Bugzilla – Bug 627387
VUL-0: CVE-2010-2791: apache2: mod_proxy information leak affecting 2.2.9 only
Last modified: 2015-10-30 10:40:24 UTC
Hi. There is a security bug in package 'apache2'. This information is from 'oss-security'. This bug is public. There is no coordinated release date (CRD) set.

CVE number: CVE-2010-2068
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2068
CVE number: CVE-2010-2791
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791

Original posting:

---------- Forwarded message ----------
Subject: [oss-security] CVE-2010-2791: mod_proxy information leak affecting 2.2.9 only
Date: Friday 30 July 2010, 17:15:09
From: Joe Orton <jorton@redhat.com>
To: dev@httpd.apache.org
Cc: jeremy@azazel.net, oss-security@lists.openwall.com

Jeremy Sowden discovered an information leak in mod_proxy affecting httpd version 2.2.9 only. If a timeout occurred reading a response from a backend on a persistent connection, the backend connection was not closed. The response could subsequently be read and delivered to an unrelated client.

This issue has been assigned CVE name CVE-2010-2791, and is equivalent to CVE-2010-2068 (fixed in 2.2.16) but affects httpd on Unix.

The bug was fixed* in 2.2.10 but the security impact was not known at the time. I'll update http://httpd.apache.org/security/vulnerabilities_22.html to reflect this shortly.

Regards, Joe

* fix for 2.2.x branch: http://svn.apache.org/viewvc?rev=699841&view=rev
-------------------------------------------------------------
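To make the failure mode described in the forwarded message concrete, here is an added Python model (not httpd code and not from this bug report) of a proxy that keeps one persistent backend connection: with the 2.2.9 behaviour the connection stays pooled after a read timeout, so an unrelated client B is handed client A's late response; closing the connection on timeout, as the behaviour fixed in 2.2.10 requires, forces a fresh connection instead. The backend, the line-based wire format and the timings are constructed for the demonstration.

```python
import socket
import threading
import time

def backend(conn):
    # Constructed backend: echoes each request line; 'SLOW' requests are answered late
    with conn, conn.makefile("rb") as f:
        for line in f:
            req = line.rstrip(b"\n")
            if req.startswith(b"SLOW"):
                time.sleep(0.25)  # longer than the proxy's read timeout
            try:
                conn.sendall(b"RESP:" + req + b"\n")
            except OSError:  # proxy already closed its end (fixed behaviour)
                break

def read_line(conn):
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(1)
        if not chunk:
            raise ConnectionError("backend closed the connection")
        buf += chunk
    return buf.rstrip(b"\n")

class Proxy:
    # Keeps one persistent backend connection, as mod_proxy's connection pool does
    def __init__(self, timeout, close_on_timeout):
        self.timeout, self.close_on_timeout = timeout, close_on_timeout
        self.backend = None
    def forward(self, request):
        if self.backend is None:  # open a new persistent connection to the backend
            self.backend, backend_side = socket.socketpair()
            threading.Thread(target=backend, args=(backend_side,), daemon=True).start()
        conn = self.backend
        conn.settimeout(self.timeout)
        conn.sendall(request + b"\n")
        try:
            return read_line(conn)
        except socket.timeout:
            if self.close_on_timeout:  # fixed: drop a connection with a response still pending
                conn.close()
                self.backend = None
            return b"504 Gateway Timeout"  # 2.2.9: connection silently stays in the pool

def run_scenario(close_on_timeout):
    proxy = Proxy(timeout=0.1, close_on_timeout=close_on_timeout)
    a = proxy.forward(b"SLOW-clientA")  # backend too slow, proxy gives up on client A
    time.sleep(0.5)  # A's late response arrives into the idle pooled socket
    b = proxy.forward(b"clientB")  # unrelated client B is served from the same connection
    return a, b
```

run_scenario(False) reproduces the leak (client B receives RESP:SLOW-clientA); run_scenario(True) shows the connection being discarded so B gets its own response.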
perl bin/addnote CVE-2010-2068 "This security issue does not affect Apache on Linux."
The SWAMPID for this issue is 34899. This issue was rated as low. Please submit fixed packages until 2010-09-01. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Re: [oss-security] CVE-2010-2791: mod_proxy information leak affecting 2.2.9 only
From: "Steven M. Christey" <coley@linus.mitre.org>
To: oss-security@lists.openwall.com
Cc: dev@httpd.apache.org, jeremy@azazel.net

A subtle comment here. Arguably, this is the same core bug and could have been merged into CVE-2010-2068, even though the versions are different. Effectively, you've got multiple independent "streams" of 2.2.x Apache - which vary by operating system - and there's no overlap between which "stream" is affected by CVE-2010-2791 versus the ones that are affected by CVE-2010-2068. And there are no regression errors.

This general abstraction difficulty applies to most software that runs on multiple platforms, where each platform has slightly different up-to-date versions, or delays in fixes for some platforms versus others. (You could extend the logic to how each distro maintains its own versions of common software...)

However, this is a fairly arcane point that demonstrates the difficulty of keeping CVE consistent with only a couple of simple rules (split-by-vulntype and split-by-version), instead of getting mired in lots of exceptions. As a practical matter, this is a fairly important distinction, and if we were to MERGE into CVE-2010-2068 and update the description, that might not be enough of a "signal" to sysadmins that they have to re-evaluate their security posture.

So I'm reluctantly OK with leaving CVE-2010-2791 separate - but I don't want to set this up as a formal precedent for these kinds of abstraction choices for later disclosures.

- Steve
CVE-2010-2791: CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-2010-2791: Information Leak / Disclosure (CWE-200)
mass change P5->P3
Verified this patch on oes1sp2 environment. oes services welcomepage, iMgr, iFolder, Netstorage, QF, NRM functionality verified. Working fine. Patch is go from oes QA.
===================
Patch Details Below:-
===================
rug patch-info patch-12639
Name: patch-12639
Version: 12639
Installed: yes
Summary: Security update for Apache 2
Description: Applies to Package: apache2,apache2-devel,apache2-doc,apache2-example-pages,apache2-leader,apache2-metuxmpm,apache2-perchild,apache2-prefork,apache2-worker,libapr0
Release: 20100819
Obsoletes:
===================
Platform:-
SLE version:-
cat /etc/SuSE-release
SUSE LINUX Enterprise Server 9 (i586)
VERSION = 9
PATCHLEVEL = 4
========================
OES2SP2:-
Patch slesp3-apache2-7127-0 has Passed oes QA. Verified this patch on oes2sp2/sles10sp3 environment. oes services welcomepage, iMgr, iFolder, Netstorage, QF, NRM functionality verified. Working fine.
===================
Patch Details Below:-
===================
# rug patch-info slesp3-apache2-7127-0
Name: slesp3-apache2
Version: 7127-0
Arch: noarch
Status: Satisfied
Category: security
Created On: 08/19/2010 06:42:39
Reboot Required: No
Restart Required: No
Interactive: No
Summary:
Description:
Provides:
patch: slesp3-apache2 = 7127-0
Requires:
atom: apache2 = 2.2.3-16.30.1
atom: apache2-devel = 2.2.3-16.30.1
atom: apache2-doc = 2.2.3-16.30.1
atom: apache2-example-pages = 2.2.3-16.30.1
atom: apache2-prefork = 2.2.3-16.30.1
atom: apache2-worker = 2.2.3-16.30.1
======================================
Since this is 2.2.9 only and we don't ship 2.2.9 anywhere, we are not affected.