httpd-cvs mailing list archives

From j..@apache.org
Subject svn commit: r613397 - in /httpd/site/trunk/dist: Announcement1.3.html Announcement1.3.txt Announcement2.0.html Announcement2.0.txt Announcement2.2.html Announcement2.2.txt
Date Sat, 19 Jan 2008 14:32:19 GMT
Author: jim
Date: Sat Jan 19 06:32:18 2008
New Revision: 613397

URL: http://svn.apache.org/viewvc?rev=613397&view=rev
Log:
Fold in descriptions of vulns

Modified:
    httpd/site/trunk/dist/Announcement1.3.html
    httpd/site/trunk/dist/Announcement1.3.txt
    httpd/site/trunk/dist/Announcement2.0.html
    httpd/site/trunk/dist/Announcement2.0.txt
    httpd/site/trunk/dist/Announcement2.2.html
    httpd/site/trunk/dist/Announcement2.2.txt

Modified: httpd/site/trunk/dist/Announcement1.3.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement1.3.html?rev=613397&r1=613396&r2=613397&view=diff
==============================================================================
--- httpd/site/trunk/dist/Announcement1.3.html (original)
+++ httpd/site/trunk/dist/Announcement1.3.html Sat Jan 19 06:32:18 2008
@@ -30,12 +30,21 @@
 mod_status: Ensure refresh parameter is numeric to prevent
 a possible XSS attack caused by redirecting to other URLs.
 Reported by SecurityReason.
+<br />
+A flaw was found in the mod_status module. On sites where mod_status is
+enabled and the status pages were publicly accessible, a cross-site
+scripting attack is possible.
+Note that the server-status page is not enabled by default and it is best
+practice to not make this publicly available.
 </li>
 
 <li><a
  href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000">CVE-2007-5000:</a>
 mod_imap: Fix cross-site scripting issue.  Reported by JPCERT.
-</li>
+<br />
+A flaw was found in the mod_imap module. On sites where
+mod_imap is enabled and an imagemap file is publicly available, a
+cross-site scripting attack is possible.</li>
 
 <li><a
  href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847">CVE-2007-3847:</a>
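Review bot: the added mod_status paragraph mixes tenses ("On sites where mod_status is enabled and the status pages were publicly accessible"); the condition is a current configuration, so "are publicly accessible" reads correctly. In the mod_imap item, the closing tag is run onto the text line (`cross-site scripting attack is possible.</li>`) while the mod_status item above keeps `</li>` on its own line; put it on its own line for consistency with the rest of the list.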

Modified: httpd/site/trunk/dist/Announcement1.3.txt
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement1.3.txt?rev=613397&r1=613396&r2=613397&view=diff
==============================================================================
--- httpd/site/trunk/dist/Announcement1.3.txt (original)
+++ httpd/site/trunk/dist/Announcement1.3.txt Sat Jan 19 06:32:18 2008
@@ -13,8 +13,18 @@
        a possible XSS attack caused by redirecting to other URLs.
        Reported by SecurityReason.
 
+       A flaw was found in the mod_status module. On sites where mod_status
+       is enabled and the status pages were publicly accessible, a
+       cross-site scripting attack is possible. Note that the server-status
+       page is not enabled by default and it is best practice to not make
+       this publicly available.
+
      * CVE-2007-5000 (cve.mitre.org)
        mod_imap: Fix cross-site scripting issue.  Reported by JPCERT.
+
+       A flaw was found in the mod_imap module. On sites where
+       mod_imap is enabled and an imagemap file is publicly available, a
+       cross-site scripting attack is possible.
 
      * CVE-2007-3847 (cve.mitre.org)
        mod_proxy: Prevent reading past the end of a buffer when parsing
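Review bot: same tense mix as in the HTML version ("is enabled and the status pages were publicly accessible"); change "were" to "are" so the two files stay word-for-word identical apart from markup.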

Modified: httpd/site/trunk/dist/Announcement2.0.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.0.html?rev=613397&r1=613396&r2=613397&view=diff
==============================================================================
--- httpd/site/trunk/dist/Announcement2.0.html (original)
+++ httpd/site/trunk/dist/Announcement2.0.html Sat Jan 19 06:32:18 2008
@@ -38,11 +38,22 @@
 mod_status: Ensure refresh parameter is numeric to prevent
        a possible XSS attack caused by redirecting to other URLs. 
        Reported by SecurityReason.
+<br />
+       A flaw was found in the mod_status module. On sites where mod_status
+       is enabled and the status pages were publicly accessible, a
+       cross-site scripting attack is possible. Note that the server-status
+       page is not enabled by default and it is best practice to not make
+       this publicly available.
 </li>
 
 <li><a
  href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000">CVE-2007-5000:</a>
 mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
+<br />
+A flaw was found in the mod_imap module. On sites where
+mod_imap is enabled and an imagemap file is publicly available, a
+cross-site scripting attack is possible.
+
 </li>
 
 </ul>
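Review bot: the module name in the added CVE-2007-5000 paragraph ("A flaw was found in the mod_imap module") does not match the heading line directly above it ("mod_imagemap: Fix a cross-site scripting issue"); use one name for the module throughout the 2.0 announcement. The extra blank line introduced before `</li>` is not present in the other items and can be dropped, and the mod_status paragraph has the same "is enabled ... were publicly accessible" tense mix as the 1.3 file.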

Modified: httpd/site/trunk/dist/Announcement2.0.txt
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.0.txt?rev=613397&r1=613396&r2=613397&view=diff
==============================================================================
--- httpd/site/trunk/dist/Announcement2.0.txt (original)
+++ httpd/site/trunk/dist/Announcement2.0.txt Sat Jan 19 06:32:18 2008
@@ -16,8 +16,18 @@
        a possible XSS attack caused by redirecting to other URLs. 
        Reported by SecurityReason.
 
+       A flaw was found in the mod_status module. On sites where mod_status
+       is enabled and the status pages were publicly accessible, a
+       cross-site scripting attack is possible. Note that the server-status
+       page is not enabled by default and it is best practice to not make
+       this publicly available.
+
      * CVE-2007-5000 (cve.mitre.org)
        mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
+
+       A flaw was found in the mod_imap module. On sites where
+       mod_imap is enabled and an imagemap file is publicly available, a
+       cross-site scripting attack is possible.
 
    Please see the CHANGES_2.0.63 file in this directory for a full list
    of changes for this version.
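Review bot: as in Announcement2.0.html, the CVE-2007-5000 entry names the module "mod_imagemap" in its heading and "mod_imap" in the added description; pick one so readers grepping their LoadModule lines are not sent looking for two different modules. "were publicly accessible" in the mod_status paragraph should be "are publicly accessible".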

Modified: httpd/site/trunk/dist/Announcement2.2.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.2.html?rev=613397&r1=613396&r2=613397&view=diff
==============================================================================
--- httpd/site/trunk/dist/Announcement2.2.html (original)
+++ httpd/site/trunk/dist/Announcement2.2.html Sat Jan 19 06:32:18 2008
@@ -30,12 +30,22 @@
  mod_proxy_balancer: Correctly escape the worker route and the worker
  redirect string in the HTML output of the balancer manager.
  Reported by SecurityReason.
+<br />
+       A flaw was found in the mod_proxy_balancer module. On sites where
+       mod_proxy_balancer is enabled, a cross-site scripting attack against
+       an authorized user is possible. 
 </li>
 
 <li><a
  href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6422">CVE-2007-6422:</a>
  Prevent crash in balancer manager if invalid balancer name is passed
  as parameter. Reported by SecurityReason. 
+<br />
+       A flaw was found in the mod_proxy_balancer module. On sites where
+       mod_proxy_balancer is enabled, an authorized user could send a
+       carefully crafted request that would cause the Apache child process
+       handling that request to crash. This could lead to a denial of
+       service if using a threaded Multi-Processing Module.
 </li>
 
 <li><a
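Review bot: the added CVE-2007-6421 paragraph ends with trailing whitespace after "possible."; trim it. Its precondition also reads looser than the fix it describes: the heading says the flaw is in "the HTML output of the balancer manager", so the attack needs the balancer manager handler to be reachable, not merely mod_proxy_balancer to be loaded; "On sites where the balancer manager is enabled" would state that, matching the care taken in the mod_status item about server-status not being enabled by default.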
@@ -43,10 +53,21 @@
  mod_status: Ensure refresh parameter is numeric to prevent
  a possible XSS attack caused by redirecting to other URLs.
  Reported by SecurityReason. 
+<br />
+       A flaw was found in the mod_status module. On sites where mod_status
+       is enabled and the status pages were publicly accessible, a
+       cross-site scripting attack is possible. Note that the server-status
+       page is not enabled by default and it is best practice to not make
+       this publicly available.
 </li>
+
 <li><a
  href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000 ">CVE-2007-5000 :</a>
  mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
+<br />
+       A flaw was found in the mod_imap module. On sites where
+       mod_imap is enabled and an imagemap file is publicly available, a
+       cross-site scripting attack is possible.
 </li>
 
 </ul>
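Review bot: the unchanged context line `href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000 ">CVE-2007-5000 :</a>` carries a trailing space inside the href (so the link queries the name "CVE-2007-5000 ") and a stray space before the colon; since this hunk already edits the item, fix the link to the form used for the other CVEs. The added description again says "mod_imap module" under a "mod_imagemap:" heading, and the mod_status paragraph has the "is enabled ... were publicly accessible" tense mix.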

Modified: httpd/site/trunk/dist/Announcement2.2.txt
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.2.txt?rev=613397&r1=613396&r2=613397&view=diff
==============================================================================
--- httpd/site/trunk/dist/Announcement2.2.txt (original)
+++ httpd/site/trunk/dist/Announcement2.2.txt Sat Jan 19 06:32:18 2008
@@ -10,17 +10,37 @@
        redirect string in the HTML output of the balancer manager.
        Reported by SecurityReason.
 
+       A flaw was found in the mod_proxy_balancer module. On sites where
+       mod_proxy_balancer is enabled, a cross-site scripting attack against
+       an authorized user is possible. 
+
      * CVE-2007-6422 (cve.mitre.org)
        Prevent crash in balancer manager if invalid balancer name is passed
        as parameter. Reported by SecurityReason.
 
+       A flaw was found in the mod_proxy_balancer module. On sites where
+       mod_proxy_balancer is enabled, an authorized user could send a
+       carefully crafted request that would cause the Apache child process
+       handling that request to crash. This could lead to a denial of
+       service if using a threaded Multi-Processing Module.
+
      * CVE-2007-6388 (cve.mitre.org)
        mod_status: Ensure refresh parameter is numeric to prevent
        a possible XSS attack caused by redirecting to other URLs.
        Reported by SecurityReason.
 
+       A flaw was found in the mod_status module. On sites where mod_status
+       is enabled and the status pages were publicly accessible, a
+       cross-site scripting attack is possible. Note that the server-status
+       page is not enabled by default and it is best practice to not make
+       this publicly available.
+
      * CVE-2007-5000 (cve.mitre.org)
        mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
+
+       A flaw was found in the mod_imap module. On sites where
+       mod_imap is enabled and an imagemap file is publicly available, a
+       cross-site scripting attack is possible.
 
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.
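Review bot: the CVE-2007-6421 paragraph has trailing whitespace after "possible.", the CVE-2007-5000 description says "mod_imap module" under a "mod_imagemap:" heading, and the mod_status paragraph mixes "is enabled" with "were publicly accessible"; apply the same three fixes here as in Announcement2.2.html so the text and HTML announcements stay in sync.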


