266035 – (CVE-2009-0796) <www-apache/mod_perl-2.0.4-r1: XSS in Apache2::Status (CVE-2009-0796)

Bug 266035 (CVE-2009-0796) - <www-apache/mod_perl-2.0.4-r1: XSS in Apache2::Status (CVE-2009-0796)

Summary: <www-apache/mod_perl-2.0.4-r1: XSS in Apache2::Status (CVE-2009-0796)

Status:	RESOLVED FIXED

Alias:	CVE-2009-0796

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor
Assignee:	Gentoo Security

URL:	http://svn.apache.org/viewvc?view=rev...
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:	276593
Blocks:
	Show dependency tree

Reported:	2009-04-13 18:10 UTC by Alex Legler (RETIRED)
Modified:	2009-08-01 12:43 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Patch from upstream SVN (CVE-2009-0796.patch,1.25 KB, patch) 2009-04-13 18:19 UTC, Alex Legler (RETIRED)	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alex Legler (RETIRED) archtester

2009-04-13 18:10:35 UTC

CVE-2009-0796 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0796):
  Cross-site scripting (XSS) vulnerability in Status.pm in
  Apache::Status and Apache2::Status in mod_perl1 and mod_perl2 for the
  Apache HTTP Server, when /perl-status is accessible, allows remote
  attackers to inject arbitrary web script or HTML via the URI.

Comment 1 Alex Legler (RETIRED) archtester

2009-04-13 18:19:18 UTC

Created attachment 188257 [details, diff]
Patch from upstream SVN

Patch for Apache2::Status

(Apache::Status was only a part of mod_perl-1.x which we no longer have)

Comment 2 Benedikt Böhm (RETIRED) gentoo-dev

2009-07-05 16:43:05 UTC

fixed in 2.0.4-r1

Comment 3 Stefan Behte (RETIRED) gentoo-dev

2009-07-05 16:48:25 UTC

Ready to vote, I vote NO.

Comment 4 Alex Legler (RETIRED) archtester

2009-07-05 17:13:26 UTC

Stabling first.

Arches, please test and mark stable
=www-apache/mod_perl-2.0.4-r1
Target KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"

Comment 5 Benedikt Böhm (RETIRED) gentoo-dev

2009-07-05 17:17:39 UTC

(In reply to comment #4)
> Stabling first.
> 
> Arches, please test and mark stable
> =www-apache/mod_perl-2.0.4-r1
> Target KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"

i had to drop keywords, please see #276593

Comment 6 Christian Faulhammer (RETIRED) gentoo-dev

2009-07-07 18:47:53 UTC

mod_perl needs Apache-Reload
Apache-Reload needs mod_perl...we are badly stuck.

Comment 7 Benedikt Böhm (RETIRED) gentoo-dev

2009-07-07 20:39:14 UTC

(In reply to comment #6)
> mod_perl needs Apache-Reload
> Apache-Reload needs mod_perl...we are badly stuck.

i have moved Apache-Reload into mod_perl's PDEPEND, so it should finally work now

Comment 8 Christian Faulhammer (RETIRED) gentoo-dev

2009-07-07 21:43:46 UTC

x86 stable

Comment 9 Jeroen Roovers (RETIRED) gentoo-dev

2009-07-07 23:02:29 UTC

Stable for HPPA.

Comment 10 Raúl Porcel (RETIRED) gentoo-dev

2009-07-08 14:41:05 UTC

alpha/ia64/sparc stable

Comment 11 Markus Meier gentoo-dev

2009-07-08 20:29:57 UTC

amd64 stable

Comment 12 Joe Jezak (RETIRED) gentoo-dev

2009-07-22 14:04:25 UTC

Marked ppc/ppc64 stable.

Comment 13 Tobias Heinlein (RETIRED) gentoo-dev

2009-08-01 12:42:06 UTC

Ready for vote, I vote NO.

Comment 14 Alex Legler (RETIRED) archtester

2009-08-01 12:43:12 UTC

XSS -> No. Closing. Thanks everyone.