From ${URL} :

Description
Multiple vulnerabilities have been reported in Apache HTTP Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

1) Certain input related to hostnames and URIs in the mod_info, mod_ldap, mod_status, mod_imagemap, and mod_proxy_ftp modules is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Certain unspecified input passed to the manager interface of the mod_proxy_balancer module is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities have been reported in versions prior to 2.4.4.

Solution
Update to version 2.4.4.

Provided and/or discovered by
The vendor credits:
1) Jim Jagielski, Stefan Fritsch, and Niels Heinen.
2) Jim Jagielski and Niels Heinen.

Original Advisory
http://www.apache.org/dist/httpd/CHANGES_2.4.4
http://www.apache.org/dist/httpd/Announcement2.4.html
+ 27 Feb 2013; Patrick Lauer <patrick@gentoo.org> +apache-2.4.4.ebuild:
+ Bump for #459264 #438758

Ebuilds are there, stabilization should be:

=app-admin/apache-tools-2.4.4
=www-servers/apache-2.4.4
(In reply to comment #1)
> + 27 Feb 2013; Patrick Lauer <patrick@gentoo.org> +apache-2.4.4.ebuild:
> + Bump for #459264 #438758
>
> Ebuilds are there, stabilization should be:
>
> =app-admin/apache-tools-2.4.4
> =www-servers/apache-2.4.4

Thanks, Patrick. Arches, please test them and mark stable.
amd64 stable
x86 stable
Stable for HPPA.
Previous stable www-servers/apache-2.2.24 isn't affected by these vulnerabilities, why did 2.4.4 need to be stabilized?
ppc done
CVE-2012-4558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4558):
Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via a crafted string.

CVE-2012-3499 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3499):
Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules.
security: please lower this stablereq to 2.2.24. 2.2.24 is NOT vulnerable per the CVEs.
https://www.apache.org/dist/httpd/CHANGES_2.2.24

2.4 is a major upgrade, suddenly going stable is not cool. Arches should drop 2.4 back to ~arch.
https://www.apache.org/dist/httpd/CHANGES_2.2.24

The mentioned CVEs are fixed in 2.2.24, so stabilizing this *major* release, which still has a lot of issues, was IMHO totally unnecessary.
QA Action: www-servers/apache and app-admin/apache-tools for 2.4 are now ~arch again.

Please do not follow instructions blindly like drones next time.
(In reply to comment #11)
> Please do not follow instructions blindly like drones next time.

When the advisory came out, the only fixed version was the 2.4.4.
(In reply to comment #11)
> QA Action: www-servers/apache and app-admin/apache-tools for 2.4 are now
> ~arch again.
>
> Please do not follow instructions blindly like drones next time.

THANK YOU!

The 2.4 upgrade should probably get a news item at the very least. I can imagine that more than a few users may have started upgrading as a result of getting this, and now they're likely to be stuck on ~arch until stable catches up.