CVE-2007-5000 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5000): Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
maintainers - please advice
*** Bug 202326 has been marked as a duplicate of this bug. ***
mod_imap/mod_imagemap is not installed by default, but can be enabled via /etc/apache2/apache2-builtin-mods (<2.2.6-r4) or APACHE2_MODULES (>=2.2.6-r4) i'm not sure what the security policy is here, but i assume very little usage of mod_imap/mod_imagemap nevertheless, i will provide a fix for 2.2 asap
It is installed, but not enabled by default, you mean? Policy is to treat common packages (which Apache is) as "A" in default configurations, "B" otherwise. That means, we still need to fix this, it only decreases priority (target delay is 20 days) and chances of getting a GLSA.
yes, that's what i meant ...
apache-2.2.6-r5 in cvs, ready for stabilization, 2.0 support ends before the target delay, no fixes.
That's your call. Arches, please test and mark stable www-servers/apache-2.2.6-r5. Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"
even if it does not really belong here, i especially ask arm, mips, s390 and sh to stabilize too ASAP, 2.0 support ends on 31-12-2007 and will leave those archs with no stable apache.
FYI, this is also fixed in 2.2.6-r6 now (the first unmasked USE_EXPAND version, do not stabilize!)
Stable for HPPA.
ppc stable
alpha/ia64/sparc/x86 stable
ppc64 stable
amd64 done.
This one here is ready for glsa decision
Voting NO.
no too, and closing without glsa.
Does not affect current (2008.0) release. Removing release.