Server mod_proxy_ajp Denial of Service Vulnerability

Bug #871674 reported by Gabrieli Gianpietro on 2011-10-10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
Steve Beattie

Bug Description

A vulnerability exists in Apache HTTP Server due to an error within the processing of malformed HTTP requests in mod_proxy_ajp when being used in combination with mod_proxy_balancer.

Steve Beattie (sbeattie) wrote :

Thanks for the heads up, assigning to myself.

Changed in apache2 (Ubuntu):
status: New → In Progress
assignee: nobody → Steve Beattie (sbeattie)
visibility: private → public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.20-1ubuntu1.1

apache2 (2.2.20-1ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests. (patch courtesy of Michael Jeanson)
    - CVE-2011-3368
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
    - CVE-2011-3348
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/214_CVE-2011-3192_regression.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option, along
      with a staged fix for the 2.2.22 release.
 -- Steve Beattie <email address hidden> Mon, 07 Nov 2011 14:01:10 -0800

Changed in apache2 (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers