Bugzilla – Bug 355888
VUL-0: Apache update contains several security fixes
Last modified: 2019-05-01 14:47:19 UTC
Another round of updates, another tracking bug.

http://www.apache.org/dist/httpd/CHANGES_2.2.8
http://www.apache.org/dist/httpd/CHANGES_2.0.63
http://www.apache.org/dist/httpd/CHANGES_1.3.41
Submitted packages (once all mbuilds have finished):

apache / sles9:
-------------------------------------------------------------------
Tue Mar 25 15:38:36 CET 2008 - skh@suse.de

- Security fix: CVE-2006-3918: src/main/http_protocol.c: Escape Expect header error message correctly to fix possible cross-site scripting flaw [related to bnc #346451]
- Security fix: CVE-2007-5000: src/modules/standard/mod_imap.c (menu_header): Fix cross-site scripting issue by escaping the URI, and ensure that a charset parameter is sent in the content-type to prevent autodetection by broken browsers. Reported by: JPCERT [bnc #353859]
- Security fix: CVE-2007-6388: mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. [bnc #352235]
- Security fix: CVE-2008-0005: src/modules/proxy/proxy_ftp.c: Add explicit charset to the dirlisting output to work around possible cross-site scripting flaws affecting web browsers that do not derive the response character set as required by RFC2616. Reported by SecurityReason [Joe Orton] [bnc #353262]
- apache2-utils: Add Requires: ed [bnc #363611]

apache2 / sles9:
-------------------------------------------------------------------
Tue Mar 25 16:05:57 CET 2008 - skh@suse.de

- bnc #353859 / CVE-2007-5000: modules/mappers/mod_imap.c (menu_header): Fix cross-site-scripting issue by escaping the URI, and ensure that a charset parameter is sent in the content-type to prevent autodetection by broken browsers. Reported by: JPCERT
- bnc #346451 / CVE-2007-6203: modules/http/http_protocol.c: Escape request method in 413 error reporting. Determined to be not generally exploitable, but a flaw in any case.
- bnc #352235 / CVE-2007-6388: mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason.
- bnc #353262 / CVE-2008-0005: Add explicit charset to the output of various modules to work around possible cross-site scripting flaws affecting web browsers that do not derive the response character set as required by RFC2616. One of these reported by SecurityReason.

apache2 / sles10/10.1, 10.2:
-------------------------------------------------------------------
Tue Mar 25 16:30:34 CET 2008 - skh@suse.de

- bnc #353859 / CVE-2007-5000: modules/mappers/mod_imagemap.c (menu_header): Fix cross-site-scripting issue by escaping the URI, and ensure that a charset parameter is sent in the content-type to prevent autodetection by broken browsers.
- bnc #346451 / CVE-2007-6203: modules/http/http_protocol.c: Escape request method in 413 error reporting. Determined to be not generally exploitable, but a flaw in any case.
- bnc #352235 / CVE-2007-6388: mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason.
- bnc #353261 / CVE-2007-6421: mod_proxy_balancer: Correctly escape the worker route and the worker redirect string in the HTML output of the balancer manager. Reported by SecurityReason.
- bnc #353261 / CVE-2007-6422: Prevent crash in balancer manager if invalid balancer name is passed as parameter. Reported by SecurityReason.
- bnc #353262 / CVE-2008-0005: Add explicit charset to the output of various modules to work around possible cross-site scripting flaws affecting web browsers that do not derive the response character set as required by RFC2616. One of these reported by SecurityReason
- Add Requires: ed [bnc #363611]

apache2 / 10.3
-------------------------------------------------------------------
Tue Mar 25 16:45:01 CET 2008 - skh@suse.de

- bnc #353859 / CVE-2007-5000: modules/mappers/mod_imagemap.c (menu_header): Fix cross-site-scripting issue by escaping the URI, and ensure that a charset parameter is sent in the content-type to prevent autodetection by broken browsers.
- bnc #346451 / CVE-2007-6203: modules/http/http_protocol.c: Escape request method in 413 error reporting. Determined to be not generally exploitable, but a flaw in any case.
- bnc #352235 / CVE-2007-6388: mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason.
- bnc #353261 / CVE-2007-6421: mod_proxy_balancer: Correctly escape the worker route and the worker redirect string in the HTML output of the balancer manager. Reported by SecurityReason.
- bnc #353261 / CVE-2007-6422: Prevent crash in balancer manager if invalid balancer name is passed as parameter. Reported by SecurityReason.
- bnc #353262 / CVE-2008-0005: Add explicit charset to the output of various modules to work around possible cross-site scripting flaws affecting web browsers that do not derive the response character set as required by RFC2616. One of these reported by SecurityReason
- apache2-utils: Add Requires: ed [bnc #363611]
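The changelog entries above describe three recurring hardening patterns: reject a client-supplied `refresh` value unless it is purely numeric (CVE-2007-6388), HTML-escape a URI or route string before echoing it into HTML (CVE-2007-5000, CVE-2007-6421), and always send an explicit charset in the content-type so browsers cannot sniff one (CVE-2008-0005). The C below is an added illustration written for this page, not Apache httpd source and not part of the submitted packages; the function names `refresh_is_numeric`, `html_escape` and `build_status_headers`, the five-digit length cap and the ISO-8859-1 charset are constructed assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Apache code): accept a refresh value only if it
 * is a non-empty run of decimal digits of bounded length. Anything else,
 * e.g. "5;url=..." which would turn the Refresh header into a redirect,
 * is rejected. Returns 1 if safe to echo into a Refresh header, else 0. */
int refresh_is_numeric(const char *value) {
    size_t n, i;
    if (value == NULL || *value == '\0') return 0;
    n = strlen(value);
    if (n > 5) return 0;            /* constructed cap: at most 99999 seconds */
    for (i = 0; i < n; i++) {
        if (!isdigit((unsigned char)value[i])) return 0;
    }
    return 1;
}

/* Hypothetical helper: escape the HTML-significant characters so a URI or
 * worker route can be embedded in HTML output. Writes at most out_len-1
 * bytes plus a NUL, stops writing at the first token that does not fit, and
 * returns the number of bytes the full escaped string needs (excluding NUL)
 * so callers can detect truncation by comparing against out_len. */
size_t html_escape(const char *in, char *out, size_t out_len) {
    size_t needed = 0, w = 0;
    int truncated = 0;
    const char *p;
    for (p = in; *p; p++) {
        const char *rep;
        size_t rl;
        switch (*p) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   rep = NULL;     break;
        }
        rl = rep ? strlen(rep) : 1;
        needed += rl;
        if (!truncated && w + rl < out_len) {
            if (rep) memcpy(out + w, rep, rl); else out[w] = *p;
            w += rl;
        } else {
            truncated = 1;
        }
    }
    if (out_len) out[w] = '\0';
    return needed;
}

/* Hypothetical helper: build response headers for a status-style page. The
 * content-type always carries an explicit charset, and a Refresh header is
 * emitted only when the client-supplied value passes refresh_is_numeric().
 * Returns 1 if Refresh was emitted, 0 if it was dropped, -1 on overflow. */
int build_status_headers(const char *refresh, char *buf, size_t len) {
    int n = snprintf(buf, len, "Content-Type: text/html; charset=ISO-8859-1\r\n");
    if (n < 0 || (size_t)n >= len) return -1;
    if (refresh_is_numeric(refresh)) {
        int m = snprintf(buf + n, len - (size_t)n, "Refresh: %s\r\n", refresh);
        if (m < 0 || (size_t)m >= len - (size_t)n) return -1;
        return 1;
    }
    return 0;
}
```

The length cap on the refresh value is a belt-and-braces choice: a digits-only check alone already removes the `;url=` redirect vector, but bounding the length also keeps an absurd value from being echoed at all. Callers of `html_escape` should treat a return value of `out_len` or more as a truncated result and not emit the partial string.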
MaintenanceTracker-16882
updates released
CVE-2008-0005: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)