June 20, 2010

[installer 2410] apache-2.2.15, 2.3.5 CVE-2010-2068 patches

Patches fixing CVE-2010-2068 have been released for apache-2.2.15 and 2.3.5.

http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch

http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch

# CVE-2010-2068; Timeout detection flaw causes proxied response to be sent
# as the response to a different request, and potentially served
# to a different client, from the HTTP proxy pool worker pipeline.
# This may represent a confidential data revealing flaw.
#
# Only affects mod_proxy_http.c on Windows, Netware and OS2 platforms.
#
# Note: This patch has an additional, platform-independent change to
# mark the back-end connection for closing ("backend->close = 1;").
# That code is not required to resolve CVE-2010-2068 on any platform.
#
# Is only triggered by proxy pools configured for timeouts shorter than the
# backend server response delay.
#
# Only affects httpd versions 2.2.9 through 2.2.15, 2.3.4-alpha, 2.3.5-alpha.
# Note that versions prior to 2.2.9 were not affected, including 1.3 and 2.0,
# as the proxy worker pool feature was not yet introduced.
#
# No deliberate exploits are known at this time, however affected users are
# cautioned to assume it may be maliciously exploited in the future.
#
# The straightforward workaround to disable mod_proxy_http's reuse of backend
# connection pipelines is to set the following global directive;
#
# SetEnv proxy-nokeepalive 1
#
# This workaround bypasses all ProxyPass/ProxySet pool options which trigger
# connection pipelines, allowing them to remain in the configuration file
# until the patched module can be deployed.
#
# Binary versions of this patched module for Windows and Netware may be found
# in the corresponding http://www.apache.org/dist/httpd/binaries/ platform
# distribution tree, until new 2.2 and 2.3-alpha releases become available.
#
# Further details organized by httpd release may be available from;
#
# http://httpd.apache.org/security_report.html

----
こがよういちろう


Posted by xml-rpc : June 20, 2010 03:25
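
The conditions listed in the patch header can be checked against a deployed configuration. The following Python check is an added example, not part of the original post or of the Apache patch; the function names and the sample configuration are hypothetical. It assumes pool timeouts appear as a `timeout=` key on `ProxyPass`/`ProxySet` lines and that a `SetEnv` inside any `<...>` container does not count as the global workaround.

```python
import re

AFFECTED_PLATFORMS = {"windows", "netware", "os2"}  # platforms named in the advisory

def version_affected(version):
    """True for 2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha."""
    parts = tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    return (2, 2, 9) <= parts <= (2, 2, 15) or parts in ((2, 3, 4), (2, 3, 5))

def audit(version, platform, conf_text):
    """Report whether one httpd configuration still needs the patch or workaround."""
    pool_timeouts, workaround, depth = [], False, 0
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            depth += 1
        elif re.match(r"(?i)SetEnv\s+proxy-nokeepalive\s+1\s*$", line):
            # Assumption: only a SetEnv outside every <...> container is "global".
            workaround = workaround or depth == 0
        elif re.match(r"(?i)(ProxyPass(Match)?|ProxySet)\s", line) and \
                re.search(r"(?i)\btimeout=\d+", line):
            # Assumption: pool timeouts are the timeout= key on these directives.
            pool_timeouts.append((n, line))
    affected = version_affected(version) and platform.lower() in AFFECTED_PLATFORMS
    return {
        "affected_build": affected,
        "pool_timeouts": pool_timeouts,
        "workaround_global": workaround,
        # The checker cannot know backend response delay, so any pool timeout counts.
        "needs_action": affected and bool(pool_timeouts) and not workaround,
    }

# Constructed sample configuration (not from the advisory).
SAMPLE_CONF = """\
# reverse proxy with a short pool timeout
ProxyPass /app http://backend.example:8080/app timeout=5
<VirtualHost *:80>
    SetEnv proxy-nokeepalive 1
</VirtualHost>
"""

if __name__ == "__main__":
    for key, value in audit("2.2.14", "Windows", SAMPLE_CONF).items():
        print(f"{key}: {value}")
```
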