Bug 202327 - www-servers/apache < 2.2.6-r5 mod_imagemap Cross-site scripting (XSS) vulnerability (CVE-2007-5000)
Bug#: 202327 (CVE-2007-5000) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: lars@chaotika.org
Component: Vulnerabilities
URL:  http://httpd.apache.org/security/vulnerabilities_22.html
Summary: www-servers/apache < 2.2.6-r5 mod_imagemap Cross-site scripting (XSS) vulnerability (CVE-2007-5000)
Keywords:  
Status Whiteboard: B4 [noglsa]
Opened: 2007-12-14 21:06 0000
Description:   Opened: 2007-12-14 21:06 0000 
CVE-2007-5000 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5000):
  Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the
  Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2)
  mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows
  remote attackers to inject arbitrary web script or HTML via unspecified
  vectors.

------- Comment #1 From Lars Hartmann 2007-12-14 21:28:28 0000 ------- 
maintainers - please advice

------- Comment #2 From Jakub Moc (RETIRED) 2007-12-14 21:49:21 0000 ------- 
*** Bug 202326 has been marked as a duplicate of this bug. ***

------- Comment #3 From Benedikt Böhm 2007-12-14 22:01:03 0000 ------- 
mod_imap/mod_imagemap is not installed by default, but can be enabled via
/etc/apache2/apache2-builtin-mods (<2.2.6-r4) or APACHE2_MODULES (>=2.2.6-r4)

i'm not sure what the security policy is here, but i assume very little usage
of mod_imap/mod_imagemap

nevertheless, i will provide a fix for 2.2 asap

------- Comment #4 From Robert Buchholz 2007-12-14 22:06:33 0000 ------- 
It is installed, but not enabled by default, you mean?

Policy is to treat common packages (which Apache is) as "A" in default
configurations, "B" otherwise. That means, we still need to fix this, it only
decreases priority (target delay is 20 days) and chances of getting a GLSA.

------- Comment #5 From Benedikt Böhm 2007-12-14 22:09:26 0000 ------- 
yes, that's what i meant ...

------- Comment #6 From Benedikt Böhm 2007-12-14 22:37:36 0000 ------- 
apache-2.2.6-r5 in cvs, ready for stabilization, 2.0 support ends before the
target delay, no fixes.

------- Comment #7 From Robert Buchholz 2007-12-14 22:43:56 0000 ------- 
That's your call.

Arches, please test and mark stable www-servers/apache-2.2.6-r5.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"

------- Comment #8 From Benedikt Böhm 2007-12-14 22:56:43 0000 ------- 
even if it does not really belong here, i especially ask arm, mips, s390 and sh
to stabilize too ASAP, 2.0 support ends on 31-12-2007 and will leave those
archs with no stable apache.

------- Comment #9 From Benedikt Böhm 2007-12-15 14:35:39 0000 ------- 
FYI, this is also fixed in 2.2.6-r6 now (the first unmasked USE_EXPAND version,
do not stabilize!)

------- Comment #10 From Jeroen Roovers 2007-12-15 17:57:27 0000 ------- 
Stable for HPPA.

------- Comment #11 From Tobias Scherbaum 2007-12-15 20:03:16 0000 ------- 
ppc stable

------- Comment #12 From Raúl Porcel 2007-12-16 12:41:04 0000 ------- 
alpha/ia64/sparc/x86 stable

------- Comment #13 From Markus Rothe 2007-12-16 17:14:05 0000 ------- 
ppc64 stable

------- Comment #14 From Peter Weller 2007-12-16 17:37:17 0000 ------- 
amd64 done.

------- Comment #15 From Lars Hartmann 2007-12-17 10:56:00 0000 ------- 
This one here is ready for glsa decision

------- Comment #16 From Robert Buchholz 2008-01-05 03:24:13 0000 ------- 
Voting NO.

------- Comment #17 From Pierre-Yves Rofes 2008-01-05 21:47:45 0000 ------- 
no too, and closing without glsa.

------- Comment #18 From Peter Volkov 2008-03-06 09:58:47 0000 ------- 
Does not affect current (2008.0) release. Removing release.