
Bug#453783: apache2: CVE-2007-4465



severity 453783 normal
tags 453783 security
found 453783 2.2.3-4
fixed 453783 2.2.6-1
thanks

Hi,

On Saturday 01 December 2007, Paul Szabo wrote:
> Seems to me that Debian (sarge or etch or even sid) apache packages
> are not yet patched against
>
>   http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4465
>   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
>
> Seems to me that the obvious workarounds of turning Indexes off or
> having an index.html everywhere, protects just fine; and wonder why
> Apache does not say so.

This is actually a bug in MSIE, see CVE-2006-5152. Sid and lenny have 
the workaround, but there is currently no plan to backport it to 
sarge and etch (as it is of low impact).

Besides switching directory indexes off, setting AddDefaultCharset also 
protects from the issue. AddDefaultCharset is on in the default 
configurations in sarge and etch.

Cheers,
Stefan
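
The two workarounds named in this message (directory indexes switched off, or AddDefaultCharset set) can be checked mechanically across a configuration. The Python script below is an added example, not part of the original message or of the Debian package; the sample configuration is constructed, and scope handling is simplified to the server level plus non-nested `<Directory>` blocks (no Include or .htaccess resolution).

```python
import re
# Constructed sample configuration (not taken from a Debian package).
SAMPLE_CONF = """\
AddDefaultCharset UTF-8
<Directory /var/www/>
    Options Indexes FollowSymLinks
</Directory>
<Directory /srv/files/>
    Options +Indexes
    AddDefaultCharset Off
</Directory>
<Directory /srv/private/>
    Options -Indexes
</Directory>
"""

def audit(conf_text, default_indexes=True):
    # default_indexes=True models Apache 2.2, where Options defaults to All.
    # Returns paths of <Directory> blocks that list directories with no default charset.
    server = {"path": None, "indexes": None, "charset": None}
    blocks, cur = [], server
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>', line, re.I)
        if opened:
            cur = {"path": opened.group(1), "indexes": None, "charset": None}
            blocks.append(cur)
        elif line.lower().startswith("</directory"):
            cur = server
        else:
            name, args = (line.split(None, 1) + [""])[:2]
            if name.lower() == "adddefaultcharset":
                cur["charset"] = args.strip().lower() != "off"
            elif name.lower() == "options":
                toks = args.split()
                # An Options line without +/- replaces inherited options outright.
                if toks and not any(t[0] in "+-" for t in toks):
                    cur["indexes"] = False
                for t in toks:
                    opt = t.lstrip("+-").lower()
                    if opt in ("indexes", "all"):
                        cur["indexes"] = not t.startswith("-")
                    elif opt == "none":
                        cur["indexes"] = False
    # Unset values inherit from the server level, then from the built-in default.
    pick = lambda b, k, d: next((s[k] for s in (b, server) if s[k] is not None), d)
    return [b["path"] for b in blocks
            if pick(b, "indexes", default_indexes) and not pick(b, "charset", False)]
```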



