https://bugzilla.novell.com/show_bug.cgi?id=355888
User skh@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=355888#c2
Sonja Krause-Harder changed:
What       | Removed        | Added
-----------|----------------|----------------------
AssignedTo | skh@novell.com | security-team@suse.de
Status     | ASSIGNED       | NEW
--- Comment #2 from Sonja Krause-Harder 2008-03-25 11:03:13 MST ---
Submitted packages (once all mbuilds have finished):
apache / sles9:
-------------------------------------------------------------------
Tue Mar 25 15:38:36 CET 2008 - skh@suse.de
- Security fix: CVE-2006-3918: src/main/http_protocol.c: Escape
Expect header error message correctly to fix possible
cross-site scripting flaw [related to bnc #346451]
- Security fix: CVE-2007-5000: src/modules/standard/mod_imap.c
(menu_header): Fix cross-site scripting issue by escaping the
URI, and ensure that a charset parameter is sent in the
content-type to prevent autodetection by broken browsers.
Reported by: JPCERT[bnc #353859]
- Security fix: CVE-2007-6388: mod_status: Ensure refresh parameter
is numeric to prevent a possible XSS attack caused by redirecting
to other URLs. Reported by SecurityReason. [bnc #352235]
- Security fix: CVE-2008-0005: src/modules/proxy/proxy_ftp.c:
Add explicit charset to the dirlisting output to work around
possible cross-site scripting flaws affecting web browsers
that do not derive the response character set as required
by RFC2616. Reported by SecurityReason [Joe Orton] [bnc #353262]
- apache2-utils: Add Requires: ed [bnc #363611]
apache2 / sles9:
-------------------------------------------------------------------
Tue Mar 25 16:05:57 CET 2008 - skh@suse.de
- bnc #353859 / CVE-2007-5000: modules/mappers/mod_imap.c
(menu_header): Fix cross-site-scripting issue by escaping the URI,
and ensure that a charset parameter is sent in the content-type to
prevent autodetection by broken browsers. Reported by: JPCERT
- bnc #346451 / CVE-2007-6203: modules/http/http_protocol.c: Escape
request method in 413 error reporting. Determined to be not
generally exploitable, but a flaw in any case.
- bnc #352235 / CVE-2007-6388: mod_status: Ensure refresh parameter
is numeric to prevent a possible XSS attack caused by redirecting
to other URLs. Reported by SecurityReason.
- bnc #353262 / CVE-2008-0005: Add explicit charset to the output
of various modules to work around possible cross-site scripting
flaws affecting web browsers that do not derive the response
character set as required by RFC2616. One of these reported by
SecurityReason.
apache2 / sles10/10.1, 10.2:
-------------------------------------------------------------------
Tue Mar 25 16:30:34 CET 2008 - skh@suse.de
- bnc #353859 / CVE-2007-5000: modules/mappers/mod_imagemap.c
(menu_header): Fix cross-site-scripting issue by escaping the URI,
and ensure that a charset parameter is sent in the content-type to
prevent autodetection by broken browsers.
- bnc #346451 / CVE-2007-6203: modules/http/http_protocol.c: Escape
request method in 413 error reporting. Determined to be not
generally exploitable, but a flaw in any case.
- bnc #352235 / CVE-2007-6388: mod_status: Ensure refresh parameter
is numeric to prevent a possible XSS attack caused by redirecting
to other URLs. Reported by SecurityReason.
- bnc #353261 / CVE-2007-6421: mod_proxy_balancer: Correctly escape
the worker route and the worker redirect string in the HTML output
of the balancer manager. Reported by SecurityReason.
- bnc #353261 / CVE-2007-6422: Prevent crash in balancer manager if
invalid balancer name is passed as parameter. Reported by
SecurityReason.
- bnc #353262 / CVE-2008-0005: Add explicit charset to the output of
various modules to work around possible cross-site scripting flaws
affecting web browsers that do not derive the response character
set as required by RFC2616. One of these reported by
SecurityReason
- Add Requires: ed [bnc #363611]
apache2 / 10.3:
-------------------------------------------------------------------
Tue Mar 25 16:45:01 CET 2008 - skh@suse.de
- bnc #353859 / CVE-2007-5000: modules/mappers/mod_imagemap.c
(menu_header): Fix cross-site-scripting issue by escaping the URI,
and ensure that a charset parameter is sent in the content-type to
prevent autodetection by broken browsers.
- bnc #346451 / CVE-2007-6203: modules/http/http_protocol.c: Escape
request method in 413 error reporting. Determined to be not
generally exploitable, but a flaw in any case.
- bnc #352235 / CVE-2007-6388: mod_status: Ensure refresh parameter
is numeric to prevent a possible XSS attack caused by redirecting
to other URLs. Reported by SecurityReason.
- bnc #353261 / CVE-2007-6421: mod_proxy_balancer: Correctly escape
the worker route and the worker redirect string in the HTML output
of the balancer manager. Reported by SecurityReason.
- bnc #353261 / CVE-2007-6422: Prevent crash in balancer manager if
invalid balancer name is passed as parameter. Reported by
SecurityReason.
- bnc #353262 / CVE-2008-0005: Add explicit charset to the output of
various modules to work around possible cross-site scripting flaws
affecting web browsers that do not derive the response character
set as required by RFC2616. One of these reported by
SecurityReason
- apache2-utils: Add Requires: ed [bnc #363611]
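As an added illustration (not Apache's code, and not part of the bug report above), the following C sketch shows the three kinds of fix the changelog entries describe: HTML-escaping attacker-controlled text (the request method) before embedding it in a 413 error body, as for CVE-2007-6203; accepting the mod_status refresh parameter only when it is purely numeric, as for CVE-2007-6388, so that a value such as "5;url=http://evil.example/" can no longer turn the Refresh header into a redirect; and checking whether a Content-Type header carries an explicit charset parameter, which is the CVE-2008-0005 workaround. The function names and sample inputs are constructed for this example and are not identifiers from the Apache source.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Escape the characters that matter in an HTML text context.  This is an
 * ap_escape_html-style helper written for the example.  Returns the number
 * of bytes written (excluding the NUL), or -1 if the output buffer is too
 * small; the caller must treat -1 as a hard failure, not as "use it anyway". */
static int escape_html(const char *in, char *out, size_t outlen)
{
    size_t pos = 0;
    for (; *in; in++) {
        char one[2] = { *in, 0 };
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (pos + n + 1 > outlen)
            return -1;
        memcpy(out + pos, rep, n);
        pos += n;
    }
    out[pos] = 0;
    return (int)pos;
}

/* Build the body of a 413 response.  The request method comes straight
 * from the client, so it is escaped before being placed in the HTML.
 * (Constructed message text; not the server's real error page.) */
static int build_413_body(const char *method, char *out, size_t outlen)
{
    char safe[256];
    if (escape_html(method, safe, sizeof safe) < 0)
        return -1;
    int n = snprintf(out, outlen,
        "<p>The requested resource does not allow request data with %s "
        "requests, or the amount of data provided exceeds the limit.</p>",
        safe);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* mod_status style refresh validation: accept only a non-empty string of
 * ASCII digits.  "5" is accepted; "5;url=http://evil.example/", "", and
 * "abc" are rejected.  Returns the interval in seconds, or -1 on rejection. */
static long parse_refresh(const char *value)
{
    if (value == NULL || *value == 0)
        return -1;
    long v = 0;
    for (const char *p = value; *p; p++) {
        if (!isdigit((unsigned char)*p))
            return -1;
        if (v > 1000000L)          /* keep the interval within a sane range */
            return -1;
        v = v * 10 + (*p - '0');
    }
    return v;
}

/* Report whether a Content-Type value carries a charset parameter with a
 * non-empty value, e.g. "text/html; charset=ISO-8859-1".  Responses without
 * one leave the character set to browser autodetection, which is what the
 * CVE-2008-0005 workaround removes. */
static int has_charset_param(const char *content_type)
{
    static const char key[] = "charset=";
    for (const char *p = content_type; (p = strchr(p, ';')) != NULL; p++) {
        const char *q = p + 1;
        while (*q == ' ' || *q == '\t')
            q++;
        size_t i;
        for (i = 0; key[i] && tolower((unsigned char)q[i]) == key[i]; i++)
            ;
        if (key[i] == 0 && q[i] != 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    char body[512];
    /* Constructed hostile method name, as a client could send it. */
    if (build_413_body("<script>alert(1)</script>", body, sizeof body) > 0)
        printf("413 body: %s\n", body);
    printf("refresh=5 -> %ld\n", parse_refresh("5"));
    printf("refresh=5;url=http://evil.example/ -> %ld\n",
           parse_refresh("5;url=http://evil.example/"));
    printf("charset present: %d\n",
           has_charset_param("text/html; charset=ISO-8859-1"));
    printf("charset present: %d\n", has_charset_param("text/html"));
    return 0;
}
```

The refresh check deliberately rejects anything that is not a plain integer rather than trying to strip a trailing ";url=..." part: a whitelist of digits is easier to reason about than a blacklist of header syntax, and a missing or malformed value simply means no Refresh header is emitted.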