
Bug 46292

Summary: apache-esc-seq-injection, Apache 1.3.27, Apache 2.0.45 and earlier, as well as possibly later versions
Product: Gentoo Security
Reporter: Tobias Weisserth <tobias>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: minor
CC: zul
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
Whiteboard:
Package list:
Runtime testing required: ---

Description Tobias Weisserth 2004-03-30 13:52:37 UTC
Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020

Reproducible: Always
Steps to Reproduce:




Only the remaining 1.3.27 ebuilds of Apache seem to be affected, but I couldn't
find any reference whether this has already been fixed in those older ebuilds
(no GLSA or bugs in Bugzilla). I filed this bug since older versions are not
masked but could be affected and there are probably a dozen reasons for some
users to use an older version for a specific reason (for example a specific
plugin, like OpenGroupware). I suggest we mask those ebuilds or remove them.

However, I couldn't verify if later versions than 2.0.45 might be affected. Anybody?

regards,
Tobias W.
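
A defensive illustration of the issue described above, added here as an example (it is not part of the bug report and not Apache's code): a filter that renders every non-printable byte of an error-log line as `\xhh` before the line reaches a terminal, and reports which lines carried such bytes. The function names and the sample log lines are constructed for this example.

```python
import re

# Anything outside printable ASCII (tab is allowed) is rendered as \xhh.
# Backslash is escaped too, so escaped output cannot be confused with raw data.
_UNSAFE = re.compile(rb'[^\x20-\x7e\t]|\\')


def sanitize_line(raw: bytes) -> str:
    """Return a display-safe form of one log line (trailing newline stripped)."""
    body = raw.rstrip(b"\r\n")
    safe = _UNSAFE.sub(lambda m: b"\\x%02x" % m.group()[0], body)
    return safe.decode("ascii")


def has_control_bytes(raw: bytes) -> bool:
    """True if the line carries C0, DEL or C1 bytes a terminal could interpret."""
    for b in raw.rstrip(b"\r\n"):
        if (b < 0x20 and b != 0x09) or b == 0x7F or 0x80 <= b <= 0x9F:
            return True
    return False


def review(lines):
    """Return (line_number, safe_text) for every line containing control bytes."""
    return [(n, sanitize_line(line))
            for n, line in enumerate(lines, 1)
            if has_control_bytes(line)]


# Constructed sample in the style of an Apache 1.3 error log. The second
# entry embeds a harmless colour sequence (ESC [ 31 m) in the requested path.
SAMPLE_LOG = [
    b"[Tue Mar 30 13:52:37 2004] [error] [client 192.0.2.10] "
    b"File does not exist: /var/www/index.htm\n",
    b"[Tue Mar 30 13:52:40 2004] [error] [client 192.0.2.10] "
    b"File does not exist: /var/www/\x1b[31mred\x1b[0m\n",
]

if __name__ == "__main__":
    for number, text in review(SAMPLE_LOG):
        print(f"line {number}: {text}")
```
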
Comment 1 Kurt Lieber (RETIRED) gentoo-dev 2004-03-30 23:31:26 UTC
Received an email from Tobias indicating this issue has been resolved.  Apparently, Tobias is having some trouble with bugzilla and was unable to post a comment to this bug.  

Closing as invalid.  Tobias -- if I misunderstood your email and this bug shouldn't be resolved, please let me know and/or post a comment here.

--kurt