LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

LK2008: The values of the Linux community

LWN.net Weekly Edition for October 9, 2008

Plugging into GCC

LWN.net Weekly Edition for October 2, 2008

Ubuntu debuts its Upstream Report

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

apache: several vulnerabilities

Package(s):apache CVE #(s):CVE-2007-5000 CVE-2007-6388 CVE-2008-0005
Created:January 15, 2008 Updated:July 29, 2008
Description: A flaw was found in the mod_imap module. On sites where mod_imap was enabled and an imagemap file was publicly available, a cross-site scripting attack was possible. (CVE-2007-5000)

A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly available, a cross-site scripting attack was possible. (CVE-2007-6388)

A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was enabled and a forward proxy was configured, a cross-site scripting attack was possible against Web browsers which did not correctly derive the response character set following the rules in RFC 2616. (CVE-2008-0005)

Alerts:
Slackware SSA:2008-210-02 2008-07-29
rPath rPSA-2008-0035-1 2008-07-16
SuSE SUSE-SA:2008:021 2008-04-04
Fedora FEDORA-2008-1711 2008-02-15
Gentoo 200803-19 2008-03-11
Fedora FEDORA-2008-1695 2008-02-15
Slackware SSA:2008-045-02 2008-02-15
Slackware SSA:2008-045-01 2008-02-15
Ubuntu USN-575-1 2008-02-04
Red Hat RHSA-2008:0009-01 2008-01-21
Mandriva MDVSA-2008:016 2007-01-16
Mandriva MDVSA-2008:015 2008-01-16
Mandriva MDVSA-2008:014 2008-01-16
Red Hat RHSA-2008:0008-01 2008-01-15
Red Hat RHSA-2008:0007-01 2008-01-15
Red Hat RHSA-2008:0006-01 2008-01-15
Red Hat RHSA-2008:0005-01 2008-01-15
Red Hat RHSA-2008:0004-01 2008-01-15
(Log in to post comments)

apache: several vulnerabilities

Posted Feb 21, 2008 22:28 UTC (Thu) by kmccarty (subscriber, #12085) [Link]

FYI, these (except possibly for CVE 2008-0005) were fixed in the latest Debian "Etch" release, 4.0r3, in apache version 1.3.34-4.1+etch1. For some reason it was not deemed necessary to issue a Debian Security Advisory, but people with the usual lines in their sources.list should get the update automatically on their next APT update and upgrade.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds