Bugzilla – Bug 627387
VUL-0: CVE-2010-2791: apache2: mod_proxy information leak affecting 2.2.9 only
Last modified: 2015-10-30 10:40:24 UTC
There is a security bug in package 'apache2'.
This information is from 'oss-security'.
This bug is public.
There is no coordinated release date (CRD) set.
CVE number: CVE-2010-2068
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2068
CVE number: CVE-2010-2791
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791
---------- Forwarded message ----------
Subject: [oss-security] CVE-2010-2791: mod_proxy information leak affecting
Date: Friday 30 July 2010, 17:15:09
From: Joe Orton <firstname.lastname@example.org>
Cc: email@example.com, firstname.lastname@example.org
Jeremy Sowden discovered an information leak in mod_proxy affecting
httpd version 2.2.9 only. If a timeout occurred reading a response from
a backend on a persistent connection, the backend connection was not
closed. The response could subsequently be read and delivered to an
This issue has been assigned CVE name CVE-2010-2791, and is equivalent
to CVE-2010-2068 (fixed in 2.2.16) but affects httpd on Unix. The bug
was fixed* in 2.2.10 but the security impact was not known at the time.
I'll update http://httpd.apache.org/security/vulnerabilities_22.html to
reflect this shortly.
* fix for 2.2.x branch: http://svn.apache.org/viewvc?rev=699841&view=rev
perl bin/addnote CVE-2010-2068 "This security issue does not affect Apache on Linux."
The SWAMPID for this issue is 34899.
This issue was rated as low.
Please submit fixed packages until 2010-09-01.
When done, please reassign the bug to email@example.com.
Patchinfo will be handled by security team.
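The failure mode in the advisory above is a connection-pool bug: a read from the backend times out, the keep-alive connection goes back into the idle pool with the backend's answer still in flight, and the next client whose request is sent over that connection reads the earlier client's response first. The following is an added illustration, not httpd or mod_proxy code: it models the backend socket as a tick-based receive buffer, and the client names, paths, latencies and the timeout value are invented. The `close_on_timeout` switch contrasts the 2.2.9 behaviour with the intended one (close the backend connection whenever a read on it times out).

```python
"""Model of the mod_proxy keep-alive timeout leak (constructed example,
not httpd code).  Ticks stand in for wall-clock time."""


class BackendConn:
    """One persistent (keep-alive) connection to a backend.

    `inbox` stands in for the socket receive buffer: each entry is
    (tick at which the bytes arrive, response bytes).
    """

    def __init__(self):
        self.closed = False
        self.inbox = []

    def send_request(self, path, now, latency):
        if self.closed:
            raise RuntimeError("write on closed connection")
        # The backend answers `latency` ticks from now, whether or not the
        # proxy is still waiting for that answer.
        body = b"HTTP/1.1 200 OK\r\n\r\nresponse-for:" + path.encode()
        self.inbox.append((now + latency, body))

    def recv(self, now, timeout):
        """Return (arrival_tick, bytes) of the first response readable by
        now + timeout, or None when the read would time out.  Like a real
        socket this hands back whatever bytes are queued first, with no
        notion of which request they answer."""
        ready = sorted(r for r in self.inbox if r[0] <= now + timeout)
        if not ready:
            return None
        self.inbox.remove(ready[0])
        return ready[0]


class Proxy:
    """Minimal reverse proxy with a pool of idle backend connections."""

    def __init__(self, close_on_timeout):
        self.close_on_timeout = close_on_timeout
        self.pool = []      # idle keep-alive connections
        self.clock = 0

    def handle(self, client, path, backend_latency, timeout=2):
        conn = self.pool.pop() if self.pool else BackendConn()
        conn.send_request(path, self.clock, backend_latency)
        got = conn.recv(self.clock, timeout)
        if got is None:
            self.clock += timeout
            if self.close_on_timeout:
                conn.closed = True      # fixed behaviour: never reuse after a timeout
            else:
                self.pool.append(conn)  # 2.2.9 behaviour: reuse with a response in flight
            return {"client": client, "path": path, "status": 504, "body": None}
        self.clock = got[0]
        self.pool.append(conn)
        return {"client": client, "path": path, "status": 200, "body": got[1]}


def leaked(result):
    """True when a client received a response to a path it did not request."""
    body = result["body"]
    return body is not None and not body.endswith(result["path"].encode())


def run_scenario(close_on_timeout):
    """Alice's request times out (backend slower than the proxy timeout);
    Bob's request follows on the same proxy and may reuse the connection."""
    proxy = Proxy(close_on_timeout)
    alice = proxy.handle("alice", "/alice-account", backend_latency=3, timeout=2)
    bob = proxy.handle("bob", "/bob-public", backend_latency=2, timeout=2)
    return alice, bob


if __name__ == "__main__":
    for fixed in (False, True):
        alice, bob = run_scenario(close_on_timeout=fixed)
        print("close_on_timeout=%s: alice=%s bob got %r leaked=%s"
              % (fixed, alice["status"], bob["body"], leaked(bob)))
```

With `close_on_timeout=False` Bob's read returns the bytes queued first on the reused connection, which are Alice's response; with the connection closed on timeout Bob gets a fresh connection and only his own answer. The same reasoning is why, in a real deployment, a proxy timeout on a backend that is merely slow (rather than dead) is the dangerous case: the backend will still write its response eventually.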
Subject: Re: [oss-security] CVE-2010-2791: mod_proxy information leak affecting 2.2.9 only
From: "Steven M. Christey" <firstname.lastname@example.org>
Cc: email@example.com, firstname.lastname@example.org
A subtle comment here. Arguably, this is the same core bug and could have
been merged into CVE-2010-2068, even though the versions are different.
Effectively, you've got multiple independent "streams" of 2.2.x Apache -
which vary by operating system - and there's no overlap between which
"stream" is affected by CVE-2010-2791 versus the ones that are affected by
CVE-2010-2068. And there are no regression errors. This general
abstraction difficulty applies to most software that runs on multiple
platforms, where each platform has slightly different up-to-date versions,
or delays in fixes for some platforms versus others. (You could extend
the logic to how each distro maintains its own versions of common
However, this is a fairly arcane point that demonstrates the difficulty of
keeping CVE consistent with only a couple simple rules (split-by-vulntype
and split-by-version), instead of getting mired in lots of exceptions.
As a practical matter, this is a fairly important distinction, and if we
were to MERGE into CVE-2010-2068 and update the description, that might
not be enough of a "signal" to sysadmins that they have to re-evaluate
their security posture. So I'm reluctantly OK with leaving CVE-2010-2791
separate - but I don't want to set this up as a formal precedent for these
kinds of abstraction choices for later disclosures.
CVE-2010-2791: CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-2010-2791: Information Leak / Disclosure (CWE-200)
mass change P5->P3
Verified this patch on the oes1sp2 environment.
oes services welcomepage, iMgr, iFolder, Netstorage, QF, NRM functionality verified. Working fine.
Patch is go from oes QA.
Patch Details Below:-
rug patch-info patch-12639
Summary: Security update for Apache 2
Platform / SLE version (cat /etc/SuSE-release):
SUSE LINUX Enterprise Server 9 (i586)
VERSION = 9
PATCHLEVEL = 4
Patch slesp3-apache2-7127-0 has passed oes QA.
Verified this patch on the oes2sp2/sles10sp3 environment.
oes services welcomepage, iMgr, iFolder, Netstorage, QF, NRM functionality
verified. Working fine.
Patch Details Below:-
# rug patch-info slesp3-apache2-7127-0
Created On: 08/19/2010 06:42:39
Reboot Required: No
Restart Required: No
patch: slesp3-apache2 = 7127-0
atom: apache2 = 2.2.3-16.30.1
atom: apache2-devel = 2.2.3-16.30.1
atom: apache2-doc = 2.2.3-16.30.1
atom: apache2-example-pages = 2.2.3-16.30.1
atom: apache2-prefork = 2.2.3-16.30.1
atom: apache2-worker = 2.2.3-16.30.1
Since this is 2.2.9 only and we don't ship 2.2.9 anywhere, we are not affected.