202327 CVE-2007-5000 2007-12-14 21:06 0000 www-servers/apache < 2.2.6-r5 mod_imagemap Cross-site scripting (XSS) vulnerability (CVE-2007-5000) 2008-03-06 09:58:47 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://httpd.apache.org/security/vulnerabilities_22.html B4 [noglsa] P2 minor --- 1 lars@chaotika.org security@gentoo.org apache-bugs@gentoo.org mips@gentoo.org lars@chaotika.org 2007-12-14 21:06:32 0000 CVE-2007-5000 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5000): Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. lars@chaotika.org 2007-12-14 21:28:28 0000 maintainers - please advice jakub@gentoo.org 2007-12-14 21:49:21 0000 *** Bug 202326 has been marked as a duplicate of this bug. *** hollow@gentoo.org 2007-12-14 22:01:03 0000 mod_imap/mod_imagemap is not installed by default, but can be enabled via /etc/apache2/apache2-builtin-mods (<2.2.6-r4) or APACHE2_MODULES (>=2.2.6-r4) i'm not sure what the security policy is here, but i assume very little usage of mod_imap/mod_imagemap nevertheless, i will provide a fix for 2.2 asap rbu@gentoo.org 2007-12-14 22:06:33 0000 It is installed, but not enabled by default, you mean? Policy is to treat common packages (which Apache is) as "A" in default configurations, "B" otherwise. That means, we still need to fix this, it only decreases priority (target delay is 20 days) and chances of getting a GLSA. hollow@gentoo.org 2007-12-14 22:09:26 0000 yes, that's what i meant ... hollow@gentoo.org 2007-12-14 22:37:36 0000 apache-2.2.6-r5 in cvs, ready for stabilization, 2.0 support ends before the target delay, no fixes. rbu@gentoo.org 2007-12-14 22:43:56 0000 That's your call. Arches, please test and mark stable www-servers/apache-2.2.6-r5. Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86" hollow@gentoo.org 2007-12-14 22:56:43 0000 even if it does not really belong here, i especially ask arm, mips, s390 and sh to stabilize too ASAP, 2.0 support ends on 31-12-2007 and will leave those archs with no stable apache. hollow@gentoo.org 2007-12-15 14:35:39 0000 FYI, this is also fixed in 2.2.6-r6 now (the first unmasked USE_EXPAND version, do not stabilize!) jer@gentoo.org 2007-12-15 17:57:27 0000 Stable for HPPA. dertobi123@gentoo.org 2007-12-15 20:03:16 0000 ppc stable armin76@gentoo.org 2007-12-16 12:41:04 0000 alpha/ia64/sparc/x86 stable corsair@gentoo.org 2007-12-16 17:14:05 0000 ppc64 stable welp@gentoo.org 2007-12-16 17:37:17 0000 amd64 done. lars@chaotika.org 2007-12-17 10:56:00 0000 This one here is ready for glsa decision rbu@gentoo.org 2008-01-05 03:24:13 0000 Voting NO. py@gentoo.org 2008-01-05 21:47:45 0000 no too, and closing without glsa. pva@gentoo.org 2008-03-06 09:58:47 0000 Does not affect current (2008.0) release. Removing release.