Re: svn commit: r981498 - in /httpd/site/trunk: docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities-httpd.xml
Hi Joe,

On 02.08.2010 15:03, jor...@apache.org wrote:
Author: jorton
Date: Mon Aug 2 13:03:04 2010
New Revision: 981498
URL: http://svn.apache.org/viewvc?rev=981498view=rev
Log: - add description of CVE-2010-2791
Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml httpd/site/trunk/docs/security/vulnerabilities_22.html httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=981498r1=981497r2=981498view=diff
== --- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original) +++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug 2 13:03:04 2010 @@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks./ /criteria /criteria /definition +definition id=oval:org.apache.httpd:def:20102791 version=1 class=vulnerability +metadata +titleTimeout detection flaw (mod_proxy_http)/title +reference source=CVE ref_id=CVE-2010-2791 ref_url=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791/ +description +An information disclosure flaw was found in mod_proxy_http in version +2.2.9 only, on Unix platforms. Under certain timeout +conditions, the server could return a response intended for another user. +Only those configurations which trigger the use of proxy worker pools +are affected. There was no vulnerability on earlier versions, as +proxy pools were not yet introduced. The simplest workaround is to +globally configure:/description
It seems here is missing +pSetEnv proxy-nokeepalive 1/p or similar.
+apache_httpd_repository +public20100723/public +reported20100723/reported +released20081031/released ...

Regards,
Rainer
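Review bot: the description added for CVE-2010-2791 ends at "The simplest workaround is to globally configure:" and closes right there, so the OVAL entry finishes on a colon with no directive after it. Either end the description at "as proxy pools were not yet introduced." or carry the workaround in its own element, so that the description text only describes the flaw and nothing in it reads as cut off.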
Re: svn commit: r981498 - in /httpd/site/trunk: docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities-httpd.xml
On Mon, Aug 02, 2010 at 03:33:45PM +0200, Rainer Jung wrote:
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original) +++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug 2 13:03:04 2010 @@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks./ /criteria /criteria /definition +definition id=oval:org.apache.httpd:def:20102791 version=1 class=vulnerability +metadata +titleTimeout detection flaw (mod_proxy_http)/title +reference source=CVE ref_id=CVE-2010-2791 ref_url=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791/ +description +An information disclosure flaw was found in mod_proxy_http in version +2.2.9 only, on Unix platforms. Under certain timeout +conditions, the server could return a response intended for another user. +Only those configurations which trigger the use of proxy worker pools +are affected. There was no vulnerability on earlier versions, as +proxy pools were not yet introduced. The simplest workaround is to +globally configure:/description
It seems here is missing +pSetEnv proxy-nokeepalive 1/p or similar.

That's the OVAL. The XSLT is using value-of rather than apply-templates so only picks up the first p within the description. In fact the mitigation text there is not a description of the issue so would be better removed or marked up separately, and could probably be omitted from the OVAL either way.

Regards,
Joe
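The value-of versus apply-templates behaviour described in the message above, modelled in Python as an added example (it is not code from the httpd site build or from either poster). The `<issue>` wrapper, the `description/p` path and the helper names are assumptions made for the illustration; the sample entry is constructed from the text quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed source entry. The element names description and p follow the
# thread; the <issue> wrapper is an assumption for this example.
SOURCE = """<issue>
  <description>
    <p>Under certain timeout conditions, the server could return a response
    intended for another user. The simplest workaround is to globally
    configure:</p>
    <p>SetEnv proxy-nokeepalive 1</p>
  </description>
</issue>"""

ROOT = ET.fromstring(SOURCE)


def norm(text):
    """Collapse runs of whitespace so wrapped lines compare cleanly."""
    return " ".join(text.split())


def value_of(root, path):
    """Model of XSLT 1.0 value-of on a node-set: the string value of the
    FIRST selected node only; later nodes are silently ignored."""
    nodes = root.findall(path)
    return norm("".join(nodes[0].itertext())) if nodes else ""


def apply_templates(root, path):
    """Model of apply-templates with the built-in rules: every selected
    node is processed, so the text of all of them reaches the output."""
    return " ".join(norm("".join(n.itertext())) for n in root.findall(path))


def dropped_text(root, path="description/p"):
    """Paragraphs a value-of based transform leaves out of the output."""
    return [norm("".join(n.itertext())) for n in root.findall(path)[1:]]


def ends_dangling(text):
    """A generated description ending in ':' points at a lost follow-up."""
    return text.rstrip().endswith(":")


if __name__ == "__main__":
    print("value-of       :", value_of(ROOT, "description/p"))
    print("apply-templates:", apply_templates(ROOT, "description/p"))
    print("dropped        :", dropped_text(ROOT))
```

Running `dropped_text` and `ends_dangling` over every entry of a generated advisory feed is a quick way to spot mitigation text that the transform lost.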
Re: svn commit: r981498 - in /httpd/site/trunk: docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities-httpd.xml
On 02.08.2010 15:47, Joe Orton wrote:
On Mon, Aug 02, 2010 at 03:33:45PM +0200, Rainer Jung wrote:
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original) +++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Mon Aug 2 13:03:04 2010 @@ -714,6 +714,31 @@ to cross-site scripting (XSS) attacks./ /criteria /criteria /definition +definition id=oval:org.apache.httpd:def:20102791 version=1 class=vulnerability +metadata +titleTimeout detection flaw (mod_proxy_http)/title +reference source=CVE ref_id=CVE-2010-2791 ref_url=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791/ +description +An information disclosure flaw was found in mod_proxy_http in version +2.2.9 only, on Unix platforms. Under certain timeout +conditions, the server could return a response intended for another user. +Only those configurations which trigger the use of proxy worker pools +are affected. There was no vulnerability on earlier versions, as +proxy pools were not yet introduced. The simplest workaround is to +globally configure:/description
It seems here is missing +pSetEnv proxy-nokeepalive 1/p or similar.

That's the OVAL. The XSLT is using value-of rather than apply-templates so only picks up the first p within the description. In fact the mitigation text there is not a description of the issue so would be better removed or marked up separately, and could probably be omitted from the OVAL either way.

Thanks for the explanation and sorry for the noise.

Rainer