Bug 570171 (CVE-2010-0434) - CVE-2010-0434 httpd: request header information leak
Summary: CVE-2010-0434 httpd: request header information leak
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-0434
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 570440 570441 570442 572404 572955 572956
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-03-03 14:28 UTC by Tomas Hoger
Modified: 2019-09-29 12:35 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 16:03:17 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0168 0 normal SHIPPED_LIVE Moderate: httpd security and enhancement update 2010-03-25 09:11:54 UTC
Red Hat Product Errata RHSA-2010:0175 0 normal SHIPPED_LIVE Low: httpd security, bug fix, and enhancement update 2010-03-25 15:52:26 UTC
Red Hat Product Errata RHSA-2010:0396 0 normal SHIPPED_LIVE Moderate: httpd and httpd22 security and enhancement update 2010-05-05 12:54:58 UTC
Red Hat Product Errata RHSA-2010:0602 0 normal SHIPPED_LIVE Moderate: Red Hat Certificate System 7.3 security update 2010-08-05 14:04:51 UTC

Description Tomas Hoger 2010-03-03 14:28:20 UTC 
Quoting httpd 2.2 security page:
  http://httpd.apache.org/security/vulnerabilities_22.html#2.2.15

  low: Request header information leak CVE-2010-0434

  A bug in the handling of headers in subrequests could lead to a reuse of
  memory. In a multithreaded MPM this could possibly cause an information
  leak from other requests being handled by a different thread.

  Affects: 2.2.0 - 2.2.14

Upstream bug:
  https://issues.apache.org/bugzilla/show_bug.cgi?id=48359

Upstream commits (2.2.x branch):
  http://svn.apache.org/viewvc?view=revision&revision=917867
  http://svn.apache.org/viewvc?view=revision&revision=918427
Comment 3 Tomas Hoger 2010-03-10 07:53:59 UTC 
Upstream security page was updated to list 2.0.35 - 2.0.63 as vulnerable too.
Comment 5 roneads 2010-03-22 15:43:49 UTC 
Please elevate this report to a severity of URGENT to find a solution.
Comment 6 roneads 2010-03-22 15:45:28 UTC 
Please elevate this report to a severity of URGENT to find a solution.
Comment 7 errata-xmlrpc 2010-03-25 09:11:59 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0168 https://rhn.redhat.com/errata/RHSA-2010-0168.html
Comment 8 errata-xmlrpc 2010-03-25 15:52:41 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0175 https://rhn.redhat.com/errata/RHSA-2010-0175.html
Comment 9 Fedora Update System 2010-04-05 18:48:23 UTC 
httpd-2.2.15-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12
Comment 10 Fedora Update System 2010-04-05 18:48:25 UTC 
httpd-2.2.15-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13
Comment 11 Fedora Update System 2010-04-05 18:48:29 UTC 
httpd-2.2.15-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11
Comment 12 Fedora Update System 2010-04-05 18:49:13 UTC 
httpd-2.2.15-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13
Comment 13 Fedora Update System 2010-04-05 18:49:24 UTC 
httpd-2.2.15-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12
Comment 14 Fedora Update System 2010-04-07 01:34:01 UTC 
httpd-2.2.15-1.fc12.1 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12.1
Comment 15 Fedora Update System 2010-04-07 01:36:28 UTC 
httpd-2.2.15-1.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11.1
Comment 16 Fedora Update System 2010-04-22 22:51:22 UTC 
httpd-2.2.15-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2010-05-04 06:06:28 UTC 
httpd-2.2.15-1.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 errata-xmlrpc 2010-05-05 12:55:03 UTC 
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 4
  JBEWS 1.0 for RHEL 5

Via RHSA-2010:0396 https://rhn.redhat.com/errata/RHSA-2010-0396.html
Comment 19 Fedora Update System 2010-05-31 18:25:13 UTC 
httpd-2.2.15-1.fc12.2 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 errata-xmlrpc 2010-08-04 21:31:20 UTC 
This issue has been addressed in following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html
Note You need to log in before you can comment on or make changes to this bug.