Quoting httpd 2.2 security page:
http://httpd.apache.org/security/vulnerabilities_22.html#2.2.15
low: Request header information leak CVE-2010-0434
A bug in the handling of headers in subrequests could lead to a reuse of memory. In a multithreaded MPM this could possibly cause an information leak from other requests being handled by a different thread.
Affects: 2.2.0 - 2.2.14
Upstream bug:
https://issues.apache.org/bugzilla/show_bug.cgi?id=48359
Upstream commits (2.2.x branch):
http://svn.apache.org/viewvc?view=revision&revision=917867
http://svn.apache.org/viewvc?view=revision&revision=918427
Upstream security page was updated to list 2.0.35 - 2.0.63 as vulnerable too.
Please elevate this report to a severity of URGENT to find a solution.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2010:0168 https://rhn.redhat.com/errata/RHSA-2010-0168.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Via RHSA-2010:0175 https://rhn.redhat.com/errata/RHSA-2010-0175.html
httpd-2.2.15-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12
httpd-2.2.15-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13
httpd-2.2.15-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11
httpd-2.2.15-1.fc12.1 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12.1
httpd-2.2.15-1.fc11.1 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11.1
httpd-2.2.15-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
httpd-2.2.15-1.fc11.1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
JBEWS 1.0 for RHEL 4
JBEWS 1.0 for RHEL 5
Via RHSA-2010:0396 https://rhn.redhat.com/errata/RHSA-2010-0396.html
httpd-2.2.15-1.fc12.2 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Certificate System 7.3
Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html