| Summary: | net-www/apache: cross-site-scripting through mod_imap (CVE-2005-3352) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thierry Carrez (RETIRED) <koon> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | apache-bugs, wolf31o2 |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://issues.apache.org/bugzilla/show_bug.cgi?id=37874 | | |
| Whiteboard: | A4 [glsa] jaervosz | | |
| Package list: | | Runtime testing required: | --- |
Description
Thierry Carrez (RETIRED)
2006-01-13 06:04:35 UTC
2.0 backported patch at: http://issues.apache.org/bugzilla/show_bug.cgi?id=37874#c2

This should be grouped with bug 115324 for a common GLSA.

Revision bumps to fix this and bug 115324 are now in CVS. Upgrade instructions in the GLSA will need to make clear the following:

--

If you are running new-style apache (apache 2.0.54-r30 or above, current stable is 2.0.55 on most archs) you will need to upgrade to apache 2.0.55-r1. If you are running old-style apache (current stable is 2.0.54-r15) you will need to upgrade to apache 2.0.54-r16. It is strongly encouraged to upgrade to new-style apache configuration by following the instructions at http://www.gentoo.org/doc/en/apache-upgrading.xml as old-style configuration will be unsupported (and removed from the tree) after March 1st, 2006.

--

Both apache 2.0.54-r16 and 2.0.55-r1 need to be tested and marked stable.

Archs please test and mark both apache 2.0.54-r16 and 2.0.55-r1 stable. Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86"

ppc stable

sparc stable.

stable on ppc64

Stable on hppa

Stable on amd64.

x86 done

Stable on alpha + ia64.

Ready for glsa vote. (not sure about my vote yet, probably "yes" since my last votes about XSS were "no" - and that wasn't what the majority voted for)

Yes, a common one with bug 115324

It seems I overlooked that this also affects apache 1.3. I won't have time to patch it until Sunday - maybe someone else can step up? kloeri? Back to ebuild to get a fixed 1.3 version.

Fixes for 1.3 are now in CVS. old-style needs to update to 1.3.34-r2, new-style needs to update to 1.3.34-r11. arches please test+stable 1.3.34-r2 and 1.3.34-r11, thx

stable on ppc64

Stable on hppa

I get linking errors for both -r2 and -r1 (so it's not related to the patch), could someone else from amd64 please check this out?

forgot to mention... sparc stable! :)

ppc stable

x86 stable. <aja> blubb: http, ssl and imap support all test good.

amd64 stable

GLSA 200602-03

arm, mips, s390 don't forget to mark stable to benefit from the GLSA.
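The upgrade instructions in this bug map each Apache ebuild branch to the revision that carries the fix. The shell function below, added here as an illustration and not part of the bug, the ebuilds or GLSA 200602-03, applies that mapping to a Gentoo package version string so an administrator can check whether an installed apache is at a fixed revision. It assumes (the bug does not state this) that new-style 1.3.34 ebuilds carry revision -r10 or higher, by analogy with the 2.0.54-r30 cutoff for the 2.0 series; the installed-package loop at the end is a constructed usage of the function.

```sh
#!/bin/sh
# apache_fixed VERSION -> prints "fixed", "vulnerable" or "unknown" and
# returns 0, 1 or 2. VERSION is a Gentoo package version such as
# "2.0.54-r16" (the part after "net-www/apache-" in /var/db/pkg).
#
# Fixed revisions, as listed in the bug:
#   2.0.54 old-style (below -r30): -r16   2.0.54 new-style (-r30+): move to 2.0.55-r1
#   2.0.55: -r1                           1.3.34 old-style: -r2, new-style: -r11
# Assumption (not in the bug): new-style 1.3.34 ebuilds are -r10 or higher.
apache_fixed() {
    ver=$1
    base=${ver%%-r*}            # "2.0.54-r16" -> "2.0.54"
    case $ver in
        *-r*) rev=${ver##*-r} ;; # "2.0.54-r16" -> "16"
        *)    rev=0 ;;           # no -rN suffix means revision 0
    esac
    case $base in
        2.0.55) [ "$rev" -ge 1 ] && status=fixed || status=vulnerable ;;
        2.0.54)
            if [ "$rev" -ge 30 ]; then
                status=vulnerable   # new-style 2.0.54 has no fixed revision
            elif [ "$rev" -ge 16 ]; then
                status=fixed
            else
                status=vulnerable
            fi ;;
        1.3.34)
            if [ "$rev" -ge 10 ]; then   # assumed new-style cutoff
                [ "$rev" -ge 11 ] && status=fixed || status=vulnerable
            else
                [ "$rev" -ge 2 ] && status=fixed || status=vulnerable
            fi ;;
        *) status=unknown ;;      # version not covered by this bug
    esac
    printf '%s\n' "$status"
    case $status in fixed) return 0 ;; vulnerable) return 1 ;; *) return 2 ;; esac
}

# Constructed usage: report every installed apache found in the package
# database. On a host without /var/db/pkg the glob matches nothing.
for d in /var/db/pkg/net-www/apache-[0-9]*; do
    [ -d "$d" ] || continue
    v=${d##*/apache-}
    printf 'net-www/apache-%s: ' "$v"
    apache_fixed "$v" || :
done
```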