On Mon, Aug 02, 2010 at 03:33:45PM +0200, Rainer Jung wrote: > >--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original) > >+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug 2 > >13:03:04 2010 > >@@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks.</ > > </criteria> > > </criteria> > > </definition> > >+<definition id="oval:org.apache.httpd:def:20102791" version="1" > >class="vulnerability"> > >+<metadata> > >+<title>Timeout detection flaw (mod_proxy_http)</title> > >+<reference source="CVE" ref_id="CVE-2010-2791" > >ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791"/> > >+<description> > >+An information disclosure flaw was found in mod_proxy_http in version > >+2.2.9 only, on Unix platforms. Under certain timeout > >+conditions, the server could return a response intended for another user. > >+Only those configurations which trigger the use of proxy worker pools > >+are affected. There was no vulnerability on earlier versions, as > >+proxy pools were not yet introduced. The simplest workaround is to > >+globally configure:</description> > > It seems here is missing > > +<p>SetEnv proxy-nokeepalive 1</p> > > or similar.
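Review bot: The added <description> for oval:org.apache.httpd:def:20102791 ends with "The simplest workaround is to globally configure:" and then closes, so the sentence introduces a setting that never appears in the text. Either carry the setting in the description or end it at "proxy pools were not yet introduced." so that the OVAL entry describes only the flaw.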
That's the OVAL. The XSLT is using value-of rather than apply-templates so only picks up the first <p> within the <description>. In fact the mitigation text there is not a description of the issue so would be better removed or marked up separately, and could probably be omitted from the OVAL either way.

Regards, Joe
