Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 266035 (CVE-2009-0796) - <www-apache/mod_perl-2.0.4-r1: XSS in Apache2::Status (CVE-2009-0796)
Summary: <www-apache/mod_perl-2.0.4-r1: XSS in Apache2::Status (CVE-2009-0796)
Status: RESOLVED FIXED
Alias: CVE-2009-0796
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://svn.apache.org/viewvc?view=rev...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 276593
Blocks:
  Show dependency tree
 
Reported: 2009-04-13 18:10 UTC by Alex Legler (RETIRED)
Modified: 2009-08-01 12:43 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Patch from upstream SVN (CVE-2009-0796.patch,1.25 KB, patch)
2009-04-13 18:19 UTC, Alex Legler (RETIRED) 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-13 18:10:35 UTC 
CVE-2009-0796 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0796):
  Cross-site scripting (XSS) vulnerability in Status.pm in
  Apache::Status and Apache2::Status in mod_perl1 and mod_perl2 for the
  Apache HTTP Server, when /perl-status is accessible, allows remote
  attackers to inject arbitrary web script or HTML via the URI.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-13 18:19:18 UTC 
Created attachment 188257 [details, diff]
Patch from upstream SVN

Patch for Apache2::Status

(Apache::Status was only a part of mod_perl-1.x which we no longer have)
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2009-07-05 16:43:05 UTC 
fixed in 2.0.4-r1
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-05 16:48:25 UTC 
Ready to vote, I vote NO.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-05 17:13:26 UTC 
Stabling first.

Arches, please test and mark stable
=www-apache/mod_perl-2.0.4-r1
Target KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 5 Benedikt Böhm (RETIRED) gentoo-dev 2009-07-05 17:17:39 UTC 
(In reply to comment #4)
> Stabling first.
> 
> Arches, please test and mark stable
> =www-apache/mod_perl-2.0.4-r1
> Target KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"

i had to drop keywords, please see #276593
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-07 18:47:53 UTC 
mod_perl needs Apache-Reload
Apache-Reload needs mod_perl...we are badly stuck.
Comment 7 Benedikt Böhm (RETIRED) gentoo-dev 2009-07-07 20:39:14 UTC 
(In reply to comment #6)
> mod_perl needs Apache-Reload
> Apache-Reload needs mod_perl...we are badly stuck.

i have moved Apache-Reload into mod_perl's PDEPEND, so it should finally work now
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-07 21:43:46 UTC 
x86 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2009-07-07 23:02:29 UTC 
Stable for HPPA.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-07-08 14:41:05 UTC 
alpha/ia64/sparc stable
Comment 11 Markus Meier gentoo-dev 2009-07-08 20:29:57 UTC 
amd64 stable
Comment 12 Joe Jezak (RETIRED) gentoo-dev 2009-07-22 14:04:25 UTC 
Marked ppc/ppc64 stable.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2009-08-01 12:42:06 UTC 
Ready for vote, I vote NO.
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-01 12:43:12 UTC 
XSS -> No. Closing. Thanks everyone.