On Fri, 2012-03-09 at 14:14 -0600, Ryan Gumbiner wrote:
> Greetings,
>
> It seems there is a discrepancy in the Fixed Version displayed on:
>
> http://security-tracker.debian.org/tracker/CVE-2012-0053
>
> For the squeeze release (2.2.16-6+squeeze6) as it contradicts the changelog:
>
> http://release.debian.org/proposed-updates/stable_diffs/apache2_2.2.16-6+squeeze6.debdiff
>
>
> The changelog states this was fixed in squeeze - 2.2.16-6+squeeze5
>
>
> +  * Prevent unintended pattern expansion in some reverse proxy
> +    configurations by strictly validating the request-URI. Fixes
> +    CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.
> +  * CVE-2011-3607: Fix integer overflow in ap_pregsub(), which allowed local
> +    privilege escalation.
> +  * CVE-2012-0031: Fix client process being able to crash parent process
> +    during shutdown.
> +  * CVE-2012-0053: Fix an issue in code 400 error responses that could expose
> +    "httpOnly" cookies.
>
> Please advise which version of squeeze this was addressed in. I thank you kindly for your time. Have a great day and weekend!
>

The fixed version is +squeeze5 but it never reached Squeeze. So *in Squeeze* the first fixed version was +squeeze6 (you never had a chance to see +squeeze5).

Regards,
-- 
Yves-Alexis