Flaws in Apache HTTP Server

Flaws found in Apache HTTP Server allow an attacker to cause a denial of service (DoS) and steal information. The first vulnerability is due to improper handling of "%{cookiename}C" log formats. It can be exploited to crash the server via a crafted cookie. The vulnerability was confirmed in versions 2.2.17, 2.2.18, 2.2.19, 2.2.20 and 2.2.21.
Another vulnerability is due to an error when displaying 400 error messages. It allows an attacker to steal "httpOnly" cookies. The flaw was found in versions 2.2.0, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.2.17, 2.2.18, 2.2.19, 2.2.20 and 2.2.21.
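To check whether a given server is exposed, the following added example (not from Secunia or the Apache project) scans a configuration for active `LogFormat`/`CustomLog` directives that log a cookie with a `%{name}C` item and maps the running version onto the two affected-version lists above. The function names and the sample configuration are hypothetical; the version sets are copied from this advisory.

```python
import re

# Affected releases, copied from the advisory text above.
COOKIE_LOG_DOS = {"2.2.%d" % n for n in range(17, 22)}
HTTPONLY_LEAK = {"2.2.%d" % n for n in range(0, 22) if n not in (1, 7)}

DIRECTIVE = re.compile(r"^\s*(LogFormat|CustomLog)\s+(.*)$", re.I)
COOKIE_ITEM = re.compile(r"%[!<>,\d]*\{([^}]+)\}C")  # %{name}C, %!200{name}C

def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None

def cookie_log_directives(conf_text):
    """Return [(line_no, directive, [cookie names])] for active directives."""
    found = []
    for no, line in logical_lines(conf_text):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments and unrelated directives
        # "%%" is a literal percent sign, so drop it before matching items.
        names = COOKIE_ITEM.findall(m.group(2).replace("%%", ""))
        if names:
            found.append((no, m.group(1), names))
    return found

def audit(version, conf_text):
    """Map a server version and its config to the two issues in the advisory."""
    hits = cookie_log_directives(conf_text)
    return {
        "cookie_log_dos": hits if version in COOKIE_LOG_DOS else [],
        "httponly_leak": version in HTTPONLY_LEAK,
    }

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = r'''
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %t \"%r\" %>s \
  sid=%{SESSIONID}C" withcookie
CustomLog logs/access_log "%h %{tracking}C %%{literal}C"
#LogFormat "%{old}C" disabled
'''

if __name__ == "__main__":
    print(audit("2.2.21", SAMPLE_CONF))
```

A non-empty `cookie_log_dos` list identifies the directives to review on an affected version; `httponly_leak` depends on the version alone.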


Source: Secunia
30.01.2012