Information Security


Additional information

  Information leak via mod_proxy_http in Apache

  [advisory] httpd Timeout detection flaw (mod_proxy_http)
CVE-2010-2068

From: MANDRIVA
Date: August 19, 2010
Subject: [ MDVSA-2010:153 ] apache

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2010:153
http://www.mandriva.com/security/
_______________________________________________________________________

Package : apache
Date    : August 16, 2010
Affected: 2009.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been found and corrected in apache:

The mod_cache and mod_dav modules in the Apache HTTP Server 2.2.x
before 2.2.16 allow remote attackers to cause a denial of service
(process crash) via a request that lacks a path (CVE-2010-1452).

mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix,
does not close the backend connection if a timeout occurs when reading
a response from a persistent connection, which allows remote attackers
to obtain a potentially sensitive response intended for a different
client in opportunistic circumstances via a normal HTTP request.
NOTE: this is the same issue as CVE-2010-2068, but for a different
OS and set of affected versions (CVE-2010-2791).

Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791
http://httpd.apache.org/security/vulnerabilities_22.html
_______________________________________________________________________

Updated Packages:

_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.  You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMaTSHmqjQ0CJFipgRAtoCAJ9BGN6CAncvlMzNDaRADUpkjPp7uACg7Mpx
rElFxWU84znmOrOERj6iHh8=
=oTXe
-----END PGP SIGNATURE-----
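
The mod_proxy flaw described in the advisory above (a persistent backend connection that is not closed after a read timeout and is then reused) is modelled below, next to the corrected behaviour. This is an added illustration, not Apache or Mandriva code; the BackendConn and Proxy classes, the tick-based clock and the request strings are constructed for the example.

```python
from collections import deque

class BackendConn:
    """Toy keep-alive connection (constructed model): answers come back in request order."""
    def __init__(self):
        self.pending = deque()            # (ready_at, body) for requests not yet answered

    def send(self, request, ready_at):
        self.pending.append((ready_at, f"response to [{request}]"))

    def read(self, now, timeout):
        """Return (body, arrival_time) for the oldest pending response, None on timeout."""
        ready_at, body = self.pending[0]
        if ready_at > now + timeout:
            return None                   # the response is still owed on this connection
        self.pending.popleft()
        return body, max(now, ready_at)

class Proxy:
    """Toy reverse proxy with a pool of idle backend connections (hypothetical names)."""
    def __init__(self, close_on_timeout):
        self.close_on_timeout = close_on_timeout
        self.pool = []
        self.now = 0                      # simulated clock, in ticks

    def handle(self, request, backend_delay, timeout=5):
        conn = self.pool.pop() if self.pool else BackendConn()
        conn.send(request, self.now + backend_delay)
        result = conn.read(self.now, timeout)
        if result is None:                # timed out while reading the backend response
            self.now += timeout
            if not self.close_on_timeout:
                self.pool.append(conn)    # flawed: reused with a stale response in flight
            return "proxy error: backend timeout"
        body, self.now = result
        self.pool.append(conn)            # clean exchange, safe to keep alive
        return body

def run(close_on_timeout):
    """Client A hits a slow backend page, then client B makes an ordinary request."""
    proxy = Proxy(close_on_timeout)
    to_a = proxy.handle("GET /account?user=alice", backend_delay=8)
    to_b = proxy.handle("GET /index.html", backend_delay=1)
    return to_a, to_b

if __name__ == "__main__":
    print("timeout leaves connection pooled:", run(close_on_timeout=False))
    print("timeout closes connection:       ", run(close_on_timeout=True))
```

With the connection left in the pool, the second client is handed the late response to the first client's request; discarding the connection on timeout keeps each response paired with its own request.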

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod