| Summary: | www-servers/apache < 2.2.6-r5 mod_imagemap Cross-site scripting (XSS) vulnerability (CVE-2007-5000) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Lars Hartmann <lars> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | apache-bugs |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://httpd.apache.org/security/vulnerabilities_22.html | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Lars Hartmann, 2007-12-14 21:06:32 UTC

Maintainers, please advise.

*** Bug 202326 has been marked as a duplicate of this bug. ***

mod_imap/mod_imagemap is not installed by default, but can be enabled via /etc/apache2/apache2-builtin-mods (<2.2.6-r4) or APACHE2_MODULES (>=2.2.6-r4). I'm not sure what the security policy is here, but I assume very little usage of mod_imap/mod_imagemap. Nevertheless, I will provide a fix for 2.2 ASAP.

It is installed, but not enabled by default, you mean? Policy is to treat common packages (which Apache is) as "A" in default configurations, "B" otherwise. That means we still need to fix this; it only decreases priority (target delay is 20 days) and chances of getting a GLSA.

Yes, that's what I meant ... apache-2.2.6-r5 in CVS, ready for stabilization. 2.0 support ends before the target delay, no fixes.

That's your call. Arches, please test and mark stable www-servers/apache-2.2.6-r5. Target keywords: "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"

Even if it does not really belong here, I especially ask arm, mips, s390 and sh to stabilize too ASAP. 2.0 support ends on 31-12-2007 and will leave those archs with no stable apache.

FYI, this is also fixed in 2.2.6-r6 now (the first unmasked USE_EXPAND version, do not stabilize!)

Stable for HPPA.

ppc stable

alpha/ia64/sparc/x86 stable

ppc64 stable

amd64 done.

This one here is ready for GLSA decision.

Voting NO.

No too, and closing without GLSA.

Does not affect current (2008.0) release. Removing release.
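The thread's exposure condition (version below 2.2.6-r5 with mod_imap/mod_imagemap enabled) turned into a host check; this is an added example, not code from the bug or from the Gentoo ebuilds. It assumes the module list is given in the space-separated APACHE2_MODULES form; the names `parse_gentoo_version`, `enabled_modules` and `is_affected` are the example's own.

```python
# Added example (not from the bug thread): decide whether a Gentoo Apache
# install is exposed to CVE-2007-5000 as described in the thread, i.e. the
# installed version is below 2.2.6-r5 AND mod_imap / mod_imagemap is enabled.
import re

FIXED_VERSION = "2.2.6-r5"           # first fixed ebuild named in the bug
VULN_MODULES = {"imap", "imagemap"}  # module name differs between 2.0 and 2.2


def parse_gentoo_version(ver):
    """Split '2.2.6-r5' into ((2, 2, 6), 5); a missing -rN revision counts as r0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    return numbers, int(m.group(2) or 0)


def enabled_modules(apache2_modules_value):
    """Normalise a space-separated module list (APACHE2_MODULES form, assumed
    also for the older builtin-mods file) to bare names: 'mod_imap' -> 'imap'."""
    names = set()
    for tok in apache2_modules_value.split():
        names.add(tok[4:] if tok.startswith("mod_") else tok)
    return names


def is_affected(installed_version, apache2_modules_value):
    """True when the build predates the fix and the imagemap module is turned on."""
    older = parse_gentoo_version(installed_version) < parse_gentoo_version(FIXED_VERSION)
    return older and bool(VULN_MODULES & enabled_modules(apache2_modules_value))


if __name__ == "__main__":
    # Constructed inputs for illustration, not taken from a real host.
    print(is_affected("2.2.6-r4", "actions alias imagemap rewrite"))  # True
    print(is_affected("2.2.6-r5", "actions alias imagemap rewrite"))  # False
    print(is_affected("2.2.6-r4", "actions alias rewrite"))           # False
```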