Bugzilla Bug 202327

CVE-2007-5000 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5000):
  Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the
  Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2)
  mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows
  remote attackers to inject arbitrary web script or HTML via unspecified
  vectors.

maintainers - please advice

*** Bug 202326 has been marked as a duplicate of this bug. ***

mod_imap/mod_imagemap is not installed by default, but can be enabled via
/etc/apache2/apache2-builtin-mods (<2.2.6-r4) or APACHE2_MODULES (>=2.2.6-r4)

i'm not sure what the security policy is here, but i assume very little usage
of mod_imap/mod_imagemap

nevertheless, i will provide a fix for 2.2 asap

It is installed, but not enabled by default, you mean?

Policy is to treat common packages (which Apache is) as "A" in default
configurations, "B" otherwise. That means, we still need to fix this, it only
decreases priority (target delay is 20 days) and chances of getting a GLSA.

yes, that's what i meant ...

apache-2.2.6-r5 in cvs, ready for stabilization, 2.0 support ends before the
target delay, no fixes.

That's your call.

Arches, please test and mark stable www-servers/apache-2.2.6-r5.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"

even if it does not really belong here, i especially ask arm, mips, s390 and sh
to stabilize too ASAP, 2.0 support ends on 31-12-2007 and will leave those
archs with no stable apache.

FYI, this is also fixed in 2.2.6-r6 now (the first unmasked USE_EXPAND version,
do not stabilize!)

Stable for HPPA.

ppc stable

alpha/ia64/sparc/x86 stable

ppc64 stable

amd64 done.

This one here is ready for glsa decision

Voting NO.

no too, and closing without glsa.

Does not affect current (2008.0) release. Removing release.