Not sure we're affected by these ones either.
CVE-2006-5752 Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection" when the content-type is not specified.
CVE-2007-1863 Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection" when the content-type is not specified.
moderate: mod_status cross-site scripting CVE-2006-5752
Affects: 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
Fixed in Apache httpd 2.0.61-dev
patched in apache-2.2.4-r12 or earlier
moderate: mod_cache proxy DoS CVE-2007-1863
Affects: 2.2.4, 2.2.3, 2.2.2, 2.2.0
Fixed in Apache httpd 2.2.6-dev
patched in apache-2.2.4-r12 or earlier
Didn't check the 2.0.x branch.
However, apache-2.2.4-r12 needs a patch for
moderate: mod_proxy crash CVE-2007-3847
A flaw was found in the Apache HTTP Server mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module.
http://httpd.apache.org/security/vulnerabilities_22.html
There's also bug 191603, and I have to admit I'm a bit lost with all these issues and versions. Apache, please advise on what needs to be done to fix this, and maybe close the other bug if it's not necessary.
all CVEs have been backported to 2.0.59-r5/2.2.4-r12, except 2007-3847 is missing in 2.2.4-r12, but fixed with 2.2.6, which is now in cvs, see also #187258
*** Bug 191603 has been marked as a duplicate of this bug. ***
ok thanks for the info. So in the end, how do you want to proceed with stabilization? In any case seems that we'll have to call arches for 2.2.6 as a fix is missing with 2.2.4-r12, but should we call all arches for 2.0.61 or just the ones that don't have 2.0.59-r5? please advise.
2.0.59-r5 is ok, but 2.2.6 should be stabilized asap for CVE-2007-3847
ok. Arches, please test and mark stable net-www/apache-2.0.59-r5 and net-www/apache-2.2.6. Target keywords are "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
(In reply to comment #7)
> ok.
> Arches, please test and mark stable
> net-www/apache-2.0.59-r5 and net-www/apache-2.2.6.
> Target keywords are "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86
> ~x86-fbsd"
>
That's www-servers/apache-2.0.59-r5 and www-servers/apache-2.2.6
Don't forget to mark app-admin/apache-tools-2.2.6 stable as well. All stable for HPPA.
*** Bug 187258 has been marked as a duplicate of this bug. ***
x86 stable
apache-2.0.59-r5, apache-2.2.6 and apache-tools-2.2.6 all emerged fine here on my sparc64.
Got the following notice for apache-2.0.59-r5:
dodoc: etc/apache2/*-std.conf does not exist
and the following notices for apache-2.2.6:
install: cannot stat `/var/tmp/portage/www-servers/apache-2.2.6/work/gentoo-apache-2.2.6/scripts/apache2logserverstatus': No such file or directory
install: cannot stat `/var/tmp/portage/www-servers/apache-2.2.6/work/gentoo-apache-2.2.6/scripts/apache2splitlogfile': No such file or directory
Tested with:
www-servers/apache-2.0.59-r5 (apache2 mpm-prefork ssl)
www-servers/apache-2.0.59-r5 (apache2 mpm-worker ssl)
www-servers/apache-2.0.59-r5 (apache2 mpm-leader static-modules threads)
app-admin/apache-tools-2.2.6 www-servers/apache-2.2.6 (mpm-prefork ssl)
app-admin/apache-tools-2.2.6 (ssl) www-servers/apache-2.2.6 (mpm-worker ssl)
app-admin/apache-tools-2.2.6 (ssl) www-servers/apache-2.2.6 (static-modules threads)
Created attachment 130411: sparc64 emerge --info
alpha/ia64 stable
ppc64 stable
--- amd64 ---
www-servers/apache-2.2.6 - USE: -debug -doc -ldap -mpm-event -mpm-itk -mpm-peruser -mpm-prefork -mpm-worker -no-suexec -selinux ssl -static-modules threads
app-admin/apache-tools-2.2.6 - USE: ssl
1: emerges
2: passes collision-protect, (multilib-)strict, test
3: works (*) basic static web pages, php support tested
* app-admin/apache-tools-2.2.6 - log_server_status gives
Can't locate sys/socket.ph in @INC (did you run h2ph?) (@INC contains: /etc/perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux /usr/lib64/perl5/vendor_perl/5.8.8 /usr/lib64/perl5/vendor_perl /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux /usr/lib64/perl5/site_perl/5.8.8 /usr/lib64/perl5/site_perl /usr/lib64/perl5/5.8.8/x86_64-linux /usr/lib64/perl5/5.8.8 /usr/local/lib/site_perl .) at /usr/sbin/log_server_status line 28.
ppc stable
amd64 done... now to upgrade all my web servers... :P
Created attachment 130782: sparc64-emerge-info emerge --info after updating system to gcc-4.1.2
Tested apache with the above use flags again after updating to gcc-4.1.2 got the same results.
2.2.6 also fixes an XSS in mod_autoindex.c: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
sparc stable, thanks Jorge Manuel. This is ready to go
A3 => no vote here :p glsa request filed.
Correcting CVE in title.
finally closing with GLSA 200711-06, sorry for the delay :/