Candidate: CVE-2010-2791
PublicDate: 2010-08-05 18:17:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791
 http://httpd.apache.org/security/vulnerabilities_22.html
 http://www.openwall.com/lists/oss-security/2010/07/30/1
Description:
 mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. NOTE: this is the same issue as CVE-2010-2068, but for a different OS and set of affected versions.
Ubuntu-Description:
Notes:
 mdeslaur> only affected 2.2.9...got fixed in 2.2.10
 mdeslaur> introduced in http://svn.apache.org/viewvc?view=revision&revision=660936
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:

Patches_apache2:
 upstream: http://svn.apache.org/viewvc?view=revision&revision=699841
upstream_apache2: released (2.2.10)
dapper_apache2: not-affected (2.0.55-4ubuntu2.11)
hardy_apache2: not-affected (2.2.8-1ubuntu0.18)
jaunty_apache2: ignored (reached end-of-life)
karmic_apache2: not-affected (2.2.12-1ubuntu2.3)
lucid_apache2: not-affected (2.2.14-5ubuntu8.3)
maverick_apache2: not-affected (2.2.16-1ubuntu3)
devel_apache2: not-affected (2.2.16-3ubuntu1)