Bug 570171 (CVE-2010-0434) - CVE-2010-0434 httpd: request header information leak
Summary: CVE-2010-0434 httpd: request header information leak
Status: CLOSED ERRATA
Alias: CVE-2010-0434
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,source=upstream,reported=2...
Keywords: Security
Depends On: 570440 570441 570442 572404 572955 572956
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-03-03 14:28 UTC by Tomas Hoger
Modified: 2019-06-08 12:56 UTC (History)
4 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2015-08-22 16:03:17 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0168 normal SHIPPED_LIVE Moderate: httpd security and enhancement update 2010-03-25 09:11:54 UTC
Red Hat Product Errata RHSA-2010:0175 normal SHIPPED_LIVE Low: httpd security, bug fix, and enhancement update 2010-03-25 15:52:26 UTC
Red Hat Product Errata RHSA-2010:0396 normal SHIPPED_LIVE Moderate: httpd and httpd22 security and enhancement update 2010-05-05 12:54:58 UTC
Red Hat Product Errata RHSA-2010:0602 normal SHIPPED_LIVE Moderate: Red Hat Certificate System 7.3 security update 2010-08-05 14:04:51 UTC

Description Tomas Hoger 2010-03-03 14:28:20 UTC
Quoting httpd 2.2 security page:
  http://httpd.apache.org/security/vulnerabilities_22.html#2.2.15

  low: Request header information leak CVE-2010-0434

  A bug in the handling of headers in subrequests could lead to a reuse of
  memory. In a multithreaded MPM this could possibly cause an information
  leak from other requests being handled by a different thread.

  Affects: 2.2.0 - 2.2.14

Upstream bug:
  https://issues.apache.org/bugzilla/show_bug.cgi?id=48359

Upstream commits (2.2.x branch):
  http://svn.apache.org/viewvc?view=revision&revision=917867
  http://svn.apache.org/viewvc?view=revision&revision=918427

Comment 3 Tomas Hoger 2010-03-10 07:53:59 UTC
Upstream security page was updated to list 2.0.35 - 2.0.63 as vulnerable too.

Comment 5 roneads 2010-03-22 15:43:49 UTC
Please elevate this report to a severity of URGENT to find a solution.

Comment 6 roneads 2010-03-22 15:45:28 UTC
Please elevate this report to a severity of URGENT to find a solution.

Comment 7 errata-xmlrpc 2010-03-25 09:11:59 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0168 https://rhn.redhat.com/errata/RHSA-2010-0168.html

Comment 8 errata-xmlrpc 2010-03-25 15:52:41 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0175 https://rhn.redhat.com/errata/RHSA-2010-0175.html

Comment 9 Fedora Update System 2010-04-05 18:48:23 UTC
httpd-2.2.15-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12

Comment 10 Fedora Update System 2010-04-05 18:48:25 UTC
httpd-2.2.15-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13

Comment 11 Fedora Update System 2010-04-05 18:48:29 UTC
httpd-2.2.15-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11

Comment 12 Fedora Update System 2010-04-05 18:49:13 UTC
httpd-2.2.15-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13

Comment 13 Fedora Update System 2010-04-05 18:49:24 UTC
httpd-2.2.15-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12

Comment 14 Fedora Update System 2010-04-07 01:34:01 UTC
httpd-2.2.15-1.fc12.1 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12.1

Comment 15 Fedora Update System 2010-04-07 01:36:28 UTC
httpd-2.2.15-1.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11.1

Comment 16 Fedora Update System 2010-04-22 22:51:22 UTC
httpd-2.2.15-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2010-05-04 06:06:28 UTC
httpd-2.2.15-1.fc11.1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 errata-xmlrpc 2010-05-05 12:55:03 UTC
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 4
  JBEWS 1.0 for RHEL 5

Via RHSA-2010:0396 https://rhn.redhat.com/errata/RHSA-2010-0396.html

Comment 19 Fedora Update System 2010-05-31 18:25:13 UTC
httpd-2.2.15-1.fc12.2 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 errata-xmlrpc 2010-08-04 21:31:20 UTC
This issue has been addressed in following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html


Note You need to log in before you can comment on or make changes to this bug.