
Bug#381381: marked as done (CVE-2006-3918: Missing Expect header sanitation may lead to XSS vulnerabilities)
Your message dated Tue, 15 Aug 2006 09:32:07 -0700
with message-id <E1GD1pn-0006wN-NV@spohr.debian.org>
and subject line Bug#381381: fixed in apache 1.3.34-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: apache
Version: 1.3.34-2
Severity: grave
Tags: security
Justification: user security hole


CVE-2006-3918 reads:
http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1
before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0
before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect
header from an HTTP request when it is reflected back in an error
message, which might allow cross-site scripting (XSS) style attacks
using web client components that can send arbitrary headers in
requests, as demonstrated using a Flash SWF file.


--- End Message ---
--- Begin Message ---
Source: apache
Source-Version: 1.3.34-3

We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:

apache-common_1.3.34-3_i386.deb
  to pool/main/a/apache/apache-common_1.3.34-3_i386.deb
apache-dbg_1.3.34-3_i386.deb
  to pool/main/a/apache/apache-dbg_1.3.34-3_i386.deb
apache-dev_1.3.34-3_all.deb
  to pool/main/a/apache/apache-dev_1.3.34-3_all.deb
apache-doc_1.3.34-3_all.deb
  to pool/main/a/apache/apache-doc_1.3.34-3_all.deb
apache-perl_1.3.34-3_i386.deb
  to pool/main/a/apache/apache-perl_1.3.34-3_i386.deb
apache-ssl_1.3.34-3_i386.deb
  to pool/main/a/apache/apache-ssl_1.3.34-3_i386.deb
apache_1.3.34-3.diff.gz
  to pool/main/a/apache/apache_1.3.34-3.diff.gz
apache_1.3.34-3.dsc
  to pool/main/a/apache/apache_1.3.34-3.dsc
apache_1.3.34-3_i386.deb
  to pool/main/a/apache/apache_1.3.34-3_i386.deb
libapache-mod-perl_1.29.0.4-3_i386.deb
  to pool/main/a/apache/libapache-mod-perl_1.29.0.4-3_i386.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 381381@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thom May <thom@debian.org> (supplier of updated apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 15 Aug 2006 15:56:24 +0200
Source: apache
Binary: apache-dev apache-common apache-doc apache apache-dbg apache-perl apache-ssl libapache-mod-perl
Architecture: source i386 all
Version: 1.3.34-3
Distribution: unstable
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Thom May <thom@debian.org>
Description: 
 apache     - versatile, high-performance HTTP server
 apache-common - support files for all Apache webservers
 apache-dbg - debug versions of the Apache webservers
 apache-dev - development kit for the Apache webserver
 apache-doc - documentation for the Apache webserver
 apache-perl - versatile, high-performance HTTP server with Perl support
 apache-ssl - versatile, high-performance HTTP server with SSL support
 libapache-mod-perl - integration of perl with the Apache web server
Closes: 292333 380231 381381
Changes: 
 apache (1.3.34-3) unstable; urgency=high
 .
   * Add 908_mod_rewrite_CVE-2006-3747 to resolve an off-by-one
     security problem in the ldap scheme handling.  For some
     RewriteRules this could lead to a pointer being written out
     of bounds. (closes: #380231)
   * Add 909_core_CVE-2006-3918 to resolve a potential cross-site
     scripting vulnerability in the core of Apache, by HTML escaping
     the contents of the Expect header. (closes: #381381)
   * Added patch from Robin Elfrink to allow Apache to build on
     Debian/kfreebsd (closes: #292333)
   * Build-depend (and make apache-dev depend on) libdb4.4 instead of 4.3
Files: 
 99b2f59d7f331f7aafc8737742f528e0 1146 web optional apache_1.3.34-3.dsc
 635e0e5a84ae82dc9ce0d3adf62dcefb 350363 web optional apache_1.3.34-3.diff.gz
 7a58d24b2dacce8cd3b4c7acf0a070a0 1195670 doc optional apache-doc_1.3.34-3_all.deb
 b89ef165ff00529a52b02c0e26e3be1c 332966 devel extra apache-dev_1.3.34-3_all.deb
 34560b71b28e0f0d84bd8b6ecde10f95 390550 web optional apache_1.3.34-3_i386.deb
 f4d8ffd2eb8e1d78d35d8755f156ec01 494694 web optional apache-ssl_1.3.34-3_i386.deb
 91f72648c3fb5f0895c71619791f6bdd 508682 web optional apache-perl_1.3.34-3_i386.deb
 3819ab4811515d9eb2ade4ec8dbac2a0 8777122 devel extra apache-dbg_1.3.34-3_i386.deb
 e07dc34d3da3424d8f9dd704de508f31 846966 web optional apache-common_1.3.34-3_i386.deb
 c8af9302f6bb46b63229446c4341e4c7 485554 perl optional libapache-mod-perl_1.29.0.4-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Signed by Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

iD8DBQFE4fVUl2uISwgTVp8RAkMdAJ0b85QdNlhNdK6mJ01hEzeQWpegYwCfYCUq
EpL91VT0ZZSIWdN5IpwetrA=
=sHzu
-----END PGP SIGNATURE-----


--- End Message ---