Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2011-3368

Published: 5 October 2011

The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.

Notes

AuthorNote
tyhicks
Per Novell BTS (comment #16), the proposed fix is incomplete for 0.9
http requests.

Priority

Medium

Status

Package Release Status
apache2
Launchpad, Ubuntu, Debian
upstream Needs triage

hardy
Released (2.2.8-1ubuntu0.22)
lucid
Released (2.2.14-5ubuntu8.7)
maverick
Released (2.2.16-1ubuntu3.4)
natty
Released (2.2.17-1ubuntu1.4)
oneiric
Released (2.2.20-1ubuntu1.1)
Patches:
upstream: http://svn.apache.org/viewvc?view=revision&revision=1179239
vendor: https://rhn.redhat.com/errata/RHSA-2011-1391.html