
Bug 204408 (CVE-2007-6388)

Summary: www-servers/apache mod_status cross-site scripting (CVE-2007-6388)
Product: Gentoo Security
Reporter: Lars Hartmann <lars>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: apache-bugs
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=427228
Whiteboard: C4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 204838    
Bug Blocks:    

Description Lars Hartmann 2008-01-05 10:29:33 UTC
This issue is of moderate severity, as the status page is not enabled by default,
and the suggested configuration protects the status page by hostname (therefore
limiting the scope of the XSS to sites that have made their status page public,
or only against site administrators).

solution:
apply patches: http://marc.info/?l=apache-cvs&m=119892119829161&w=2

Reproducible: Always
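The description relies on the "suggested configuration" that restricts mod_status by hostname. The block below is an added illustration of what such a restriction looks like in Apache 2.2 httpd.conf syntax (the release line affected here); it is not taken from this bug or from the Gentoo ebuild. The `.example.com` hostname and the `127.0.0.1` address are placeholder values.

```apache
# Added example: expose mod_status only to trusted clients, so the
# status page's XSS is not reachable by arbitrary visitors.
# Apache 2.2 access-control syntax (Order/Deny/Allow).
<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        # Hostname-based restriction, as in the stock 2.2 sample config.
        # Matching requires a reverse DNS lookup of the client address,
        # and the result is only as trustworthy as that DNS answer.
        Allow from .example.com
        # Address-based restriction avoids the DNS dependency; many
        # deployments use only this form and drop the hostname rule.
        Allow from 127.0.0.1
    </Location>
</IfModule>
```

Omitting this `<Location>` block entirely leaves mod_status unused even when the module is loaded, which is the "not enabled by default" state the reporter refers to; the XSS is only reachable when the handler is mapped and the access rules admit the viewer.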
Comment 1 Lars Hartmann 2008-01-05 10:30:28 UTC
maintainers - please provide an updated ebuild
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2008-01-07 23:04:36 UTC
fixed in 2.2.6-r7, see #204838
Comment 3 Benedikt Böhm (RETIRED) gentoo-dev 2008-01-10 16:19:25 UTC
this one is ready
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-13 14:09:48 UTC
I vote NO.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-28 21:51:37 UTC
voting NO too, and closing.