Bug 627387 - (CVE-2010-2791) VUL-0: CVE-2010-2791: apache2: mod_proxy information leak affecting 2.2.9 only
VUL-0: CVE-2010-2791: apache2: mod_proxy information leak affecting 2.2.9 only
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Other Other
: P3 - Medium : Major
: ---
Assigned To: Roman Drahtmueller
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2010-08-02 09:00 UTC by Thomas Biege
Modified: 2015-10-30 10:40 UTC (History)
1 user (show)

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Biege 2010-08-02 09:00:43 UTC
There is a security bug in package 'apache2'.

This information is from 'oss-security'.

This bug is public.

There is no coordinated release date (CRD) set.

CVE number: CVE-2010-2068
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2068
CVE number: CVE-2010-2791
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791

Original posting:

----------  Weitergeleitete Nachricht  ----------

Betreff: [oss-security] CVE-2010-2791: mod_proxy information leak affecting 
2.2.9 only
Datum: Freitag 30 Juli 2010, 17:15:09
Von: Joe Orton <jorton@redhat.com>
An:  dev@httpd.apache.org
Kopie:  jeremy@azazel.net, oss-security@lists.openwall.com

Jeremy Sowden discovered an information leak in mod_proxy affecting 
httpd version 2.2.9 only.  If a timeout occurred reading a response from 
a backend on a persistent connection, the backend connection was not 
closed.  The response could subsequently be read and delivered to an 
unrelated client.

This issue has been assigned CVE name CVE-2010-2791, and is equivalent 
to CVE-2010-2068 (fixed in 2.2.16) but affects httpd on Unix.  The bug 
was fixed* in 2.2.10 but the security impact was not known at the time.

I'll update http://httpd.apache.org/security/vulnerabilities_22.html to 
reflect this shortly.

Regards, Joe

* fix for 2.2.x branch: http://svn.apache.org/viewvc?rev=699841&view=rev

Comment 1 Marcus Meissner 2010-08-03 09:40:07 UTC
perl bin/addnote CVE-2010-2068 "This security issue does not affect Apache on Linux."
Comment 2 Swamp Workflow Management 2010-08-04 07:31:49 UTC
The SWAMPID for this issue is 34899.
This issue was rated as low.
Please submit fixed packages until 2010-09-01.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 3 Thomas Biege 2010-08-05 07:05:25 UTC
e: [oss-security] CVE-2010-2791: mod_proxy information leak affecting 2.2.9 only
 Von: "Steven M. Christey" <coley@linus.mitre.org>
 An: oss-security@lists.openwall.com
 Kopie: dev@httpd.apache.org, jeremy@azazel.net
A subtle comment here.  Arguably, this is the same core bug and could have 
been merged into CVE-2010-2068, even though the versions are different. 
Effectively, you've got multiple independent "streams" of 2.2.x Apache - 
which vary by operating system - and there's no overlap between which 
"stream" is affected by CVE-2010-2791 versus the ones that are affected by 
CVE-2010-2068.  And there are no regression errors.  This general 
abstraction difficulty applies to most software that runs on multiple 
platforms, where each platform has slightly different up-to-date versions, 
or delays in fixes for some platforms versus others.  (You could extend 
the logic to how each distro maintains its own versions of common 

However, this is a fairly arcane point that demonstrates the difficulty of 
keeping CVE consistent with only a couple simple rules (split-by-vulntype 
and split-by-version), instead of getting mired in lots of exceptions.

As a practical matter, this is a fairly important distinction, and if we 
were to MERGE into CVE-2010-2068 and update the description, that might 
not be enough of a "signal" to sysadmins that they have to re-evaluate 
their security posture.  So I'm reluctantly OK with leaving CVE-2010-2791 
separate - but I don't want to set this up as a formal precedent for these 
kinds of abstraction choices for later disclosures.

- Steve
Comment 4 Thomas Biege 2010-08-06 16:00:36 UTC
CVE-2010-2791: CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-2010-2791: Information Leak / Disclosure (CWE-200)
Comment 5 Thomas Biege 2010-08-09 07:55:03 UTC
mass change P5->P3
Comment 6 Harshal Bansod 2010-08-20 12:36:50 UTC
Verified this patch on oes1sp2 environment.
oes services welcomepage, iMgr, iFolder, Netstorage, QF, NRM functionality verified.  Working fine.
Patch is go from oes QA.
Patch Details Below:-
rug patch-info patch-12639

Name: patch-12639
Version: 12639
Installed: yes
Summary: Security update for Apache 2

   Applies to

   Package: apache2,apache2-devel,apache2-doc,apache2-example-pages,apache2-leader,apache2-metuxmpm,apache2-perchild,apache2-prefork,apache2-worker,libapr0
   Release: 20100819

Platform:- SLE version:-cat /etc/SuSE-release
SUSE LINUX Enterprise Server 9 (i586)
Comment 7 Harshal Bansod 2010-08-25 11:48:23 UTC
Patch slesp3-apache2-7127-0 has Passed oes QA.

Verified this patch on oes2sp2/sles10sp3 environment.
oes services welcomepage, iMgr, iFolder, Netstorage, QF, NRM functionality
verified.  Working fine.

Patch Details Below:-
 # rug patch-info slesp3-apache2-7127-0
Name: slesp3-apache2
Version: 7127-0
Arch: noarch
Status: Satisfied
Category: security
Created On: 08/19/2010 06:42:39
Reboot Required: No
Restart Required: No
Interactive: No
patch: slesp3-apache2 = 7127-0

atom: apache2 = 2.2.3-16.30.1
atom: apache2-devel = 2.2.3-16.30.1
atom: apache2-doc = 2.2.3-16.30.1
atom: apache2-example-pages = 2.2.3-16.30.1
atom: apache2-prefork = 2.2.3-16.30.1
atom: apache2-worker = 2.2.3-16.30.1

Comment 8 Ludwig Nussel 2010-09-15 11:32:01 UTC
since this is 2.2.9 only and we don't ship 2.2.9 anywhere are not affected.