234088 – (CVE-2008-2939) www-servers/apache < 2.2.9-r1 xss in mod_proxy_ftp (CVE-2008-2939)

Bug 234088 (CVE-2008-2939) - www-servers/apache < 2.2.9-r1 xss in mod_proxy_ftp (CVE-2008-2939)

Summary: www-servers/apache < 2.2.9-r1 xss in mod_proxy_ftp (CVE-2008-2939)

Status:	RESOLVED FIXED

Alias:	CVE-2008-2939

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	http://svn.apache.org/viewvc?view=rev...
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2008-08-06 13:59 UTC by Hanno Böck
Modified:	2020-04-09 19:04 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hanno Böck gentoo-dev

2008-08-06 13:59:10 UTC

see subject, will probably not get a new apache release.

Patch:
http://svn.apache.org/viewvc?view=rev&revision=682870

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2008-08-15 10:46:28 UTC

CVE-2008-2939 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2939):
  Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp
  module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp
  module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to
  inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI.

Comment 2 Benedikt Böhm (RETIRED) gentoo-dev

2008-08-29 13:31:06 UTC

2.2.9-r1 in cvs

Comment 3 Robert Buchholz (RETIRED) gentoo-dev

2008-08-30 12:52:04 UTC

Arches, please test and mark stable:
=www-servers/apache-2.2.9-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Comment 4 Markus Meier gentoo-dev

2008-08-30 15:21:05 UTC

amd64/x86 stable

Comment 5 Friedrich Oslage (RETIRED) gentoo-dev

2008-08-30 15:24:58 UTC

sparc stable

Comment 6 Raúl Porcel (RETIRED) gentoo-dev

2008-08-30 16:53:03 UTC

alpha/ia64 stable

Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev

2008-08-31 15:53:09 UTC

ppc stable

Comment 8 Markus Rothe (RETIRED) gentoo-dev

2008-09-01 06:49:39 UTC

ppc64 stable

Comment 9 Jeroen Roovers (RETIRED) gentoo-dev

2008-09-03 21:33:20 UTC

Stable for HPPA.

Comment 10 Robert Buchholz (RETIRED) gentoo-dev

2008-09-14 11:31:53 UTC

it's a vote. I vote NO.

Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-09-14 17:19:38 UTC

no too, and closing.