Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 209899 (CVE-2008-0455) - www-servers/apache mod_negotiation XSS and CRLF injection (CVE-2008-{0455,0456})
Summary: www-servers/apache mod_negotiation XSS and CRLF injection (CVE-2008-{0455,0456})
Status: RESOLVED FIXED
Alias: CVE-2008-0455
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://www.mindedsecurity.com/MSA0115...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-02-12 18:54 UTC by Robert Buchholz (RETIRED)
Modified: 2008-03-11 21:51 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-02-12 18:54:08 UTC
CVE-2008-0455 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0455):
  Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the
  Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier
  in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote
  authenticated users to inject arbitrary web script or HTML by uploading a
  file with a name containing XSS sequences and a file extension, which leads
  to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices"
  HTTP response when the extension is omitted in a request for the file.

CVE-2008-0456 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0456):
  CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP
  Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x
  series, and 1.3.39 and earlier in the 1.3.x series allows remote
  authenticated users to inject arbitrary HTTP headers and conduct HTTP
  response splitting attacks by uploading a file with a multi-line name
  containing HTTP header sequences and a file extension, which leads to
  injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices"
  HTTP response when the extension is omitted in a request for the file.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-02-12 18:58:35 UTC
Apache herd, is this already fixed in our stable 2.2.8? I could not find any info on that.
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2008-02-23 19:45:16 UTC
both CVEs affect <=2.2.6 only, only arm s390 and sh missing, but already requested in bug 205195
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-24 13:29:37 UTC
We're they stable at the time of filing this bug? If that is the case it should be closed as invalid. Otherwise I guess we should proceed to glsa? status.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-02-24 17:54:13 UTC
Our last GLSA marks 2.2.6 as secure, so we can GLSA this together with the other bugs fixed in 2.2.8. A YES for me.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-25 20:10:31 UTC
Voting YES and commented on draft.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-11 21:51:35 UTC
GLSA 200803-19