An exposure was found when using mod_proxy in reverse proxy
mode. In certain configurations using RewriteRule with proxy
flag or ProxyPassMatch, a remote attacker could cause the reverse
proxy to connect to an arbitrary server, possibly disclosing
sensitive information from internal web servers not directly
accessible to attacker.
Integer overflow in the ap_pregsub function in server/util.c in
the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through
2.2.21, when the mod_setenvif module is enabled, allows local
users to gain privileges via a .htaccess file with a crafted
SetEnvIf directive, in conjunction with a crafted HTTP request
header, leading to a heap-based buffer overflow.
An additional exposure was found when using mod_proxy in
reverse proxy mode. In certain configurations using RewriteRule
with proxy flag or ProxyPassMatch, a remote attacker could cause
the reverse proxy to connect to an arbitrary server, possibly
disclosing sensitive information from internal web servers
not directly accessible to attacker.
A flaw was found in mod_log_config. If the '%{cookiename}C' log
format string is in use, a remote attacker could send a specific
cookie causing a crash. This crash would only be a denial of
service if using a threaded MPM.
A flaw was found in the handling of the scoreboard. An
unprivileged child process could cause the parent process to
crash at shutdown rather than terminate cleanly.
A flaw was found in the default error response for status code
400. This flaw could be used by an attacker to expose
"httpOnly" cookies when no custom ErrorDocument is specified.