Executive Summary

Information

Name: MDVSA-2010:153
Vendor: Mandriva
Severity (Vendor): N/A
First vendor publication: 2010-08-16
Last vendor modification: 2010-08-16
Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: N/A
Base Score: N/A
Environmental Score: N/A
Impact Sub Score: N/A
Temporal Score: N/A
Exploitability Sub Score: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Base Score: 5
CVSS Impact Score: 2.9
CVSS Exploit Score: 10
Attack Range: Network
Attack Complexity: Low
Authentication: None Required

Detail

Multiple vulnerabilities have been found and corrected in apache:

The mod_cache and mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path (CVE-2010-1452).

mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. NOTE: this is the same issue as CVE-2010-2068, but for a different OS and set of affected versions (CVE-2010-2791).

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2010:153

CWE : Common Weakness Enumeration

%      Id       Name
100 %  CWE-200  Information Exposure

OVAL Definitions

Oval ID: oval:org.mitre.oval:def:11491
Title: DEPRECATED: Apache 'mod_proxy_http' Timeout Handling Information Disclosure Vulnerability
Description: mod_proxy_http.c in mod_proxy_http in the Apache HTTP Server 2.2.9 through 2.2.15, 2.3.4-alpha, and 2.3.5-alpha on Windows, NetWare, and OS/2, in certain configurations involving proxy worker pools, does not properly detect timeouts, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request.
Family: windows
Class: vulnerability
Reference(s): CVE-2010-2068
Version: 7
Platform(s): Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Vista, Microsoft Windows 7
Product(s): Apache

Oval ID: oval:org.mitre.oval:def:11683
Title: Apache 'mod_cache' and 'mod_dav' Request Handling Denial of Service Vulnerability
Description: The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path.
Family: windows
Class: vulnerability
Reference(s): CVE-2010-1452
Version: 7
Platform(s): Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Vista, Microsoft Windows 7
Product(s): Apache

Oval ID: oval:org.mitre.oval:def:12341
Title: HP-UX Apache-based Web Server, Local Information Disclosure, Increase of Privilege, Remote Denial of Service (DoS)
Description: The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path.
Family: unix
Class: vulnerability
Reference(s): CVE-2010-1452
Version: 12
Platform(s): HP-UX 11
Product(s): N/A

Oval ID: oval:org.mitre.oval:def:22131
Title: RHSA-2010:0659: httpd security and bug fix update (Moderate)
Description: mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. NOTE: this is the same issue as CVE-2010-2068, but for a different OS and set of affected versions.
Family: unix
Class: patch
Reference(s): RHSA-2010:0659-01, CESA-2010:0659, CVE-2010-1452, CVE-2010-2791
Version: 29
Platform(s): Red Hat Enterprise Linux 5, CentOS Linux 5
Product(s): httpd

Oval ID: oval:org.mitre.oval:def:22935
Title: ELSA-2010:0659: httpd security and bug fix update (Moderate)
Description: mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. NOTE: this is the same issue as CVE-2010-2068, but for a different OS and set of affected versions.
Family: unix
Class: patch
Reference(s): ELSA-2010:0659-01, CVE-2010-1452, CVE-2010-2791
Version: 13
Platform(s): Oracle Linux 5
Product(s): httpd

Oval ID: oval:org.mitre.oval:def:27980
Title: DEPRECATED: ELSA-2010-0659 -- httpd security and bug fix update (moderate)
Description (package changelog):
[2.2.3-43.0.1.el5_5.3]
- replace index.html with Oracle's index page oracle_index.html
- update vstring and distro in specfile
[2.2.3-43.3]
- mod_ssl: improved fix for SSLRequire's OID() function (#625452)
[2.2.3-43.2]
- add security fixes for CVE-2010-1452, CVE-2010-2791 (#623210)
- mod_deflate: rebase to 2.2.15 (#625435)
- stop multiple invocations of filter init functions (#625451)
Family: unix
Class: patch
Reference(s): ELSA-2010-0659, CVE-2010-1452, CVE-2010-2791
Version: 4
Platform(s): Oracle Linux 5
Product(s): httpd

Oval ID: oval:org.mitre.oval:def:6931
Title: Apache 'mod_proxy_http' Timeout Detection Vulnerability
Description: mod_proxy_http.c in mod_proxy_http in the Apache HTTP Server 2.2.9 through 2.2.15, 2.3.4-alpha, and 2.3.5-alpha on Windows, NetWare, and OS/2, in certain configurations involving proxy worker pools, does not properly detect timeouts, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request.
Family: windows
Class: vulnerability
Reference(s): CVE-2010-2068
Version: 7
Platform(s): Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Vista, Microsoft Windows 7
Product(s): Apache

