Server mod_proxy_ajp Denial of Service Vulnerability

Bug #871674 reported by Gabrieli Gianpietro
This bug affects 1 person
Affects: apache2 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Steve Beattie
Milestone: (none)

Bug Description

A vulnerability exists in Apache HTTP Server due to an error within the processing of malformed HTTP requests in mod_proxy_ajp when being used in combination with mod_proxy_balancer.

Steve Beattie (sbeattie) wrote :

Thanks for the heads up, assigning to myself.

Changed in apache2 (Ubuntu):
status: New → In Progress
assignee: nobody → Steve Beattie (sbeattie)
visibility: private → public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.20-1ubuntu1.1

---------------
apache2 (2.2.20-1ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests. (patch courtesy of Michael Jeanson)
    - CVE-2011-3368
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/214_CVE-2011-3192_regression.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option, along
      with a staged fix for the 2.2.22 release.
 -- Steve Beattie <email address hidden> Mon, 07 Nov 2011 14:01:10 -0800

Changed in apache2 (Ubuntu):
status: In Progress → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
