CVE-2010-2791

Publication date 5 August 2010

Last updated 4 August 2025

Description

mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. NOTE: this is the same issue as CVE-2010-2068, but for a different OS and set of affected versions.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
apache2	10.10 maverick	Not affected
	10.04 LTS lucid	Not affected
	9.10 karmic	Not affected
	9.04 jaunty	Ignored end of life
	8.04 LTS hardy	Not affected
	6.06 LTS dapper	Not affected

Notes

mdeslaur

only affected 2.2.9...got fixed in 2.2.10 introduced in http://svn.apache.org/viewvc?view=revision&revision=660936

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
apache2	Upstream: http://svn.apache.org/viewvc?view=revision&revision=699841