It was reported [1] that mod_proxy in apache 1.3.x is vulnerable to a buffer overflow on the heap via an integer overflow vulnerability. In the ap_proxy_send_fb() function (in src/modules/proxy/proxy_util.c), the server will convert received data to a long type, and if there is a positive chunk size, will convert the long to an int type, resulting in an integer overflow on 64bit platforms. [1] http://marc.info/?l=full-disclosure&m=126461496425954&w=2
This shouldn't affect Apache 2. The code in question isn't there, and the reproducer does nothing, Apache 2 appears to gracefully handle the large body.
I'm marking the severity of this flaw to low. It only affects rhn satellite and proxy. The mod_proxy bits are not used, so a user would have to enable them, which is unsupported and very unwise. We can disable building that module next time we release an update.
MITRE's CVE-2010-0010 entry: Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow. -- Upstream patch: http://svn.apache.org/viewvc?view=revision&revision=896842
This issue did not affect the versions of the httpd package, as shipped with Red Hat Enterprise Linux 3, 4, and 5. For complete list of vulnerable Apache httpd server versions proceed to upstream security dedicated page: http://httpd.apache.org/security/vulnerabilities_13.html
*** Bug 561358 has been marked as a duplicate of this bug. ***