Bug 355888 - VUL-0: Apache update contains several security fixes
VUL-0: Apache update contains several security fixes
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE 10.3
Classification: openSUSE
Component: Apache
Final
Other Other
: P5 - None : Normal (vote)
: ---
Assigned To: Security Team bot
E-mail List
CVE-2008-0005: CVSS v2 Base Score: 4....
:
Depends on: 346451 352235 353261 353262 353859 355540
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-24 10:43 UTC by Sonja Krause-Harder
Modified: 2019-05-01 14:47 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 2 Sonja Krause-Harder 2008-03-25 17:03:13 UTC
Submitted packages (once all mbuilds have finished):

apache / sles9:
-------------------------------------------------------------------
Tue Mar 25 15:38:36 CET 2008 - skh@suse.de

- Security fix: CVE-2006-3918: src/main/http_protocol.c: Escape
  Expect header error message correctly to fix possible
  cross-site scripting flaw [related to bnc #346451]

- Security fix: CVE-2007-5000: src/modules/standard/mod_imap.c
  (menu_header): Fix cross-site scripting issue by escaping the
  URI, and ensure that a charset parameter is sent in the
  content-type to prevent autodetection by broken browsers.
  Reported by: JPCERT[bnc #353859]

- Security fix: CVE-2007-6388: mod_status: Ensure refresh parameter
  is numeric to prevent a possible XSS attack caused by redirecting
  to other URLs. Reported by SecurityReason. [bnc #352235]

- Security fix: CVE-2008-0005: src/modules/proxy/proxy_ftp.c:
  Add explicit charset to the dirlisting output to work around
  possible cross-site scripting flaws affecting web browsers
  that do not derive the response character set as required
  by RFC2616. Reported by SecurityReason [Joe Orton] [bnc #353262]

- apache2-utils: Add Requires: ed [bnc #363611]

apache2 / sles9:
-------------------------------------------------------------------
Tue Mar 25 16:05:57 CET 2008 - skh@suse.de

- bnc #353859 / CVE-2007-5000: modules/mappers/mod_imap.c
  (menu_header): Fix cross-site-scripting issue by escaping the URI,
  and ensure that a charset parameter is sent in the content-type to
  prevent autodetection by broken browsers. Reported by: JPCERT

- bnc #346451 / CVE-2007-6203: modules/http/http_protocol.c: Escape
  request method in 413 error reporting. Determined to be not
  generally exploitable, but a flaw in any case.

- bnc #352235 / CVE-2007-6388: mod_status: Ensure refresh parameter
  is numeric to prevent a possible XSS attack caused by redirecting
  to other URLs. Reported by SecurityReason.

- bnc #353262 / CVE-2008-0005: Add explicit charset to the output
  of various modules to work around possible cross-site scripting
  flaws affecting web browsers that do not derive the response
  character set as required by RFC2616. One of these reported by
  SecurityReason.

apache2 / sles10/10.1, 10.2:
-------------------------------------------------------------------
Tue Mar 25 16:30:34 CET 2008 - skh@suse.de

- bnc #353859 / CVE-2007-5000: modules/mappers/mod_imagemap.c
  (menu_header): Fix cross-site-scripting issue by escaping the URI,
  and ensure that a charset parameter is sent in the content-type to
  prevent autodetection by broken browsers.

- bnc #346451 / CVE-2007-6203: modules/http/http_protocol.c: Escape
  request method in 413 error reporting. Determined to be not
  generally exploitable, but a flaw in any case.

- bnc #352235 / CVE-2007-6388: mod_status: Ensure refresh parameter
  is numeric to prevent a possible XSS attack caused by redirecting
  to other URLs. Reported by SecurityReason.

- bnc #353261 / CVE-2007-6421: mod_proxy_balancer: Correctly escape
  the worker route and the worker redirect string in the HTML output
  of the balancer manager.  Reported by SecurityReason.

- bnc #353261 / CVE-2007-6422: Prevent crash in balancer manager if
  invalid balancer name is passed as parameter. Reported by
  SecurityReason.

- bnc #353262 / CVE-2008-0005: Add explicit charset to the output of
  various modules to work around possible cross-site scripting flaws
  affecting web browsers that do not derive the response character
  set as required by RFC2616.  One of these reported by
  SecurityReason

- Add Requires: ed [bnc #363611]

apache2 / 10.3
-------------------------------------------------------------------
Tue Mar 25 16:45:01 CET 2008 - skh@suse.de

- bnc #353859 / CVE-2007-5000: modules/mappers/mod_imagemap.c
  (menu_header): Fix cross-site-scripting issue by escaping the URI,
  and ensure that a charset parameter is sent in the content-type to
  prevent autodetection by broken browsers.

- bnc #346451 / CVE-2007-6203: modules/http/http_protocol.c: Escape
  request method in 413 error reporting. Determined to be not
  generally exploitable, but a flaw in any case.

- bnc #352235 / CVE-2007-6388: mod_status: Ensure refresh parameter
  is numeric to prevent a possible XSS attack caused by redirecting
  to other URLs. Reported by SecurityReason.

- bnc #353261 / CVE-2007-6421: mod_proxy_balancer: Correctly escape
  the worker route and the worker redirect string in the HTML output
  of the balancer manager.  Reported by SecurityReason.

- bnc #353261 / CVE-2007-6422: Prevent crash in balancer manager if
  invalid balancer name is passed as parameter. Reported by
  SecurityReason.

- bnc #353262 / CVE-2008-0005: Add explicit charset to the output of
  various modules to work around possible cross-site scripting flaws
  affecting web browsers that do not derive the response character
  set as required by RFC2616.  One of these reported by
  SecurityReason

- apache2-utils: Add Requires: ed [bnc #363611]
Comment 3 Ludwig Nussel 2008-03-26 08:36:48 UTC
MaintenanceTracker-16882
Comment 4 Ludwig Nussel 2008-04-03 09:01:06 UTC
updates released
Comment 5 Thomas Biege 2009-10-14 01:08:51 UTC
CVE-2008-0005: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)