httpd-cvs mailing list archives

From scte...@apache.org
Subject svn commit: r609410 - /httpd/httpd/branches/1.3.x/STATUS
Date Sun, 06 Jan 2008 21:33:02 GMT
Author: sctemme
Date: Sun Jan  6 13:33:01 2008
New Revision: 609410

URL: http://svn.apache.org/viewvc?rev=609410&view=rev
Log:
Propose backport of refresh parameter input sanitizing patch.

Modified:
    httpd/httpd/branches/1.3.x/STATUS

Modified: httpd/httpd/branches/1.3.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/STATUS?rev=609410&r1=609409&r2=609410&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/STATUS (original)
+++ httpd/httpd/branches/1.3.x/STATUS Sun Jan  6 13:33:01 2008
@@ -56,6 +56,16 @@
 
 RELEASE SHOWSTOPPERS:
 
+   *) SECURITY: CVE-2007-6388 (cve.mitre.org)
+      mod_status: Ensure refresh parameter is numeric to prevent
+      a possible XSS attack caused by redirecting to other URLs.
+      Reported by SecurityReason.  [Mark Cox]
+      Trunk version of patch: 
+        http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c?r1=590641&r2=607873
+      1.3 version of patch attached to: 
+        http://mail-archives.apache.org/mod_mbox/httpd-dev/200801.mbox/%3c47813C93.4020507@apache.org%3e
+      +1: sctemme (with fuankg's change of default refresh time to 10 seconds in r607873)
+
 PROPOSED PATCHES FOR THIS RELEASE:
 
    *) mod_rewrite on Win32: change the mutex mechanism for RewriteLog
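Review bot: the vote line "+1: sctemme (with fuankg's change of default refresh time to 10 seconds in r607873)" attaches a condition to the +1 without saying whether the 1.3 patch attached to the httpd-dev message already carries that r607873 change or whether the backporter still has to pick it up from the trunk range r590641..r607873; add a line under "1.3 version of patch attached to:" stating which trunk revisions the attached patch covers, so later voters know exactly which patch they are approving. The description "Ensure refresh parameter is numeric" should also say what happens when the check fails (the parameter is ignored, the default refresh time is used, or the request is rejected), since the entry mentions a default refresh time but not the behaviour on bad input.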


