Bug#453783: apache2: CVE-2007-4465

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#453783: apache2: CVE-2007-4465
From: Paul Szabo <psz@maths.usyd.edu.au>
Date: Sat, 01 Dec 2007 19:35:45 +1100
Message-id: <[🔎] 200712010835.lB18ZjmP021499@rome.maths.usyd.edu.au>
Reply-to: Paul Szabo <psz@maths.usyd.edu.au>, 453783@bugs.debian.org

Package: apache2
Severity: grave
Justification: user security hole

Seems to me that Debian (sarge or etch or even sid) apache packages are
not yet patched against

  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4465
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465

Seems to me that the obvious workarounds of turning Indexes off or
having an index.html everywhere, protects just fine; and wonder why
Apache does not say so.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm1.11
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Reply to:

Follow-Ups:
- Bug#453783: apache2: CVE-2007-4465
  - From: Stefan Fritsch <sf@sfritsch.de>

Next by Date: Processed: Re: Bug#453783: apache2: CVE-2007-4465
Next by thread: Bug#453783: apache2: CVE-2007-4465
Index(es):
- Date
- Thread