#
# CVE-2010-2068; Timeout detection flaw causes proxied response to be sent
#                as the response to a different request, and potentially served
#                to a different client, from the HTTP proxy pool worker pipeline.
#                This may represent a confidential data revealing flaw.
#
# Only affects mod_proxy_http.c on Windows, Netware and OS2 platforms.
#
#     Note: This patch has an additional, platform-independent change to
#     mark the back-end connection for closing ("backend->close = 1;").
#     That code is not required to resolve CVE-2010-2068 on any platform.
#
# Is only triggered by proxy pools configured for timeouts shorter than the 
# backend server response delay.
#
# Only affects httpd versions 2.2.9 through 2.2.15, 2.3.4-alpha, 2.3.5-alpha.
# Note that versions prior to 2.2.9 were not affected, including 1.3 and 2.0,
# as the proxy worker pool feature was not yet introduced.
#
# No deliberate exploits are known at this time, however affected users are 
# cautioned to assume it may be maliciously exploited in the future.
#
# The straightforward workaround to disable mod_proxy_http's reuse of backend
# connection pipelines is to set the following global directive;
#
#  SetEnv proxy-nokeepalive 1
#
# This workaround bypasses all ProxyPass/ProxySet pool options which trigger
# connection pipelines, allowing them to remain in the configuration file
# until the patched module can be deployed.
#
# Binary versions of this patched module for Windows and Netware may be found 
# in the corresponding http://www.apache.org/dist/httpd/binaries/ platform
# distribution tree, until new 2.2 and 2.3-alpha releases become available.
#
# Further details organized by httpd release may be available from;
#
#   http://httpd.apache.org/security_report.html
#
#
--- ../httpd-2.2.15/modules/proxy/mod_proxy_http.c	Sat Feb 27 13:49:36 2010
+++ modules/proxy/mod_proxy_http.c	Fri Jun 11 12:54:18 2010
@@ -1401,7 +1401,7 @@
             ap_log_rerror(APLOG_MARK, APLOG_ERR, rc, r,
                           "proxy: error reading status line from remote "
                           "server %s", backend->hostname);
-            if (rc == APR_TIMEUP) {
+            if (APR_STATUS_IS_TIMEUP(rc)) {
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                               "proxy: read timeout");
             }
@@ -1417,7 +1417,7 @@
              * we normally would handle timeouts
              */
             if (r->proxyreq == PROXYREQ_REVERSE && c->keepalives &&
-                rc != APR_TIMEUP) {
+                !APR_STATUS_IS_TIMEUP(rc)) {
                 apr_bucket *eos;
 
                 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
@@ -1449,6 +1449,8 @@
                     APR_BUCKET_INSERT_BEFORE(eos, e);
                 }
                 ap_pass_brigade(r->output_filters, bb);
+                /* Mark the backend connection for closing */
+                backend->close = 1;
                 /* Need to return OK to avoid sending an error message */
                 return OK;
             }