First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 118875
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Thierry Carrez (RETIRED) <koon@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 118875 depends on: Show dependency tree
Bug 118875 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2006-01-13 06:04 0000 
The "mod_imap" module (which provides support for image maps) did not
properly escape the "referer" URL which rendered it vulnerable against
a cross-site scripting attack. A malicious web page (or HTML email)
could trick a user into visiting a site running the vulnerable mod_imap,
and employ cross-site-scripting techniques to gather sensitive user
information from that site. (CVE-2005-3352)

------- Comment #1 From Thierry Carrez (RETIRED) 2006-01-13 06:07:30 0000 ------- 
2.0 backported patch at :
http://issues.apache.org/bugzilla/show_bug.cgi?id=37874#c2

This should be grouped with bug 115324 for a common GLSA.

------- Comment #2 From Michael Stewart (vericgar) (RETIRED) 2006-01-16 19:00:47 0000 ------- 
Revision bumps to fix this and bug 115324 are now in CVS.

Upgrade instructions in the GLSA will need to make clear the following:

--
If you are running new-style apache (apache 2.0.54-r30 or above, current stable
is 2.0.55 on most archs) you will need to upgrade to apache 2.0.55-r1.

If you are running old-style apache (current stable is 2.0.54-r15) you will
need to upgrade to apache 2.0.54-r16. It is strongly encouraged to upgrade to
new-style apache configuration by following the instructions at
http://www.gentoo.org/doc/en/apache-upgrading.xml as old-style configuration
will be unsupported (and removed from the tree) after March 1st, 2006.
--

Both apache 2.0.54-r16 and 2.0.55-r1 need to be tested and marked stable.

------- Comment #3 From Thierry Carrez (RETIRED) 2006-01-18 06:31:34 0000 ------- 
Archs please test and mark both apache 2.0.54-r16 and 2.0.55-r1 stable.
Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86"

------- Comment #4 From Tobias Scherbaum 2006-01-18 09:52:56 0000 ------- 
ppc stable

------- Comment #5 From Gustavo Zacarias (RETIRED) 2006-01-18 10:12:29 0000 ------- 
sparc stable.

------- Comment #6 From Markus Rothe 2006-01-18 11:49:22 0000 ------- 
stable on ppc64

------- Comment #7 From René Nussbaumer 2006-01-18 14:26:09 0000 ------- 
Stable on hppa

------- Comment #8 From Marcus D. Hanwell 2006-01-18 16:07:02 0000 ------- 
Stable on amd64.

------- Comment #9 From Mark Loeser 2006-01-18 17:11:28 0000 ------- 
x86 done

------- Comment #10 From Bryan Østergaard (RETIRED) 2006-01-19 00:45:02 0000 ------- 
Stable on alpha + ia64.

------- Comment #11 From Stefan Cornelius (RETIRED) 2006-01-22 15:41:00 0000 ------- 
Ready for glsa vote. (not sure about my vote yet, probably "yes" since my last
votes about XSS were "no" - and that wasn't what the majority voted for)

------- Comment #12 From Thierry Carrez (RETIRED) 2006-01-23 00:55:22 0000 ------- 
Yes, a common one with bug 115324

------- Comment #13 From Michael Stewart (vericgar) (RETIRED) 2006-01-27 17:41:04 0000 ------- 
It seems I overlooked that this also affects apache 1.3. I won't have time to
patch it until Sunday - maybe someone else can step up? kloeri?

------- Comment #14 From Sune Kloppenborg Jeppesen 2006-01-27 23:01:54 0000 ------- 
Back to ebuild to get a fixed 1.3 version.

------- Comment #15 From Michael Stewart (vericgar) (RETIRED) 2006-01-31 17:50:34 0000 ------- 
Fixes for 1.3 are now in CVS.

old-style needs to update to 1.3.34-r2
new-style needs to update to 1.3.34-r11

------- Comment #16 From Stefan Cornelius (RETIRED) 2006-01-31 18:30:23 0000 ------- 
arches please test+stable 1.3.34-r2 and 1.3.34-r11, thx

------- Comment #17 From Markus Rothe 2006-01-31 22:22:29 0000 ------- 
stable on ppc64

------- Comment #18 From René Nussbaumer 2006-02-01 01:38:14 0000 ------- 
Stable on hppa

------- Comment #19 From Simon Stelling (RETIRED) 2006-02-01 02:28:25 0000 ------- 
i get linking errors for both -r2 and -r1 (so it's not related to the patch),
could someone else from amd64 please check this out?

------- Comment #20 From Gustavo Zacarias (RETIRED) 2006-02-01 05:26:59 0000 ------- 
forgot to mention... sparc stable! :)

------- Comment #21 From Tobias Scherbaum 2006-02-01 08:55:59 0000 ------- 
ppc stable

------- Comment #22 From Bryan Østergaard (RETIRED) 2006-02-01 11:20:27 0000 ------- 
x86 stable.

------- Comment #23 From Simon Stelling (RETIRED) 2006-02-05 16:23:06 0000 ------- 
<aja> blubb: http, ssl and imap support all test good.

amd64 stable

------- Comment #24 From Sune Kloppenborg Jeppesen 2006-02-06 10:24:32 0000 ------- 
GLSA 200602-03

arm, mips, s390 don't forget to mark stable to benifit from the GLSA.
First Last Prev Next    No search results available      Search page      Enter new bug