On 02.08.2010 15:47, Joe Orton wrote:
On Mon, Aug 02, 2010 at 03:33:45PM +0200, Rainer Jung wrote:
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug 2 13:03:04
2010
@@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks.</
</criteria>
</criteria>
</definition>
+<definition id="oval:org.apache.httpd:def:20102791" version="1"
class="vulnerability">
+<metadata>
+<title>Timeout detection flaw (mod_proxy_http)</title>
+<reference source="CVE" ref_id="CVE-2010-2791"
ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791"/>
+<description>
+An information disclosure flaw was found in mod_proxy_http in version
+2.2.9 only, on Unix platforms. Under certain timeout
+conditions, the server could return a response intended for another user.
+Only those configurations which trigger the use of proxy worker pools
+are affected. There was no vulnerability on earlier versions, as
+proxy pools were not yet introduced. The simplest workaround is to
+globally configure:</description>
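Review bot: The description in the new definition ends with "The simplest workaround is to globally configure:" and is then closed by </description>, so the sentence promises a setting that is never given. Either carry the setting inside the description text or drop that trailing sentence, since it covers mitigation rather than the flaw itself.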
It seems here is missing
+<p>SetEnv proxy-nokeepalive 1</p>
or similar.
That's the OVAL. The XSLT is using value-of rather than apply-templates
so only picks up the first <p> within the <description>. In fact the
mitigation text there is not a description of the issue so would be
better removed or marked up separately, and could probably be omitted
from the OVAL either way.
Thanks for the explanation and sorry for the noise.
Rainer
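The value-of versus apply-templates behaviour described in the thread, as an added XSLT 1.0 example that is not the httpd site stylesheet: the `issue` and `result` element names, the template layout and the sample input are assumptions constructed for illustration.

```xslt
<?xml version="1.0"?>
<!-- Added illustration (XSLT 1.0). Only <description> and <p> come from the
     thread; every other name here is hypothetical. -->
<!-- Constructed input to run it against:
  <issue>
    <description>
      <p>First paragraph: what the flaw is.</p>
      <p>Second paragraph: the workaround.</p>
    </description>
  </issue>
-->
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml" indent="yes"/>

  <xsl:template match="/issue">
    <result>
      <!-- In XSLT 1.0, value-of converts the selected node-set to a string,
           which is the string value of the FIRST node in document order.
           The second <p> never reaches the output. -->
      <with-value-of>
        <xsl:value-of select="description/p"/>
      </with-value-of>

      <!-- apply-templates visits every selected node in document order,
           so both paragraphs are emitted. -->
      <with-apply-templates>
        <xsl:apply-templates select="description/p"/>
      </with-apply-templates>
    </result>
  </xsl:template>

  <!-- Emit each paragraph's text, separated by a single space. -->
  <xsl:template match="description/p">
    <xsl:value-of select="normalize-space(.)"/>
    <xsl:if test="position() != last()">
      <xsl:text> </xsl:text>
    </xsl:if>
  </xsl:template>
</xsl:stylesheet>
```

Any XSLT 1.0 processor will do, for example `xsltproc` with the stylesheet and the constructed input saved as separate files.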