Summary: | <www-servers/apache-{2.2.24,2.4.4}: Multiple Cross-Site Scripting Vulnerabilities (CVE-2012-{3499,4558}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | bkohler, mail, pacho, patrick |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://secunia.com/advisories/52394/ | | |
Whiteboard: | B4 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 438680 | | |
Bug Blocks: | | | |
Description
Agostino Sarubbo
2013-02-26 09:40:43 UTC
Comment 1

+ 27 Feb 2013; Patrick Lauer <patrick@gentoo.org> +apache-2.4.4.ebuild:
+ Bump for #459264 #438758

Ebuilds are there, stabilization should be:

=app-admin/apache-tools-2.4.4
=www-servers/apache-2.4.4

Comment 2

(In reply to comment #1)
> + 27 Feb 2013; Patrick Lauer <patrick@gentoo.org> +apache-2.4.4.ebuild:
> + Bump for #459264 #438758
>
> Ebuilds are there, stabilization should be:
>
> =app-admin/apache-tools-2.4.4
> =www-servers/apache-2.4.4

Thanks, Patrick. Arches, please test them and mark stable.

Comment 3

amd64 stable

Comment 4

x86 stable

Comment 5

Stable for HPPA.

Comment 6

Previous stable www-servers/apache-2.2.24 isn't affected by these vulnerabilities; why did 2.4.4 need to be stabilized?

Comment 7

ppc done

Comment 8

CVE-2012-4558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4558):
Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via a crafted string.

CVE-2012-3499 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3499):
Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules.

Comment 9

security: please lower this stablereq to 2.2.24. 2.2.24 is NOT vulnerable per the CVEs.

https://www.apache.org/dist/httpd/CHANGES_2.2.24

2.4 is a major upgrade, suddenly going stable is not cool. Arches should drop 2.4 back to ~arch.

Comment 10

https://www.apache.org/dist/httpd/CHANGES_2.2.24

The mentioned CVEs are fixed in 2.2.24, so stabilizing this *major* release, which still has a lot of issues, was IMHO totally unnecessary.

Comment 11

QA Action: www-servers/apache and app-admin/apache-tools for 2.4 are now ~arch again.

Please do not follow instructions blindly like drones next time.

Comment 12

(In reply to comment #11)
> Please do not follow instructions blindly like drones next time.

When the advisory came out, the only fixed version was the 2.4.4.

Comment 13

(In reply to comment #11)
> QA Action: www-servers/apache and app-admin/apache-tools for 2.4 are now
> ~arch again.
>
> Please do not follow instructions blindly like drones next time.

THANK YOU!

The 2.4 upgrade should probably get a news item at the very least. I can imagine that more than a few users may have started upgrading as a result of getting this, and now they're likely to be stuck on ~arch until stable catches up.
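The CVE text quoted in comment 8 describes one defect class repeated across several modules: request-derived strings (hostnames, URIs) written into server-generated HTML without output encoding. The sketch below is an added example for this page, not code from Apache httpd or from this bug. It renders a toy status-style table from constructed sample requests both the unsafe way and with HTML escaping, and includes a crude review check that lists tag names in the output that do not belong to the fixed template. The request values, tag list and function names are all assumptions made for the illustration.

```python
import html
import re

# Constructed sample requests: the kind of client-controlled values a
# status or manager page might reflect (Host header, request URI).
SAMPLE_REQUESTS = [
    {"host": "www.example.test", "uri": "/index.html"},
    # constructed hostile value: markup smuggled into the request URI
    {"host": "www.example.test", "uri": "/search?q=<script>alert(1)</script>"},
    # constructed hostile value: markup smuggled into the Host header
    {"host": '"><img src=x onerror=alert(1)>', "uri": "/"},
]

# Tags the fixed template legitimately emits (assumption for this toy page).
TEMPLATE_TAGS = frozenset({"html", "body", "table", "tr", "td"})

# Matches the name of any opening or closing tag: "<td", "</td", "< script".
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def render_row_unescaped(req):
    """The defect class the CVEs describe: untrusted strings are concatenated
    straight into HTML, so any markup they carry becomes live markup."""
    return f"<tr><td>{req['host']}</td><td>{req['uri']}</td></tr>"


def render_row_escaped(req):
    """Hardened form: each untrusted value is HTML-escaped at the point where
    it is embedded, so it is displayed as text and cannot open a tag or
    break out of an attribute."""
    return (
        f"<tr><td>{html.escape(req['host'], quote=True)}</td>"
        f"<td>{html.escape(req['uri'], quote=True)}</td></tr>"
    )


def render_status_page(requests, row_renderer):
    """Wrap the rows in a fixed template, using the supplied row renderer."""
    rows = "\n".join(row_renderer(r) for r in requests)
    return f"<html><body><table>\n{rows}\n</table></body></html>"


def unexpected_tags(page):
    """Review check: return the names of all tags in the rendered page that
    the fixed template never emits. An empty list means no request-derived
    value managed to introduce markup of its own."""
    return [
        m.group(1).lower()
        for m in TAG_RE.finditer(page)
        if m.group(1).lower() not in TEMPLATE_TAGS
    ]


if __name__ == "__main__":
    unsafe = render_status_page(SAMPLE_REQUESTS, render_row_unescaped)
    safe = render_status_page(SAMPLE_REQUESTS, render_row_escaped)
    print("unescaped page introduces tags:", unexpected_tags(unsafe))
    print("escaped page introduces tags:  ", unexpected_tags(safe))
```

The check is deliberately crude (it reads tag names, not attributes), but it captures the property the fix in 2.2.24 / 2.4.4 restores: nothing a client sends may change the structure of the page that reports on it. For a real handler the same discipline applies to attribute values and URLs, each with the encoding appropriate to its context.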