Candidate: CVE-2011-3639
PublicDate: 2011-11-30 04:05:00 UTC
References: 
 http://seclists.org/oss-sec/2011/q4/159
 http://marc.info/?l=apache-httpd-dev&m=131955975103801&w=2
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3639
 https://ubuntu.com/security/notices/USN-1259-1
Description:
 The mod_proxy module in the Apache HTTP Server 2.0.x through 2.0.64 and
 2.2.x before 2.2.18, when the Revision 1179239 patch is in place, does not
 properly interact with use of (1) RewriteRule and (2) ProxyPassMatch
 pattern matches for configuration of a reverse proxy, which allows remote
 attackers to send requests to intranet servers by using the HTTP/0.9
 protocol with a malformed URI containing an initial @ (at sign) character.
 NOTE: this vulnerability exists because of an incomplete fix for
 CVE-2011-3368.
Ubuntu-Description: 
Notes: 
Bugs: 
 https://bugzilla.novell.com/show_bug.cgi?id=722545
Priority: medium
Discovered-by: Marcus Meissner
Assigned-to: sbeattie
CVSS: 

Patches_apache2:
 upstream: http://svn.apache.org/viewvc?view=revision&revision=1100200
upstream_apache2: released (2.2.18)
hardy_apache2: released (2.2.8-1ubuntu0.22)
lucid_apache2: released (2.2.14-5ubuntu8.7)
maverick_apache2: released (2.2.16-1ubuntu3.4)
natty_apache2: released (2.2.17-1ubuntu1.4)
oneiric_apache2: not-affected (pre 2.2.18 only)
devel_apache2: not-affected (pre 2.2.18 only)