CPE : Common Platform Enumeration

Type         Description  Count
Application               183

OpenVAS Exploits

Date Description
2012-08-10 Name : Gentoo Security Advisory GLSA 201206-25 (apache)
File : nvt/glsa_201206_25.nasl
2011-09-21 Name : Debian Security Advisory DSA 2298-1 (apache2)
File : nvt/deb_2298_1.nasl
2011-09-21 Name : Debian Security Advisory DSA 2298-2 (apache2)
File : nvt/deb_2298_2.nasl
2011-08-26 Name : Mac OS X v10.6.6 Multiple Vulnerabilities (2011-001)
File : nvt/secpod_macosx_su11-001.nasl
2011-01-04 Name : HP-UX Update for Apache-based Web Server HPSBUX02612
File : nvt/gb_hp_ux_HPSBUX02612.nasl
2010-12-02 Name : Ubuntu Update for apache2 vulnerabilities USN-1021-1
File : nvt/gb_ubuntu_USN_1021_1.nasl
2010-10-19 Name : Apache 'mod_proxy_http' 2.2.9 for Unix Timeout Handling Information Disclosur...
File : nvt/gb_apache_42102.nasl
2010-09-07 Name : RedHat Update for httpd RHSA-2010:0659-01
File : nvt/gb_RHSA-2010_0659-01_httpd.nasl
2010-08-21 Name : FreeBSD Ports: apache
File : nvt/freebsd_apache17.nasl
2010-08-20 Name : Mandriva Update for apache MDVSA-2010:152 (apache)
File : nvt/gb_mandriva_MDVSA_2010_152.nasl
2010-08-20 Name : Mandriva Update for apache MDVSA-2010:153 (apache)
File : nvt/gb_mandriva_MDVSA_2010_153.nasl
2010-08-16 Name : Fedora Update for httpd FEDORA-2010-12478
File : nvt/gb_fedora_2010_12478_httpd_fc13.nasl
2010-07-27 Name : Apache HTTP Server Multiple Remote Denial of Service Vulnerabilities
File : nvt/gb_apache_41963.nasl
0000-00-00 Name : Slackware Advisory SSA:2010-240-02 httpd
File : nvt/esoft_slk_ssa_2010_240_02.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
66745 Apache HTTP Server Multiple Modules Pathless Request Remote DoS

65654 Apache HTTP Server mod_proxy_http mod_proxy_http.c Timeout Detection Weakness...

Nessus® Vulnerability Scanner

Date Description
2015-12-30 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL23332326.nasl - Type : ACT_GATHER_INFO
2013-08-11 Name : The remote web server may be affected by multiple vulnerabilities.
File : oracle_http_server_cpu_jul_2013.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0659.nasl - Type : ACT_GATHER_INFO
2013-06-29 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0659.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20100830_httpd_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-06-25 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201206-25.nasl - Type : ACT_GATHER_INFO
2012-04-20 Name : The remote web server is affected by multiple vulnerabilities.
File : hpsmh_7_0_0_24.nasl - Type : ACT_GATHER_INFO
2011-12-13 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_apache2-110831.nasl - Type : ACT_GATHER_INFO
2011-08-30 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2298.nasl - Type : ACT_GATHER_INFO
2011-03-22 Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_10_6_7.nasl - Type : ACT_GATHER_INFO
2011-03-22 Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_SecUpd2011-001.nasl - Type : ACT_GATHER_INFO
2010-11-28 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1021-1.nasl - Type : ACT_GATHER_INFO
2010-10-20 Name : The remote web server is affected by multiple vulnerabilities.
File : apache_2_0_64.nasl - Type : ACT_GATHER_INFO
2010-09-17 Name : The remote web server is affected by multiple vulnerabilities.
File : hpsmh_6_2_0_12.nasl - Type : ACT_GATHER_INFO
2010-08-31 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0659.nasl - Type : ACT_GATHER_INFO
2010-08-29 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2010-240-02.nasl - Type : ACT_GATHER_INFO
2010-08-17 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2010-152.nasl - Type : ACT_GATHER_INFO
2010-08-17 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2010-153.nasl - Type : ACT_GATHER_INFO
2010-08-14 Name : The remote Fedora host is missing a security update.
File : fedora_2010-12478.nasl - Type : ACT_GATHER_INFO
2010-07-30 Name : The remote web server is affected by multiple vulnerabilities.
File : apache_2_2_16.nasl - Type : ACT_GATHER_INFO
2010-07-26 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_28a7310f985511df8d36001aa0166822.nasl - Type : ACT_GATHER_INFO

Alert History

Date                 Information
2017-08-17 09:25:22
  • Multiple Updates
2016-08-23 09:26:27
  • Multiple Updates
2016-08-20 12:08:25
  • Multiple Updates
2016-06-28 20:09:08
  • Multiple Updates
2014-02-17 11:41:38
  • Multiple Updates