A security issue and some vulnerabilities have been reported in Apache httpd, which can be exploited by malicious people to disclose potentially sensitive information and by malicious users and malicious people to cause a DoS (Denial of Service).
1) The security issue is caused due to mod_proxy_http not properly handling certain timeout conditions, which can lead to responses being returned to the wrong users.
Note: This only affects configurations using proxy worker pools on Windows, NetWare, and OS/2 systems.
2) A vulnerability is caused due to an error within mod_cache when handling requests without a path segment, which can be exploited to cause a crash by sending specially crafted requests.
Note: Successful exploitation requires that the "CacheIgnoreURLSessionIdentifiers" configuration directive and the worker MPM are used.
3) A vulnerability is caused due to an error within mod_dav when handling requests without a path segment, which can be exploited to cause a crash by sending specially crafted requests.
Note: Successful exploitation requires that the worker MPM is used.
Solution: Update to version 2.2.16.
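To turn the three conditions above into a quick exposure check, here is an added example script (not part of this advisory, and not Apache's own tooling) that reads the output of `httpd -V` together with an httpd.conf fragment and reports which of the three issues a host appears exposed to. The sample `httpd -V` text and configuration are constructed for illustration; the platform names used to decide issue 1 follow Python's `sys.platform` values and are an assumption of the script, as is the exact wording of the `Server version:` and `Server MPM:` lines it parses.

```python
import re
import sys

# Version that closes all three issues, per the advisory's Solution line.
FIXED_VERSION = (2, 2, 16)

# Platforms on which the mod_proxy_http worker-pool issue (1) applies. The
# values follow sys.platform naming and are an assumption of this script.
PROXY_ISSUE_PLATFORMS = {"win32", "netware", "os2"}

# Constructed sample of `httpd -V` output (not captured from a real host).
SAMPLE_HTTPD_V = """\
Server version: Apache/2.2.15 (Unix)
Server built:   Jan 01 2010 00:00:00
Server MPM:     Worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
"""

# Constructed sample httpd.conf fragment (not from a real deployment).
SAMPLE_CONF = """\
LoadModule cache_module modules/mod_cache.so
LoadModule dav_module modules/mod_dav.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# session ids stripped from cache keys
CacheIgnoreURLSessionIdentifiers jsessionid
<Location /repo>
    Dav On
</Location>
"""


def parse_version(httpd_v):
    """Return (major, minor, patch) from the 'Server version:' line, or None."""
    m = re.search(r"^Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", httpd_v, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_mpm(httpd_v):
    """Return the MPM name in lower case from the 'Server MPM:' line, or None."""
    m = re.search(r"^Server MPM:\s*(\w+)", httpd_v, re.M)
    return m.group(1).lower() if m else None


def loaded_modules(conf):
    """Set of module identifiers named on uncommented LoadModule lines."""
    return set(re.findall(r"^\s*LoadModule\s+(\w+)\s", conf, re.M))


def has_directive(conf, name):
    """True if an uncommented line sets the given directive (case-insensitive)."""
    pattern = r"^\s*" + re.escape(name) + r"\b"
    return re.search(pattern, conf, re.M | re.I) is not None


def assess(httpd_v, conf, platform=sys.platform):
    """Map each advisory issue to whether this build/config appears exposed.

    All three issues require a version below 2.2.16; issue 1 additionally
    needs mod_proxy_http on one of the listed platforms, issue 2 needs
    mod_cache plus CacheIgnoreURLSessionIdentifiers under the worker MPM,
    and issue 3 needs mod_dav under the worker MPM.
    """
    version = parse_version(httpd_v)
    mods = loaded_modules(conf)
    worker = parse_mpm(httpd_v) == "worker"
    unpatched = version is not None and version < FIXED_VERSION
    return {
        "mod_proxy_http": unpatched
        and "proxy_http_module" in mods
        and platform in PROXY_ISSUE_PLATFORMS,
        "mod_cache": unpatched
        and "cache_module" in mods
        and worker
        and has_directive(conf, "CacheIgnoreURLSessionIdentifiers"),
        "mod_dav": unpatched and "dav_module" in mods and worker,
    }


if __name__ == "__main__":
    # On a real host, replace the samples with `httpd -V` output and the
    # active configuration (including anything pulled in via Include).
    for issue, exposed in assess(SAMPLE_HTTPD_V, SAMPLE_CONF, platform="linux").items():
        print(f"{issue}: {'EXPOSED' if exposed else 'not affected'}")
```

The check is deliberately conservative in one direction only: it reports an issue as not applying when the fixed version is already installed, but it cannot see modules loaded through `Include` files it was not given, so feed it the fully resolved configuration before trusting a "not affected" verdict.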
Provided and/or discovered by: The vendor credits:
1) Loren Anderson
2, 3) Mark Drayton
Original Advisory: http://httpd.apache.org/security/vulnerabilities_22.html
Subject: Apache Information Disclosure and Denial of Service Vulnerabilities