enterprise-support team mailing list archive

Thread
Date

[Bug 871674] Re: Server mod_proxy_ajp Denial of Service Vulnerability

To: enterprise-support@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <871674@xxxxxxxxxxxxxxxxxx>
Date: Thu, 10 Nov 2011 22:04:50 -0000
Reply-to: Bug 871674 <871674@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package apache2 - 2.2.20-1ubuntu1.1

---------------
apache2 (2.2.20-1ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests. (patch courtesy of Michael Jeanson)
    - CVE-2011-3368
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/214_CVE-2011-3192_regression.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option, along
      with a staged fix for the 2.2.22 release.
 -- Steve Beattie <sbeattie@xxxxxxxxxx>   Mon, 07 Nov 2011 14:01:10 -0800

** Changed in: apache2 (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-3192

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-3368

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/871674

Title:
  Server mod_proxy_ajp Denial of Service Vulnerability

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/871674/+subscriptions