[Bug 239894] Re: CVE-2008-2364 Apache2 mod_proxy_http.c DOS

Tue, 10 Mar 2009 08:48:09 -0700 

This bug was fixed in the package apache2 - 2.2.4-3ubuntu0.2

---------------
apache2 (2.2.4-3ubuntu0.2) gutsy-security; urgency=low

  [ Emanuele Gentili ]
  * SECURITY UPDATE:
   + debian/patches/111_CVE-2008-2364.dpatch (LP: #239894)
    - The ap_proxy_http_process_response function in mod_proxy_http.c
      in the mod_proxy module does not limit the number of forwarded
      interim responses, which allows remote HTTP servers to cause a
      denial of service (memory consumption) via a large number of
      interim responses.
   + References
    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2364

  [ Marc Deslauriers ]
  * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in "413 Request
    Entity Too Large" error message
    - debian/patches/107_CVE-2007-6203.dpatch: properly escape some error
      messages in modules/http/http_protocol.c.
    - CVE-2007-6203
  * SECURITY UPDATE: Cross-site request forgery (CSRF) in balancer-manager in
    mod_proxy_balancer
    - debian/patches/108_CVE-2007-6420.dpatch: generate and validate a nonce in
      modules/proxy/mod_proxy_balancer.c.
    - CVE-2007-6420
  * SECURITY UPDATE: Denial of service via memory leak in the zlib_stateful_init
    function (LP: #224945)
    - debian/patches/109_CVE-2008-1678.dpatch: don't call
      CRYPTO_cleanup_all_ex_data in modules/ssl/mod_ssl.c.
    - CVE-2008-1678
  * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability via UTF-7 encoded
    URLs
    - debian/patches/110_CVE-2008-2168.dpatch: specify a default charset in
      modules/dav/main/mod_dav.c, modules/generators/mod_info.c and
      modules/proxy/mod_proxy_balancer.c.
    - CVE-2008-2168
  * SECURITY UPDATE: Denial of service via large number of interim responses in
    mod_proxy module (LP: #239894)
    - debian/patches/111_CVE-2008-2364.dpatch: updated patch to newer version.
    - CVE-2008-2364
  * SECURITY UPDATE: Cross-site scripting (XSS) vulnerability in the
    mod_proxy_ftp module
    - debian/patches/112_CVE-2008-2939.dpatch: escape the html
      contained in the wildcard value in modules/proxy/mod_proxy_ftp.c.
    - CVE-2008-2939

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>   Thu, 05 Mar 2009
15:54:32 -0500

** Changed in: apache2 (Ubuntu Gutsy)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2007-6203

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2007-6420

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-1678

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-2168

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2008-2939

** Changed in: apache2 (Ubuntu Hardy)
       Status: Fix Committed => Fix Released

-- 
CVE-2008-2364 Apache2 mod_proxy_http.c DOS
https://bugs.launchpad.net/bugs/239894
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to