Return-Path: 
 <cvs-return-24741-apmail-httpd-cvs-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-cvs-archive@www.apache.org
Received: (qmail 87869 invoked from network); 7 Apr 2006 09:52:53 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 7 Apr 2006 09:52:51 -0000
Received: (qmail 2842 invoked by uid 500); 7 Apr 2006 09:52:41 -0000
Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org
Received: (qmail 2300 invoked by uid 500); 7 Apr 2006 09:52:39 -0000
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:cvs-help@httpd.apache.org>
list-unsubscribe: <mailto:cvs-unsubscribe@httpd.apache.org>
List-Post: <mailto:cvs@httpd.apache.org>
List-Id: <cvs.httpd.apache.org>
Delivered-To: mailing list cvs@httpd.apache.org
Received: (qmail 2281 invoked by uid 99); 7 Apr 2006 09:52:39 -0000
Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 07 Apr 2006 02:52:39 -0700
X-ASF-Spam-Status: No, hits=0.0 required=10.0
	tests=
X-Spam-Check-By: apache.org
Received-SPF: pass (asf.osuosl.org: local policy)
Received: from [207.155.252.18] (HELO leviathan.cnchost.com) (207.155.252.18)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 07 Apr 2006 02:52:38 -0700
Received: from [192.168.0.21] (c-24-15-193-17.hsd1.il.comcast.net
 [24.15.193.17])
	by leviathan.cnchost.com
	id FAA05399; Fri, 7 Apr 2006 05:52:17 -0400 (EDT)
	[ConcentricHost SMTP Relay 1.17]
Errors-To: <wrowe@rowe-clan.net>
Message-ID: <44363650.4090101@rowe-clan.net>
Date: Fri, 07 Apr 2006 04:52:16 -0500
From: "William A. Rowe, Jr." <wrowe@rowe-clan.net>
User-Agent: Mozilla Thunderbird 1.0.7-1.1.fc4 (X11/20050929)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: dev@httpd.apache.org
CC: cvs@httpd.apache.org
Subject: Re: svn commit: r392230 - in /httpd/site/trunk:
 docs/security/vulnerabilities_13.html
 xdocs/security/vulnerabilities-httpd.xml
References: <20060407093938.79445.qmail@minotaur.apache.org>
In-Reply-To: <20060407093938.79445.qmail@minotaur.apache.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

WHY?

1.3 was UNAFFECTED by the original report, because chunking is NOT SUPPORTED.

The only reason I insisted on fixing it is that there were other similar
issues w.r.t. other handlers.  I thought you were the one who insisted
that my patch didn't address -2088?

It'

