Fwd: [advisory] httpd Timeout detection flaw (mod_proxy_http)
Philip M. Gollucci
pgollucci at ridecharge.com
Fri Jun 11 21:02:10 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
- -------- Original Message --------
Subject: [advisory] httpd Timeout detection flaw (mod_proxy_http)
Date: Fri, 11 Jun 2010 12:48:55 -0700
From: William A. Rowe Jr. <wrowe at apache.org>
To: announce at apache.org <announce at apache.org>
Vulnerability; httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068
A timeout detection flaw in the httpd mod_proxy_http module causes
proxied response to be sent as the response to a different request,
and potentially served to a different client, from the HTTP proxy
pool worker pipeline.
This may represent a confidential data revealing flaw.
This affects only Netware, Windows or OS2 builds of httpd version
2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha, when the proxy
worker pools have been enabled. Earlier 2.2, 2.0 and 1.3 releases
were not affected.
We would like to thank Loren Anderson for the thorough research
and reporting of this flaw.
Apply any one of the following mitigations to avert the possibility
of confidential information disclosure.
* Do not load mod_proxy_http.
* Do not configure/enable any http proxy worker pools with ProxySet
or ProxyPass optional arguments.
* The straightforward workaround to disable mod_proxy_http's reuse
of backend connection pipelines is to set the following global
SetEnv proxy-nokeepalive 1
* Replace mod_proxy_http.so with a patched version, for source code
see http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/ or
http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/ and for
binaries see the http://www.apache.org/dist/httpd/binaries/ tree
for win32 or netware, as appropriate.
* Upgrade to Apache httpd 2.2.16 or higher, once released. There
is no tentative release date scheduled.
Update Released; 11th June 2010
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (FreeBSD)
-----END PGP SIGNATURE-----
More information about the freebsd-apache