httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From m..@apache.org
Subject svn commit: r427041 - in /httpd/site/trunk: docs/security/vulnerabilities_13.html xdocs/security/vulnerabilities-httpd.xml
Date Mon, 31 Jul 2006 08:19:35 GMT
Author: mjc
Date: Mon Jul 31 01:19:35 2006
New Revision: 427041

URL: http://svn.apache.org/viewvc?rev=427041&view=rev
Log:
Note CVE-2006-3918 in the erratadb

Modified:
    httpd/site/trunk/docs/security/vulnerabilities_13.html
    httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/docs/security/vulnerabilities_13.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_13.html?rev=427041&r1=427040&r2=427041&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_13.html (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_13.html Mon Jul 31 01:19:35 2006
@@ -125,6 +125,29 @@
 <dd>
 <b>moderate: </b>
 <b>
+<name name="CVE-2006-3918">Expect header Cross-Site Scripting</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918">CVE-2006-3918</a>
+<p>
+A flaw in the handling of invalid Expect headers.  If an attacker can
+influence the Expect header that a victim sends to a target site they
+could perform a cross-site scripting attack.  It is known that 
+some versions of Flash can set an arbitrary Expect header which can 
+trigger this flaw.  Not marked as a security issue for 2.0 or
+2.2 as the cross-site scripting is only returned to the victim after
+the server times out a connection.
+</p>
+</dd>
+<dd>
+  Update Released: 1st May 2006<br />
+</dd>
+<dd>
+      Affects: 
+    1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20,
1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3<p />
+</dd>
+<dd>
+<b>moderate: </b>
+<b>
 <name name="CVE-2005-3352">mod_imap Referer Cross-Site Scripting</name>
 </b>
 <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352">CVE-2005-3352</a>

Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml?rev=427041&r1=427040&r2=427041&view=diff
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml Mon Jul 31 01:19:35 2006
@@ -168,6 +168,43 @@
 <affects prod="httpd" version="2.0.35"/>
 </issue>
 
+<issue fixed="1.3.35" public="20060508" reported="" released="20060501">
+<cve name="CVE-2006-3918"/>
+<severity level="3">moderate</severity>
+<title>Expect header Cross-Site Scripting</title>
+<description>
+<p>
+A flaw in the handling of invalid Expect headers.  If an attacker can
+influence the Expect header that a victim sends to a target site they
+could perform a cross-site scripting attack.  It is known that 
+some versions of Flash can set an arbitrary Expect header which can 
+trigger this flaw.  Not marked as a security issue for 2.0 or
+2.2 as the cross-site scripting is only returned to the victim after
+the server times out a connection.
+</p>
+</description>
+  <affects prod="httpd" version="1.3.34"/>
+  <affects prod="httpd" version="1.3.33"/>
+  <affects prod="httpd" version="1.3.32"/>
+  <affects prod="httpd" version="1.3.31"/>
+  <affects prod="httpd" version="1.3.29"/>
+  <affects prod="httpd" version="1.3.28"/>
+  <affects prod="httpd" version="1.3.27"/>
+  <affects prod="httpd" version="1.3.26"/>
+  <affects prod="httpd" version="1.3.24"/>
+  <affects prod="httpd" version="1.3.22"/>
+  <affects prod="httpd" version="1.3.20"/>
+  <affects prod="httpd" version="1.3.19"/>
+  <affects prod="httpd" version="1.3.17"/>
+  <affects prod="httpd" version="1.3.14"/>
+  <affects prod="httpd" version="1.3.12"/>
+  <affects prod="httpd" version="1.3.11"/>
+  <affects prod="httpd" version="1.3.9"/>
+  <affects prod="httpd" version="1.3.6"/>
+  <affects prod="httpd" version="1.3.4"/>
+  <affects prod="httpd" version="1.3.3"/>
+</issue>
+
 <issue fixed="1.3.35" public="20051212" reported="20051101" released="20060501">
 <cve name="CVE-2005-3352"/>
 <severity level="3">moderate</severity>



Mime
View raw message