The "mod_imap" module (which provides support for image maps) did not
properly escape the "referer" URL, which rendered it vulnerable to
a cross-site scripting attack. A malicious web page (or HTML email)
could trick a user into visiting a site running the vulnerable mod_imap,
and employ cross-site-scripting techniques to gather sensitive user
information from that site. (CVE-2005-3352)
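To make the bug concrete, here is an added illustration of the pattern behind CVE-2005-3352: an image-map "menu" page whose default entry can be the client-supplied Referer header (the "referer" keyword in a .map file). This is not mod_imap source and not part of the bug report; the output template, the function names (html_escape, render_default_entry, entry_contains_raw_tag) and the buffer handling are simplified stand-ins, and the attacker Referer value is constructed. The vulnerable path copies the header verbatim into an href attribute; the fixed path escapes it first, which is the same characters Apache's ap_escape_html replaces.

```c
/*
 * Added illustration (not mod_imap source) of the CVE-2005-3352 pattern:
 * an image-map menu whose "(Default)" link can come from the Referer header.
 * Function names, output template and buffer handling are simplified stand-ins.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Plain copy, used for the vulnerable (unescaped) path. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s);
    char *out = malloc(n + 1);
    if (out != NULL)
        memcpy(out, s, n + 1);
    return out;
}

/* Replace the characters that can close an attribute or open a tag
 * (the same set ap_escape_html handles: & < > "). */
char *html_escape(const char *s)
{
    size_t n = strlen(s), i, j = 0;
    char *out = malloc(n * 6 + 1);      /* "&quot;" is the longest expansion */
    if (out == NULL)
        return NULL;
    for (i = 0; i < n; i++) {
        switch (s[i]) {
        case '&':  memcpy(out + j, "&amp;", 5);  j += 5; break;
        case '<':  memcpy(out + j, "&lt;", 4);   j += 4; break;
        case '>':  memcpy(out + j, "&gt;", 4);   j += 4; break;
        case '"':  memcpy(out + j, "&quot;", 6); j += 6; break;
        default:   out[j++] = s[i];
        }
    }
    out[j] = '\0';
    return out;
}

/*
 * Render the "(Default)" line of a formatted image-map menu. escape == 0
 * copies href and text verbatim (the vulnerable behaviour); escape != 0
 * passes them through html_escape first (the fixed behaviour).
 * Returns a malloc'd string the caller frees, or NULL on allocation failure.
 */
char *render_default_entry(const char *href, const char *text, int escape)
{
    static const char head[] = "<pre>(Default) <a href=\"";
    static const char mid[]  = "\">";
    static const char tail[] = "</a></pre>\n";
    char *ehref = escape ? html_escape(href) : dup_str(href);
    char *etext = escape ? html_escape(text) : dup_str(text);
    char *out = NULL;

    if (ehref != NULL && etext != NULL) {
        size_t len = sizeof head + strlen(ehref) + sizeof mid
                   + strlen(etext) + sizeof tail;
        out = malloc(len);
        if (out != NULL)
            snprintf(out, len, "%s%s%s%s%s", head, ehref, mid, etext, tail);
    }
    free(ehref);
    free(etext);
    return out;
}

/* 1 if the rendered entry still contains a raw script tag, i.e. the
 * Referer value broke out of the href attribute. */
int entry_contains_raw_tag(const char *html)
{
    return html != NULL && strstr(html, "<script") != NULL;
}

/* Constructed Referer value an attacker's page would send: it closes the
 * href attribute and opens a script element. */
const char *attack_referer =
    "http://attacker.example/\"><script>alert(document.cookie)</script>";

int main(void)
{
    char *vuln = render_default_entry(attack_referer, "Default", 0);
    char *safe = render_default_entry(attack_referer, "Default", 1);
    printf("unescaped: %s", vuln);
    printf("escaped:   %s", safe);
    printf("injected?  vulnerable=%d fixed=%d\n",
           entry_contains_raw_tag(vuln), entry_contains_raw_tag(safe));
    free(vuln);
    free(safe);
    return 0;
}
```

The point of the check is that the unescaped rendering of the constructed Referer yields a live `<script>` element in the menu page served from the victim's origin, while the escaped rendering turns the same bytes into `&quot;&gt;&lt;script&gt;...`, which the browser shows as text.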
2.0 backported patch at :
This should be grouped with bug 115324 for a common GLSA.
Revision bumps to fix this and bug 115324 are now in CVS.
Upgrade instructions in the GLSA will need to make clear the following:
If you are running new-style apache (apache 2.0.54-r30 or above, current stable is 2.0.55 on most archs) you will need to upgrade to apache 2.0.55-r1.
If you are running old-style apache (current stable is 2.0.54-r15) you will need to upgrade to apache 2.0.54-r16. Upgrading to the new-style apache configuration by following the instructions at http://www.gentoo.org/doc/en/apache-upgrading.xml is strongly encouraged, as the old-style configuration will be unsupported (and removed from the tree) after March 1st, 2006.
Both apache 2.0.54-r16 and 2.0.55-r1 need to be tested and marked stable.
Archs please test and mark both apache 2.0.54-r16 and 2.0.55-r1 stable.
Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86"
stable on ppc64
Stable on hppa
Stable on amd64.
Stable on alpha + ia64.
Ready for glsa vote. (not sure about my vote yet, probably "yes" since my last votes about XSS were "no" - and that wasn't what the majority voted for)
Yes, a common one with bug 115324
It seems I overlooked that this also affects apache 1.3. I won't have time to patch it until Sunday - maybe someone else can step up? kloeri?
Back to ebuild to get a fixed 1.3 version.
Fixes for 1.3 are now in CVS.
old-style needs to update to 1.3.34-r2
new-style needs to update to 1.3.34-r11
arches please test+stable 1.3.34-r2 and 1.3.34-r11, thx
I get linking errors for both -r2 and -r1 (so it's not related to the patch); could someone else from amd64 please check this out?
forgot to mention... sparc stable! :)
<aja> blubb: http, ssl and imap support all test good.
arm, mips, s390: don't forget to mark stable to benefit from the GLSA.