Bug 570171 (CVE-2010-0434)

Summary: CVE-2010-0434 httpd: request header information leak
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jorton, luke-redhat, pcheung, ronald.eads
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,source=upstream,reported=20100303,public=20091209,cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-22 16:03:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 570440, 570441, 570442, 572404, 572955, 572956    
Bug Blocks:    

Description Tomas Hoger 2010-03-03 14:28:20 UTC
Quoting httpd 2.2 security page:
  http://httpd.apache.org/security/vulnerabilities_22.html#2.2.15

  low: Request header information leak CVE-2010-0434

  A bug in the handling of headers in subrequests could lead to a reuse of
  memory. In a multithreaded MPM this could possibly cause an information
  leak from other requests being handled by a different thread.

  Affects: 2.2.0 - 2.2.14

Upstream bug:
  https://issues.apache.org/bugzilla/show_bug.cgi?id=48359

Upstream commits (2.2.x branch):
  http://svn.apache.org/viewvc?view=revision&revision=917867
  http://svn.apache.org/viewvc?view=revision&revision=918427

Comment 3 Tomas Hoger 2010-03-10 07:53:59 UTC
Upstream security page was updated to list 2.0.35 - 2.0.63 as vulnerable too.

Comment 5 roneads 2010-03-22 15:43:49 UTC
Please elevate this report to a severity of URGENT to find a solution.

Comment 6 roneads 2010-03-22 15:45:28 UTC
Please elevate this report to a severity of URGENT to find a solution.

Comment 7 errata-xmlrpc 2010-03-25 09:11:59 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0168 https://rhn.redhat.com/errata/RHSA-2010-0168.html

Comment 8 errata-xmlrpc 2010-03-25 15:52:41 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0175 https://rhn.redhat.com/errata/RHSA-2010-0175.html

Comment 9 Fedora Update System 2010-04-05 18:48:23 UTC
httpd-2.2.15-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12

Comment 10 Fedora Update System 2010-04-05 18:48:25 UTC
httpd-2.2.15-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13

Comment 11 Fedora Update System 2010-04-05 18:48:29 UTC
httpd-2.2.15-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11

Comment 12 Fedora Update System 2010-04-05 18:49:13 UTC
httpd-2.2.15-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13

Comment 13 Fedora Update System 2010-04-05 18:49:24 UTC
httpd-2.2.15-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12

Comment 14 Fedora Update System 2010-04-07 01:34:01 UTC
httpd-2.2.15-1.fc12.1 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12.1

Comment 15 Fedora Update System 2010-04-07 01:36:28 UTC
httpd-2.2.15-1.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11.1

Comment 16 Fedora Update System 2010-04-22 22:51:22 UTC
httpd-2.2.15-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2010-05-04 06:06:28 UTC
httpd-2.2.15-1.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 errata-xmlrpc 2010-05-05 12:55:03 UTC
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 4
  JBEWS 1.0 for RHEL 5

Via RHSA-2010:0396 https://rhn.redhat.com/errata/RHSA-2010-0396.html

Comment 19 Fedora Update System 2010-05-31 18:25:13 UTC
httpd-2.2.15-1.fc12.2 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 errata-xmlrpc 2010-08-04 21:31:20 UTC
This issue has been addressed in following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html