apache: mod_proxy reverse proxy exposure

Package(s): apache
CVE #(s): CVE-2011-3368
Created: October 10, 2011
Updated: November 10, 2011
Description: From the Mandriva advisory:

The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.

Alerts:
Ubuntu USN-1259-1 2011-11-11
CentOS CESA-2011:1392 2011-11-09
openSUSE openSUSE-SU-2011:1217-1 2011-11-04
SUSE SUSE-SU-2011:1215-1 2011-11-04
SUSE SUSE-SU-2011:1229-1 2011-11-09
Scientific Linux SL-http-20111020 2011-10-20
Scientific Linux SL-http-20111020 2011-10-20
CentOS CESA-2011:1392 2011-10-20
Red Hat RHSA-2011:1391-01 2011-10-20
Red Hat RHSA-2011:1392-01 2011-10-20
Mandriva MDVSA-2011:144 2011-09-08
Debian DSA-2405-1 2012-02-06
openSUSE openSUSE-SU-2012:0248-1 2012-02-09
openSUSE openSUSE-SU-2012:0212-1 2012-02-09
Slackware SSA:2012-041-01 2012-02-10
Red Hat RHSA-2012:0128-01 2012-02-13
CentOS CESA-2012:0128 2012-02-14
Oracle ELSA-2012-0128 2012-02-14
Scientific Linux SL-http-20120214 2012-02-14
Fedora FEDORA-2012-1598 2012-02-21
Red Hat RHSA-2012:0323-01 2012-02-21
Fedora FEDORA-2012-1642 2012-03-06
Scientific Linux SL-http-20120306 2012-03-06
Oracle ELSA-2012-0323 2012-03-09
Gentoo 201206-25 2012-06-24
openSUSE openSUSE-SU-2013:0243-1 2013-02-05
openSUSE openSUSE-SU-2013:0248-1 2013-02-05

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds