Bug 242606 (CVE-2007-1862)

Summary: CVE-2007-1862 httpd's mod_mem_cache sensitive information disclosure
Product: [Other] Security Response
Reporter: Lubomir Kundrak <lkundrak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: jorton
Keywords: Reopened, Security
Hardware: All
OS: Linux
URL: http://issues.apache.org/bugzilla/show_bug.cgi?id=41551
Fixed In Version: 2.2.4-4.1.fc7
Doc Type: Bug Fix
Last Closed: 2008-01-16 17:16:30 UTC
Bug Depends On: 244660, 245127

Description Lubomir Kundrak 2007-06-05 01:02:39 UTC
Description of problem:

The mod_mem_cache module in Apache httpd-2.2.4 could return headers from cache
pool objects that were already cleaned up and used for other purposes,
possibly disclosing sensitive information.

The change that caused this flaw was introduced in revision 484642 [1] and
reverted in revision 543515 [2].

[1] http://svn.apache.org/viewvc?view=rev&revision=484642
[2] http://svn.apache.org/viewvc?view=rev&revision=543515

Version-Release number of selected component (if applicable):

httpd-2.2.4 and thus:

        CVE-2007-1862 Doesn't Affect: FC5
        CVE-2007-1862 Affects: FC6
        CVE-2007-1862 Affects: FC7

How reproducible:

Race-condition
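
Added illustration, not code from httpd, APR or the revisions cited above: a simplified, single-threaded C model of the bug class the description names, where a cache entry keeps a pointer to header data in a pool that is later cleaned up and reused, next to a variant that keeps its own copy. The `pool_t` arena, `cache_entry_t` and all function names are hypothetical, and the header strings are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Toy bump allocator standing in for a memory pool (hypothetical, not APR). */
typedef struct { char buf[256]; size_t used; } pool_t;

static char *pool_strdup(pool_t *p, const char *s) {
    size_t n = strlen(s) + 1;
    if (p->used + n > sizeof p->buf) return NULL;   /* arena exhausted */
    char *dst = p->buf + p->used;
    memcpy(dst, s, n);
    p->used += n;
    return dst;
}

/* "Cleanup": memory becomes available for reuse, contents are not erased. */
static void pool_clear(pool_t *p) { p->used = 0; }

typedef struct {
    const char *hdr_borrowed; /* flawed: points into a pool the entry does not own */
    char hdr_owned[64];       /* hardened: private copy with the entry's lifetime */
} cache_entry_t;

static void cache_store(cache_entry_t *e, pool_t *p, const char *hdr) {
    e->hdr_borrowed = pool_strdup(p, hdr);
    snprintf(e->hdr_owned, sizeof e->hdr_owned, "%s", hdr);
}

/* Store a header, clean up the pool, then let another user allocate from it. */
static void run_scenario(pool_t *pool, cache_entry_t *e) {
    cache_store(e, pool, "Content-Type: text/html");   /* constructed sample */
    pool_clear(pool);                                  /* pool cleaned up ... */
    pool_strdup(pool, "Cookie: session=CONSTRUCTED");  /* ... and reused */
}

int main(void) {
    static pool_t pool;   /* zero-initialised arena */
    cache_entry_t e;
    run_scenario(&pool, &e);
    /* The borrowed pointer now reads the other user's data; the copy does not. */
    printf("borrowed: %s\nowned:    %s\n", e.hdr_borrowed, e.hdr_owned);
    return 0;
}
```

The arena never frees its backing buffer, so the stale read here is deterministic; with real pool memory and concurrent requests the same lifetime mistake shows up only intermittently.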

Comment 1 Fedora Update System 2007-06-27 03:52:44 UTC
httpd-2.2.4-4.1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Tomas Hoger 2008-01-16 17:16:30 UTC
This issue was specific to httpd version 2.2.4 and did not affect the versions
of httpd as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5 and Red Hat
Application Stack v1.

The version of httpd as shipped with Red Hat Application Stack v2 was fixed prior to
its first release.