Bug 203088 - www-servers/apache Windows SMB script disclosure (CVE-2007-6514)
Summary: www-servers/apache Windows SMB script disclosure (CVE-2007-6514)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: B3 [upstream]
Reported: 2007-12-22 21:46 UTC by Robert Buchholz (RETIRED)
Modified: 2008-01-19 23:17 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 21:46:28 UTC
CVE-2007-6514 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6514):
  Apache HTTP Server, when running on Linux with a document root on a Windows
  share mounted using smbfs, allows remote attackers to obtain unprocessed
  content such as source files for .php programs via a trailing "\"
  (backslash), which is not handled by the intended AddType directive.
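
A detection sketch for the behaviour the CVE text describes, added here as an example (it is not part of the bug report or of Apache): it scans access-log lines for requests whose decoded path is a script name followed by one or more trailing backslashes and that were answered with a 2xx status. The combined log format, the extension list and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions normally mapped to a handler via AddType/AddHandler (assumed list).
SCRIPT_EXTS = (".php", ".phtml", ".pl", ".cgi", ".py")

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def trailing_backslash_script(target):
    """Return the script path if the decoded request path is <script> plus
    trailing backslashes (raw, %5C-encoded, or log-escaped as \\\\), else None."""
    path = unquote(urlsplit(target).path)
    stripped = path.rstrip("\\")
    if stripped != path and stripped.lower().endswith(SCRIPT_EXTS):
        return stripped
    return None

def scan(lines):
    """Return (host, script, status, size) for matching requests that were served."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        script = trailing_backslash_script(m.group("target"))
        # A 2xx answer means content was returned; 404s are probes that failed.
        if script and m.group("status").startswith("2"):
            findings.append((m.group("host"), script,
                             int(m.group("status")), m.group("size")))
    return findings

# Constructed sample log lines (not taken from the bug report).
SAMPLE = [
    '192.0.2.10 - - [22/Dec/2007:21:40:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.77 - - [22/Dec/2007:21:41:13 +0000] "GET /index.php\\ HTTP/1.1" 200 843',
    '192.0.2.77 - - [22/Dec/2007:21:41:20 +0000] "GET /inc/db.php%5C HTTP/1.1" 200 1290',
    '192.0.2.77 - - [22/Dec/2007:21:41:31 +0000] "GET /img/logo.png%5C HTTP/1.1" 404 209',
    '192.0.2.15 - - [22/Dec/2007:21:42:02 +0000] "GET /admin.php%5c?x=1 HTTP/1.1" 404 209',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit whose response size differs from the normal rendered page for the same script is the case worth reviewing first.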
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 21:48:27 UTC
Apache herd, please advise.
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2007-12-23 00:41:41 UTC
As far as I can see, there is no patch available yet. I'm currently on vacation till Dec 27, but will look at it ASAP.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-06 18:35:27 UTC
Any news here?
Comment 4 Benedikt Böhm (RETIRED) gentoo-dev 2008-01-07 22:08:50 UTC
There is no detailed info/patch I can find until today.
Comment 5 Benedikt Böhm (RETIRED) gentoo-dev 2008-01-19 10:09:05 UTC
According to Red Hat's Bugzilla and the NIST entry, this only happens on older 2.4 kernels, so this either needs a kernel fix, if we even have any 2.4 left, otherwise INVALID.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-01-19 23:17:48 UTC
No 2.4ers left. Closing.