A security issue and some vulnerabilities have been reported in Apache httpd, which can be exploited by malicious people to disclose potentially sensitive information and by malicious users and malicious people to cause a DoS (Denial of Service).

1) The security issue is caused due to mod_proxy_http not properly handling certain timeout conditions, which can lead to responses being returned to the wrong users.

Note: This only affects configurations using proxy worker pools on Windows, Netware, and OS2 systems.

2) A vulnerability is caused due to an error within mod_cache when handling requests without a path segment, which can be exploited to cause a crash by sending specially crafted requests.

Note: Successful exploitation requires that the "CacheIgnoreURLSessionIdentifiers" configuration directive and the worker MPM is used.

3) A vulnerability is caused due to an error within mod_dav when handling requests without a path segment, which can be exploited to cause a crash by sending specially crafted requests.

Note: Successful exploitation requires that the worker MPM is used.

Solution
Update to version 2.2.16.

Provided and/or discovered by
The vendor credits:
1) Loren Anderson
2, 3) Mark Drayton

Changelog
Further details available to Secunia VIM customers

Original Advisory
http://httpd.apache.org/security/vulnerabilities_22.html
http://mail-archives.apache.org/mod_mbox/httpd-announce/201006.mbox/%3C4C12933D.4060400@apache.org%3E
http://www.apache.org/dist/httpd/CHANGES_2.2.16
http://mail-archives.apache.org/mod_mbox/www-announce/201007.mbox/%3CAANLkTi=io5eq0PNY+EJ5poxOCF0wBZuqvYpdX4oZGXLJ@mail.gmail.com%3E

Alternate/detailed remediation
Further details available in Customer Area

Deep Links
Links available to Secunia VIM customers