Two issues have been found in the Apache HTTPD web server: mod_proxy_ajp would return the wrong status code if it encountered an error, causing a backend server to be put into an error state until the retry timeout expired. A remote attacker could send malicious requests to trigger this issue, resulting in denial of service. A flaw in the core subrequest process code was found, which could lead to a daemon crash or disclosure of sensitive information if the headers of a subrequest were modified by modules such as mod_headers.