From: "Philip M. Gollucci"
Organization: RideCharge Inc / TaxiMagic
Date: Fri, 11 Jun 2010 21:02:08 +0000
Message-ID: <4C12A450.2070802@ridecharge.com>
To: apache@FreeBSD.org
Subject: Fwd: [advisory] httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068
List-Id: Support of apache-related ports

-------- Original Message --------
Subject: [advisory] httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068
Date: Fri, 11 Jun 2010 12:48:55 -0700
From: William A. Rowe Jr.
To: announce@apache.org

Vulnerability; httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068

Classification; important

Description;

    A timeout detection flaw in the httpd mod_proxy_http module causes
    proxied response to be sent as the response to a different request,
    and potentially served to a different client, from the HTTP proxy
    pool worker pipeline.

    This may represent a confidential data revealing flaw.

    This affects only Netware, Windows or OS2 builds of httpd version
    2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha, when the proxy
    worker pools have been enabled. Earlier 2.2, 2.0 and 1.3 releases
    were not affected.

Acknowledgements;

    We would like to thank Loren Anderson for the thorough research
    and reporting of this flaw.

Mitigation;

    Apply any one of the following mitigations to avert the possibility
    of confidential information disclosure.

    * Do not load mod_proxy_http.

    * Do not configure/enable any http proxy worker pools with ProxySet
      or ProxyPass optional arguments.

    * The straightforward workaround to disable mod_proxy_http's reuse
      of backend connection pipelines is to set the following global
      directive;

          SetEnv proxy-nokeepalive 1

    * Replace mod_proxy_http.so with a patched version, for source code
      see http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/ or
      http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/
      and for binaries see the http://www.apache.org/dist/httpd/binaries/
      tree for win32 or netware, as appropriate.

    * Upgrade to Apache httpd 2.2.16 or higher, once released. There is
      no tentative release date scheduled.

Update Released; 11th June 2010
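
Added example (not part of the advisory or of Apache httpd): a small configuration audit that applies the advisory's conditions to one httpd configuration text and reports whether the SetEnv workaround is still needed. The function names, status strings, platform labels and the sample configuration are assumptions of this example; it reads a single file's text and does not follow Include directives.

```python
import re

AFFECTED_PLATFORMS = {"netware", "windows", "os2"}  # labels are this example's assumption
SAMPLE_CONF = """\
# constructed sample configuration, not taken from the advisory
LoadModule proxy_http_module modules/mod_proxy_http.so
<VirtualHost *:80>
    SetEnv proxy-nokeepalive 1
    ProxyPass /app http://backend.example:8080/app max=20 ttl=120
</VirtualHost>
"""

def version_affected(version):
    """True for 2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha (the advisory's list)."""
    v = tuple(int(n) for n in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    return (2, 2, 9) <= v <= (2, 2, 15) or v in ((2, 3, 4), (2, 3, 5))

def audit(conf_text, version, platform):
    """Return (status, pool_lines); status is 'not-affected', 'mitigated' or 'unmitigated'."""
    if platform.lower() not in AFFECTED_PLATFORMS or not version_affected(version):
        return "not-affected", []
    depth, loaded, nokeepalive, pools = 0, False, False, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):  # track <VirtualHost>, <Proxy>, ... nesting
            depth += -1 if line.startswith("</") else 1
            continue
        tok = line.split()
        name = tok[0].lower()
        args = [t.lower() for t in tok[1:]]
        if name == "loadmodule" and args[:1] == ["proxy_http_module"]:
            loaded = True
        elif name == "proxyset":
            pools.append(line)
        elif name == "proxypass" and any(re.match(r"[a-z]+=\S", a) for a in args):
            pools.append(line)  # ProxyPass with optional key=value arguments
        elif name == "setenv" and depth == 0 and args == ["proxy-nokeepalive", "1"]:
            nokeepalive = True  # only server level counts: the advisory asks for a global directive
    if not loaded or not pools:
        return "not-affected", []
    return ("mitigated" if nokeepalive else "unmitigated"), pools

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "2.2.14", "Windows"))
```

A configuration check cannot tell whether mod_proxy_http.so has been replaced with the patched build, so an "unmitigated" result on a patched host still needs that fact confirmed separately.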