Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 204408 (CVE-2007-6388) - www-servers/apache mod_status cross-site scripting (CVE-2007-6388)
Summary: www-servers/apache mod_status cross-site scripting (CVE-2007-6388)
Status: RESOLVED FIXED
Alias: CVE-2007-6388
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: C4 [noglsa]
Keywords:
Depends on: 204838
Blocks:
  Show dependency tree
 
Reported: 2008-01-05 10:29 UTC by Lars Hartmann
Modified: 2008-01-28 21:51 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Hartmann 2008-01-05 10:29:33 UTC
This issue is moderate severity as the status page is not enabled by default,
and the suggested configuration protects the status page by hostname (therefore
limiting the scope of the XSS to sites that have made their status page public
or only against site administrators)

solution:
apply patches: http://marc.info/?l=apache-cvs&m=119892119829161&w=2

Reproducible: Always
Comment 1 Lars Hartmann 2008-01-05 10:30:28 UTC
maintainers - please provide an updated ebuild
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2008-01-07 23:04:36 UTC
fixed in 2.2.6-r7, see #204838
Comment 3 Benedikt Böhm (RETIRED) gentoo-dev 2008-01-10 16:19:25 UTC
this one is ready
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-13 14:09:48 UTC
I vote NO.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-28 21:51:37 UTC
voting NO too, and closing.