Bug 46292 - apache-esc-seq-injection, Apache 1.3.27, Apache 2.0.45 and earlier, as well as possibly later versions
Summary: apache-esc-seq-injection, Apache 1.3.27, Apache 2.0.45 and earlier, as well a...
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Reported: 2004-03-30 13:52 UTC by Tobias Weisserth
Modified: 2011-10-30 22:38 UTC
Description Tobias Weisserth 2004-03-30 13:52:37 UTC
Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020

Reproducible: Always
Steps to Reproduce:




Only the remaining 1.3.27 ebuilds of Apache seem to be affected, but I couldn't
find any reference whether this has already been fixed in those older ebuilds
(no GLSA or bugs in Bugzilla). I filed this bug since older versions are not
masked but could be affected and there are probably a dozen reasons for some
users to use an older version for a specific reason (for example a specific
plugin, like OpenGroupware). I suggest we mask those ebuilds or remove them.

However, I couldn't verify if later versions than 2.0.45 might be affected. Anybody?

regards,
Tobias W.
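
An added defensive example, not part of the original report and not Apache's code: rendering every non-printable byte of an error-log line as visible `\xNN` text before the line reaches a terminal, and listing the lines that carried control bytes. The names `neutralize`, `review` and `SAMPLE_LOG` are hypothetical, and the log lines are constructed.

```python
"""View an error log without letting its bytes drive the terminal."""

# Constructed sample lines; the second carries a harmless SGR (bold) sequence.
SAMPLE_LOG = [
    b"[Tue Mar 30 13:52:37 2004] [error] [client 192.0.2.10] "
    b"File does not exist: /var/www/index.htm\n",
    b"[Tue Mar 30 13:52:40 2004] [error] [client 192.0.2.11] "
    b"File does not exist: /var/www/\x1b[1mx\x1b[0m\n",
]


def neutralize(raw: bytes) -> str:
    """Return one log line with every byte outside printable ASCII
    (tab excepted) written as \\xNN, and backslashes doubled so the
    output cannot be confused with an escape that was in the input."""
    out = []
    for b in raw.rstrip(b"\r\n"):
        if b == 0x5C:                      # literal backslash
            out.append("\\\\")
        elif 0x20 <= b <= 0x7E or b == 0x09:
            out.append(chr(b))
        else:                              # ESC, BEL, DEL, high bytes, ...
            out.append("\\x%02x" % b)
    return "".join(out)


def has_control_bytes(raw: bytes) -> bool:
    """True if the line holds a C0 control byte (other than tab) or DEL."""
    return any(b < 0x20 and b != 0x09 or b == 0x7F
               for b in raw.rstrip(b"\r\n"))


def review(lines):
    """Return (line_number, neutralized_text) for each line that carried
    control bytes, numbering lines from 1."""
    return [(n, neutralize(raw))
            for n, raw in enumerate(lines, 1)
            if has_control_bytes(raw)]


if __name__ == "__main__":
    for n, text in review(SAMPLE_LOG):
        print(f"line {n}: {text}")
```
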
Comment 1 Kurt Lieber (RETIRED) gentoo-dev 2004-03-30 23:31:26 UTC
Received an email from Tobias indicating this issue has been resolved. Apparently, Tobias is having some trouble with Bugzilla and was unable to post a comment to this bug.

Closing as invalid.  Tobias -- if I misunderstood your email and this bug shouldn't be resolved, please let me know and/or post a comment here.

--kurt