Bug#453783: apache2: CVE-2007-4465
severity 453783 normal
tags 453783 security
found 453783 2.2.3-4
fixed 453783 2.2.6-1
thanks
Hi,
On Saturday 01 December 2007, Paul Szabo wrote:
> Seems to me that Debian (sarge or etch or even sid) apache packages
> are not yet patched against
>
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4465
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
>
> Seems to me that the obvious workarounds of turning Indexes off or
> having an index.html everywhere, protects just fine; and wonder why
> Apache does not say so.
This is actually a bug in MSIE, see CVE-2006-5152. Sid and lenny have
the workaround, but there is currently no plan to backport it to
sarge and etch (as it is of low impact).
Besides switching directory indexes off, setting AddDefaultCharset also
protects from the issue. AddDefaultCharset is on in the default
configurations in sarge and etch.
Cheers,
Stefan
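
A rough way to check a configuration for the two mitigations named in this message (directory indexes off, or AddDefaultCharset set), as an added example that is not part of the original mail or of the Debian packages. The sample configuration is constructed; the function names, the default that listings count as on, and reading only top-level `<Directory>` sections (no includes, nesting or .htaccess) are assumptions.

```python
import re
# Constructed sample configuration (not taken from any Debian package).
SAMPLE_CONF = """\
AddDefaultCharset UTF-8
<Directory /var/www/>
    Options Indexes FollowSymLinks
</Directory>
<Directory /srv/files/>
    Options +Indexes
    AddDefaultCharset Off
</Directory>
"""

def _apply(state, line):
    """Update the indexes/charset state from one directive line."""
    name, *args = line.split()
    if name.lower() == "adddefaultcharset" and args:
        state["charset"] = args[0].lower() != "off"
    elif name.lower() == "options" and args:
        if not all(a[0] in "+-" for a in args):
            state["indexes"] = False  # absolute list replaces inherited options
        for a in args:
            flag = a.lstrip("+-").lower()
            if flag in ("indexes", "all", "none"):
                state["indexes"] = flag != "none" and not a.startswith("-")

def audit(conf_text, default_indexes=True):  # assumption: listings on by default
    """Return <Directory> paths with listings on and no default charset."""
    glob, sections, current = {"indexes": default_indexes, "charset": False}, {}, None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif line.lower().startswith("</directory"):
            current = None
        elif current is not None:
            current.append(line)
        else:
            _apply(glob, line)  # server-wide directive, inherited by every section
    exposed = []
    for path, lines in sections.items():
        state = dict(glob)
        for directive in lines:
            _apply(state, directive)
        if state["indexes"] and not state["charset"]:
            exposed.append(path)
    return exposed
```

On the sample, `audit(SAMPLE_CONF)` reports only `/srv/files/`, the one section that both enables listings and switches the default charset off.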