Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 202327 (CVE-2007-5000) - www-servers/apache < 2.2.6-r5 mod_imagemap Cross-site scripting (XSS) vulnerability (CVE-2007-5000)
Summary: www-servers/apache < 2.2.6-r5 mod_imagemap Cross-site scripting (XSS) vulnera...
Alias: CVE-2007-5000
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
: 202326 (view as bug list)
Depends on:
Reported: 2007-12-14 21:06 UTC by Lars Hartmann
Modified: 2020-04-04 10:13 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Lars Hartmann 2007-12-14 21:06:32 UTC
CVE-2007-5000 (
  Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the
  Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2)
  mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows
  remote attackers to inject arbitrary web script or HTML via unspecified
Comment 1 Lars Hartmann 2007-12-14 21:28:28 UTC
maintainers - please advice
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2007-12-14 21:49:21 UTC
*** Bug 202326 has been marked as a duplicate of this bug. ***
Comment 3 Benedikt Böhm (RETIRED) gentoo-dev 2007-12-14 22:01:03 UTC
mod_imap/mod_imagemap is not installed by default, but can be enabled via
/etc/apache2/apache2-builtin-mods (<2.2.6-r4) or APACHE2_MODULES (>=2.2.6-r4)

i'm not sure what the security policy is here, but i assume very little usage
of mod_imap/mod_imagemap

nevertheless, i will provide a fix for 2.2 asap
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-12-14 22:06:33 UTC
It is installed, but not enabled by default, you mean?

Policy is to treat common packages (which Apache is) as "A" in default configurations, "B" otherwise. That means, we still need to fix this, it only decreases priority (target delay is 20 days) and chances of getting a GLSA.
Comment 5 Benedikt Böhm (RETIRED) gentoo-dev 2007-12-14 22:09:26 UTC
yes, that's what i meant ...
Comment 6 Benedikt Böhm (RETIRED) gentoo-dev 2007-12-14 22:37:36 UTC
apache-2.2.6-r5 in cvs, ready for stabilization, 2.0 support ends before the target delay, no fixes.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-12-14 22:43:56 UTC
That's your call.

Arches, please test and mark stable www-servers/apache-2.2.6-r5.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"
Comment 8 Benedikt Böhm (RETIRED) gentoo-dev 2007-12-14 22:56:43 UTC
even if it does not really belong here, i especially ask arm, mips, s390 and sh to stabilize too ASAP, 2.0 support ends on 31-12-2007 and will leave those archs with no stable apache.
Comment 9 Benedikt Böhm (RETIRED) gentoo-dev 2007-12-15 14:35:39 UTC
FYI, this is also fixed in 2.2.6-r6 now (the first unmasked USE_EXPAND version, do not stabilize!)
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2007-12-15 17:57:27 UTC
Stable for HPPA.
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2007-12-15 20:03:16 UTC
ppc stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2007-12-16 12:41:04 UTC
alpha/ia64/sparc/x86 stable
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2007-12-16 17:14:05 UTC
ppc64 stable
Comment 14 Peter Weller (RETIRED) gentoo-dev 2007-12-16 17:37:17 UTC
amd64 done.
Comment 15 Lars Hartmann 2007-12-17 10:56:00 UTC
This one here is ready for glsa decision
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-01-05 03:24:13 UTC
Voting NO.
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-05 21:47:45 UTC
no too, and closing without glsa.
Comment 18 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:58:47 UTC
Does not affect current (2008.0) release. Removing release.