Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 118875 - net-www/apache: cross-site-scripting through mod_imap (CVE-2005-3352)
Summary: net-www/apache: cross-site-scripting through mod_imap (CVE-2005-3352)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://issues.apache.org/bugzilla/sho...
Whiteboard: A4 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-01-13 06:04 UTC by Thierry Carrez (RETIRED)
Modified: 2006-11-11 19:51 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thierry Carrez (RETIRED) gentoo-dev 2006-01-13 06:04:35 UTC
The "mod_imap" module (which provides support for image maps) did not
properly escape the "referer" URL which rendered it vulnerable against
a cross-site scripting attack. A malicious web page (or HTML email)
could trick a user into visiting a site running the vulnerable mod_imap,
and employ cross-site-scripting techniques to gather sensitive user
information from that site. (CVE-2005-3352)
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-01-13 06:07:30 UTC
2.0 backported patch at :
http://issues.apache.org/bugzilla/show_bug.cgi?id=37874#c2

This should be grouped with bug 115324 for a common GLSA.
Comment 2 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2006-01-16 19:00:47 UTC
Revision bumps to fix this and bug 115324 are now in CVS.

Upgrade instructions in the GLSA will need to make clear the following:

--
If you are running new-style apache (apache 2.0.54-r30 or above, current stable is 2.0.55 on most archs) you will need to upgrade to apache 2.0.55-r1.

If you are running old-style apache (current stable is 2.0.54-r15) you will need to upgrade to apache 2.0.54-r16. It is strongly encouraged to upgrade to new-style apache configuration by following the instructions at http://www.gentoo.org/doc/en/apache-upgrading.xml as old-style configuration will be unsupported (and removed from the tree) after March 1st, 2006.
--

Both apache 2.0.54-r16 and 2.0.55-r1 need to be tested and marked stable.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2006-01-18 06:31:34 UTC
Archs please test and mark both apache 2.0.54-r16 and 2.0.55-r1 stable.
Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86"
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2006-01-18 09:52:56 UTC
ppc stable
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2006-01-18 10:12:29 UTC
sparc stable.
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2006-01-18 11:49:22 UTC
stable on ppc64
Comment 7 René Nussbaumer (RETIRED) gentoo-dev 2006-01-18 14:26:09 UTC
Stable on hppa
Comment 8 Marcus D. Hanwell (RETIRED) gentoo-dev 2006-01-18 16:07:02 UTC
Stable on amd64.
Comment 9 Mark Loeser (RETIRED) gentoo-dev 2006-01-18 17:11:28 UTC
x86 done
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2006-01-19 00:45:02 UTC
Stable on alpha + ia64.
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-22 15:41:00 UTC
Ready for glsa vote. (not sure about my vote yet, probably "yes" since my last votes about XSS were "no" - and that wasn't what the majority voted for)
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2006-01-23 00:55:22 UTC
Yes, a common one with bug 115324
Comment 13 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2006-01-27 17:41:04 UTC
It seems I overlooked that this also affects apache 1.3. I won't have time to patch it until Sunday - maybe someone else can step up? kloeri?
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2006-01-27 23:01:54 UTC
Back to ebuild to get a fixed 1.3 version.
Comment 15 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2006-01-31 17:50:34 UTC
Fixes for 1.3 are now in CVS.

old-style needs to update to 1.3.34-r2
new-style needs to update to 1.3.34-r11

Comment 16 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-31 18:30:23 UTC
arches please test+stable 1.3.34-r2 and 1.3.34-r11, thx
Comment 17 Markus Rothe (RETIRED) gentoo-dev 2006-01-31 22:22:29 UTC
stable on ppc64
Comment 18 René Nussbaumer (RETIRED) gentoo-dev 2006-02-01 01:38:14 UTC
Stable on hppa
Comment 19 Simon Stelling (RETIRED) gentoo-dev 2006-02-01 02:28:25 UTC
i get linking errors for both -r2 and -r1 (so it's not related to the patch), could someone else from amd64 please check this out?
Comment 20 Gustavo Zacarias (RETIRED) gentoo-dev 2006-02-01 05:26:59 UTC
forgot to mention... sparc stable! :)
Comment 21 Tobias Scherbaum (RETIRED) gentoo-dev 2006-02-01 08:55:59 UTC
ppc stable
Comment 22 Bryan Østergaard (RETIRED) gentoo-dev 2006-02-01 11:20:27 UTC
x86 stable.
Comment 23 Simon Stelling (RETIRED) gentoo-dev 2006-02-05 16:23:06 UTC
<aja> blubb: http, ssl and imap support all test good.

amd64 stable
Comment 24 Sune Kloppenborg Jeppesen gentoo-dev 2006-02-06 10:24:32 UTC
GLSA 200602-03

arm, mips, s390 don't forget to mark stable to benifit from the GLSA.