Message-ID: <Pine.GSO.4.64.1008041716240.19654@faron.mitre.org>
Date: Wed, 4 Aug 2010 17:23:58 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: dev@...pd.apache.org, jeremy@...zel.net
Subject: Re: CVE-2010-2791: mod_proxy information leak affecting 2.2.9 only


A subtle comment here.  Arguably, this is the same core bug and could have 
been merged into CVE-2010-2068, even though the versions are different. 
Effectively, you've got multiple independent "streams" of 2.2.x Apache - 
which vary by operating system - and there's no overlap between which 
"stream" is affected by CVE-2010-2791 versus the ones that are affected by 
CVE-2010-2068.  And there are no regression errors.  This general 
abstraction difficulty applies to most software that runs on multiple 
platforms, where each platform has slightly different up-to-date versions, 
or delays in fixes for some platforms versus others.  (You could extend 
the logic to how each distro maintains its own versions of common 
software...)

However, this is a fairly arcane point that demonstrates the difficulty of 
keeping CVE consistent with only a couple of simple rules (split-by-vulntype 
and split-by-version), instead of getting mired in lots of exceptions.

As a practical matter, this is a fairly important distinction, and if we 
were to MERGE into CVE-2010-2068 and update the description, that might 
not be enough of a "signal" to sysadmins that they have to re-evaluate 
their security posture.  So I'm reluctantly OK with leaving CVE-2010-2791 
separate - but I don't want to set this up as a formal precedent for these 
kinds of abstraction choices for later disclosures.

- Steve


On Fri, 30 Jul 2010, Joe Orton wrote:

> Jeremy Sowden discovered an information leak in mod_proxy affecting
> httpd version 2.2.9 only.  If a timeout occurred reading a response from
> a backend on a persistent connection, the backend connection was not
> closed.  The response could subsequently be read and delivered to an
> unrelated client.
>
> This issue has been assigned CVE name CVE-2010-2791, and is equivalent
> to CVE-2010-2068 (fixed in 2.2.16) but affects httpd on Unix.  The bug
> was fixed* in 2.2.10 but the security impact was not known at the time.
>
> I'll update http://httpd.apache.org/security/vulnerabilities_22.html to
> reflect this shortly.
>
> Regards, Joe
>
> * fix for 2.2.x branch: http://svn.apache.org/viewvc?rev=699841&view=rev
>
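
The failure mode Joe describes above (a backend response that arrives after the proxy's read timeout, on a persistent connection that is then reused for another client) can be modelled in a few lines. This is an added illustration, not Apache httpd code: the `BackendConnection`, `ProxyPool` and `simulate` names are hypothetical, and the "timeout" is simulated by the backend simply not having answered yet. The same model shows the fix, which is to close the backend connection instead of returning it to the pool when a read times out.

```python
"""Toy model of the mod_proxy 2.2.9 backend-connection reuse bug and its fix.

Added example, not httpd code. A backend connection holds a queue of
responses it has not yet delivered; a read timeout means the proxy gave up
before the backend answered, so the answer is still queued on the socket.
"""
from collections import deque


class BackendConnection:
    def __init__(self):
        self.pending = deque()   # responses the backend has not delivered yet
        self.closed = False

    def send_request(self, request_id):
        # The backend answers every request it receives, eventually.
        self.pending.append(f"response-for-{request_id}")

    def read_response(self, backend_ready):
        """Return the next queued response, or None on read timeout."""
        if backend_ready and self.pending:
            return self.pending.popleft()
        return None


class ProxyPool:
    def __init__(self, close_on_timeout):
        self.close_on_timeout = close_on_timeout   # False = 2.2.9 behaviour
        self.idle = []                             # reusable connections

    def acquire(self):
        return self.idle.pop() if self.idle else BackendConnection()

    def release(self, conn):
        if not conn.closed:          # closed connections never re-enter the pool
            self.idle.append(conn)

    def proxy(self, client_request, backend_ready):
        conn = self.acquire()
        conn.send_request(client_request)
        resp = conn.read_response(backend_ready)
        if resp is None:
            if self.close_on_timeout:   # the fix: discard the tainted connection
                conn.closed = True
            self.release(conn)
            return "504 gateway timeout"
        self.release(conn)
        return resp


def simulate(close_on_timeout):
    """Client A's read times out; client B then reuses the pool."""
    pool = ProxyPool(close_on_timeout)
    first = pool.proxy("client-A", backend_ready=False)   # times out
    second = pool.proxy("client-B", backend_ready=True)   # may get A's data
    return first, second
```

With `close_on_timeout=False` the second client receives `response-for-client-A`, the stale response meant for an unrelated client; with the fix it receives its own.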
