Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 459264 (CVE-2012-3499) - <www-servers/apache-{2.2.24,2.4.4}: Multiple Cross-Site Scripting Vulnerabilities (CVE-2012-{3499,4558})
Summary: <www-servers/apache-{2.2.24,2.4.4}: Multiple Cross-Site Scripting Vulnerabili...
Status: RESOLVED FIXED
Alias: CVE-2012-3499
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/52394/
Whiteboard: B4 [noglsa]
Keywords:
Depends on: CVE-2012-4929
Blocks:
  Show dependency tree
 
Reported: 2013-02-26 09:40 UTC by Agostino Sarubbo
Modified: 2013-03-06 02:21 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-02-26 09:40:43 UTC
From ${URL} :

Description
Multiple vulnerabilities have been reported in Apache HTTP Server, which can be exploited by malicious people to conduct cross-site scripting attacks.

1) Certain input related to hostnames and URIs in the mod_info, mod_ldap, mod_status, mod_imagemap, and mod_proxy_ftp modules is not properly sanitised before being 
returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Certain unspecified input passed to the manager interface of the mod_proxy_balancer module is not properly sanitised before being returned to the user. This can be 
exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities have been reported in versions prior to 2.4.4.


Solution
Update to version 2.4.4.

Provided and/or discovered by
The vendor credits:
1) Jim Jagielski, Stefan Fritsch, and Niels Heinen.
2) Jim Jagielski and Niels Heinen.

Original Advisory
http://www.apache.org/dist/httpd/CHANGES_2.4.4
http://www.apache.org/dist/httpd/Announcement2.4.html
Comment 1 Patrick Lauer gentoo-dev 2013-02-27 06:58:03 UTC
+  27 Feb 2013; Patrick Lauer <patrick@gentoo.org> +apache-2.4.4.ebuild:
+  Bump for #459264 #438758

Ebuilds are there, stabilization should be:

=app-admin/apache-tools-2.4.4
=www-servers/apache-2.4.4
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-04 01:32:53 UTC
(In reply to comment #1)
> +  27 Feb 2013; Patrick Lauer <patrick@gentoo.org> +apache-2.4.4.ebuild:
> +  Bump for #459264 #438758
> 
> Ebuilds are there, stabilization should be:
> 
> =app-admin/apache-tools-2.4.4
> =www-servers/apache-2.4.4

Thanks, Patrick.

Arches, please test them and mark stable.
Comment 3 Agostino Sarubbo gentoo-dev 2013-03-04 09:00:28 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-03-04 09:19:42 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2013-03-04 13:09:12 UTC
Stable for HPPA.
Comment 6 Ben Kohler gentoo-dev 2013-03-04 15:18:31 UTC
Previous stable www-servers/apache-2.2.24 isn't affected by these vulnerabilities, why did 2.4.4 need to be stabilized?
Comment 7 Brent Baude (RETIRED) gentoo-dev 2013-03-04 18:22:33 UTC
ppc done
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 22:03:41 UTC
CVE-2012-4558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4558):
  Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler
  function in the manager interface in mod_proxy_balancer.c in the
  mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev
  and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script
  or HTML via a crafted string.

CVE-2012-3499 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3499):
  Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP
  Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers
  to inject arbitrary web script or HTML via vectors involving hostnames and
  URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp,
  and (5) mod_status modules.
Comment 9 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2013-03-05 09:49:23 UTC
security:
please lower this stablereq to 2.2.24.
2.2.24 is NOT vulnerable per the CVEs.
https://www.apache.org/dist/httpd/CHANGES_2.2.24
2.4 is a major upgrade, suddenly going stable is not cool.
Arches should drop 2.4 back to ~arch.
Comment 10 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2013-03-05 09:51:41 UTC
https://www.apache.org/dist/httpd/CHANGES_2.2.24

The mentioned CVE's are fixed in 2.2.24 so stabilizing this *major* release which still has a lot of issues was IMHO totally unnecessarily.
Comment 11 Diego Elio Pettenò (RETIRED) gentoo-dev 2013-03-05 09:54:00 UTC
QA Action: www-servers/apache and app-admin/apache-tools for 2.4 are now ~arch again.

Please do not follow instructions blindly like drones next time.
Comment 12 Agostino Sarubbo gentoo-dev 2013-03-05 10:28:47 UTC
(In reply to comment #11)
> Please do not follow instructions blindly like drones next time.

When the advisory came out, the only fixed version was the 2.4.4.
Comment 13 Richard Freeman gentoo-dev 2013-03-06 02:21:29 UTC
(In reply to comment #11)
> QA Action: www-servers/apache and app-admin/apache-tools for 2.4 are now
> ~arch again.
> 
> Please do not follow instructions blindly like drones next time.

THANK YOU!

The 2.4 upgrade should probably get a news item at the very least.  I can imagine that more than a few users may have started upgrading as a result of getting this, and now they're likely to be stuck on ~arch until stable catches up.