[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2009-1191: mod_proxy_ajp information disclosure vulnerability
From:       Vincent Danen <vdanen () redhat ! com>
Date:       2009-04-23 17:11:22
Message-ID: 20090423171122.GF4522 () redhat ! com
[Download RAW message or body]

This is just a heads up about an information disclosure vulnerability in
mod_proxy_ajp, similar to the issue in mod_jk (CVE-2008-5519).

This only affects mod_proxy_ajp in httpd 2.2.11; prior versions do not
have this problem.  The issue was caused by the following patch:

http://svn.apache.org/viewvc?view=rev&revision=711779

The patch that will be applied to httpd 2.2.12 is here:

http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/PR46949.diff

More information can be found in our bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1191

This would only affect earlier versions of Apache if you had backported
the problem patch to earlier versions.

-- 
Vincent Danen / Red Hat Security Response Team 
[prev in list] [next in list] [prev in thread] [next in thread]