp3-apache2 = 7127-0

Requires:
atom: apache2 = 2.2.3-16.30.1
atom: apache2-devel = 2.2.3-16.30.1
atom: apache2-doc = 2.2.3-16.30.1
atom: apache2-example-pages = 2.2.3-16.30.1
atom: apache2-prefork = 2.2.3-16.30.1
atom: apache2-worker = 2.2.3-16.30.1

======================================
Comment 8 Ludwig Nussel 2010-09-15 11:32:01 UTC 
since this is 2.2.9 only and we don't ship 2.2.9 anywhere are not affected.