Bill

mjc@apache.org wrote:
> Author: mjc
> Date: Fri Apr  7 02:39:36 2006
> New Revision: 392230
> 
> URL: http://svn.apache.org/viewcvs?rev=392230&view=rev
> Log:
> From: Mike O'Connor 
> Subject: Apacheweek security minor addition, I think
> 
> I think http://httpd.apache.org/security/vulnerabilities_13.html
> should probably note that CAN-2005-2088 is (at least partially and
> maybe completely) addressed in 1.3.34.
> 
> 
> Modified:
>     httpd/site/trunk/docs/security/vulnerabilities_13.html
>     httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
> 
> Modified: httpd/site/trunk/docs/security/vulnerabilities_13.html
> URL: http://svn.apache.org/viewcvs/httpd/site/trunk/docs/security/vulnerabilities_13.html?rev=392230&r1=392229&r2=392230&view=diff
> ==============================================================================
> --- httpd/site/trunk/docs/security/vulnerabilities_13.html (original)
> +++ httpd/site/trunk/docs/security/vulnerabilities_13.html Fri Apr  7 02:39:36 2006
> @@ -112,6 +112,42 @@
>             <table border="0" cellspacing="0" cellpadding="2" width="100%">
>   <tr><td bgcolor="#525D76">
>    <font color="#ffffff" face="arial,helvetica,sanserif">
> +   <a name="1.3.34"><strong>Fixed in Apache httpd 1.3.34</strong></a>
> +  </font>
> + </td></tr>
> + <tr><td>
> +  <blockquote>
> +<dl>
> +<dd>
> +<b>moderate: </b>
> +<b>
> +<name name="CVE-2005-2088">HTTP Request Spoofing</name>
> +</b>
> +<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2088">CVE-2005-2088</a>
> +<p>
> +A flaw occured when using the Apache server as a HTTP proxy. A remote
> +attacker could send a HTTP request with both a "Transfer-Encoding:
> +chunked" header and a Content-Length header, causing Apache to
> +incorrectly handle and forward the body of the request in a way that
> +causes the receiving server to process it as a separate HTTP request.
> +This could allow the bypass of web application firewall protection or
> +lead to cross-site scripting (XSS) attacks.
> +</p>
> +</dd>
> +<dd>
> +  Update Released: 18th October 2005<br />
> +</dd>
> +<dd>
> +      Affects: 
> +    1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0<p />
> +</dd>
> +</dl>
> +  </blockquote>
> + </td></tr>
> +</table>
> +           <table border="0" cellspacing="0" cellpadding="2" width="100%">
> + <tr><td bgcolor="#525D76">
> +  <font color="#ffffff" face="arial,helvetica,sanserif">
>     <a name="1.3.33"><strong>Fixed in Apache httpd 1.3.33</strong></a>
>    </font>
>   </td></tr>
> 
> Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
> URL: http://svn.apache.org/viewcvs/httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml?rev=392230&r1=392229&r2=392230&view=diff
> ==============================================================================
> --- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml (original)
> +++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml Fri Apr  7 02:39:36 2006
> @@ -253,6 +253,45 @@
>  <affects prod="httpd" version="2.0.35"/>
>  </issue>
>  
> +<issue fixed="1.3.34" public="20050611" released="20051018">
> +<cve name="CVE-2005-2088"/>
> +<severity level="3">moderate</severity>
> +<title>HTTP Request Spoofing</title>
> +<description>
> +<p>
> +A flaw occured when using the Apache server as a HTTP proxy. A remote
> +attacker could send a HTTP request with both a "Transfer-Encoding:
> +chunked" header and a Content-Length header, causing Apache to
> +incorrectly handle and forward the body of the request in a way that
> +causes the receiving server to process it as a separate HTTP request.
> +This could allow the bypass of web application firewall protection or
> +lead to cross-site scripting (XSS) attacks.
> +</p>
> +</description>
> +  <affects prod="httpd" version="1.3.33"/>
> +  <affects prod="httpd" version="1.3.32"/>
> +  <affects prod="httpd" version="1.3.31"/>
> +  <affects prod="httpd" version="1.3.29"/>
> +  <affects prod="httpd" version="1.3.28"/>
> +  <affects prod="httpd" version="1.3.27"/>
> +  <affects prod="httpd" version="1.3.26"/>
> +  <affects prod="httpd" version="1.3.24"/>
> +  <affects prod="httpd" version="1.3.22"/>
> +  <affects prod="httpd" version="1.3.20"/>
> +  <affects prod="httpd" version="1.3.19"/>
> +  <affects prod="httpd" version="1.3.17"/>
> +  <affects prod="httpd" version="1.3.14"/>
> +  <affects prod="httpd" version="1.3.12"/>
> +  <affects prod="httpd" version="1.3.11"/>
> +  <affects prod="httpd" version="1.3.9"/>
> +  <affects prod="httpd" version="1.3.6"/>
> +  <affects prod="httpd" version="1.3.4"/>
> +  <affects prod="httpd" version="1.3.3"/>
> +  <affects prod="httpd" version="1.3.2"/>
> +  <affects prod="httpd" version="1.3.1"/>
> +  <affects prod="httpd" version="1.3.0"/>
> +</issue>
> +
>  <issue fixed="2.0.55" public="20050611" released="20051014">
>  <cve name="CVE-2005-2088"/>
>  <severity level="3">moderate</severity>
> 
> 
> 
>