Hi Joe,
On 02.08.2010 15:03, [email protected] wrote:
Author: jorton
Date: Mon Aug 2 13:03:04 2010
New Revision: 981498
URL: http://svn.apache.org/viewvc?rev=981498&view=rev
Log:
- add description of CVE-2010-2791
Modified:
httpd/site/trunk/docs/security/vulnerabilities-oval.xml
httpd/site/trunk/docs/security/vulnerabilities_22.html
httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL:
http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=981498&r1=981497&r2=981498&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug 2 13:03:04
2010
@@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks.</
</criteria>
</criteria>
</definition>
+<definition id="oval:org.apache.httpd:def:20102791" version="1"
class="vulnerability">
+<metadata>
+<title>Timeout detection flaw (mod_proxy_http)</title>
+<reference source="CVE" ref_id="CVE-2010-2791"
ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791"/>
+<description>
+An information disclosure flaw was found in mod_proxy_http in version
+2.2.9 only, on Unix platforms. Under certain timeout
+conditions, the server could return a response intended for another user.
+Only those configurations which trigger the use of proxy worker pools
+are affected. There was no vulnerability on earlier versions, as
+proxy pools were not yet introduced. The simplest workaround is to
+globally configure:</description>
It seems the following is missing here:
+<p>SetEnv proxy-nokeepalive 1</p>
or similar.
+<apache_httpd_repository>
+<public>20100723</public>
+<reported>20100723</reported>
+<released>20081031</released>
...
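Review bot: the <description> added in this hunk ends on "The simplest workaround is to globally configure:" and then the element closes, so the workaround directive itself is never stated in the definition; add the directive after </description> (Rainer's suggestion, <p>SetEnv proxy-nokeepalive 1</p>, completes the sentence; use whatever markup the neighbouring definitions use for such lines), and check that the same directive is present in the other two files touched by this commit, vulnerabilities_22.html and vulnerabilities-httpd.xml, so the three descriptions of CVE-2010-2791 stay consistent.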
Regards,
Rainer