Return-Path: Delivered-To: apmail-httpd-cvs-archive@www.apache.org Received: (qmail 25157 invoked from network); 19 Jan 2008 14:32:57 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 19 Jan 2008 14:32:57 -0000 Received: (qmail 84167 invoked by uid 500); 19 Jan 2008 14:32:47 -0000 Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 84094 invoked by uid 500); 19 Jan 2008 14:32:47 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 84083 invoked by uid 99); 19 Jan 2008 14:32:46 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 19 Jan 2008 06:32:46 -0800 X-ASF-Spam-Status: No, hits=-100.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.3] (HELO eris.apache.org) (140.211.11.3) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 19 Jan 2008 14:32:33 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id 7F7B11A9832; Sat, 19 Jan 2008 06:32:24 -0800 (PST) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r613397 - in /httpd/site/trunk/dist: Announcement1.3.html Announcement1.3.txt Announcement2.0.html Announcement2.0.txt Announcement2.2.html Announcement2.2.txt Date: Sat, 19 Jan 2008 14:32:19 -0000 To: cvs@httpd.apache.org From: jim@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20080119143224.7F7B11A9832@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: jim Date: Sat Jan 19 06:32:18 2008 New Revision: 613397 URL: http://svn.apache.org/viewvc?rev=613397&view=rev Log: Fold in descripts of vulns Modified: httpd/site/trunk/dist/Announcement1.3.html httpd/site/trunk/dist/Announcement1.3.txt httpd/site/trunk/dist/Announcement2.0.html httpd/site/trunk/dist/Announcement2.0.txt httpd/site/trunk/dist/Announcement2.2.html httpd/site/trunk/dist/Announcement2.2.txt Modified: httpd/site/trunk/dist/Announcement1.3.html URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement1.3.html?rev=613397&r1=613396&r2=613397&view=diff ============================================================================== --- httpd/site/trunk/dist/Announcement1.3.html (original) +++ httpd/site/trunk/dist/Announcement1.3.html Sat Jan 19 06:32:18 2008 @@ -30,12 +30,21 @@ mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. +
+A flaw was found in the mod_status module. On sites where mod_status is +enabled and the status pages were publicly accessible, a cross-site +scripting attack is possible. +Note that the server-status page is not enabled by default and it is best +practice to not make this publicly available.
  • CVE-2007-5000: mod_imap: Fix cross-site scripting issue. Reported by JPCERT. -
    • +
    +A flaw was found in the mod_imap module. On sites where +mod_imap is enabled and an imagemap file is publicly available, a +cross-site scripting attack is possible.
  • CVE-2007-3847: Modified: httpd/site/trunk/dist/Announcement1.3.txt URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement1.3.txt?rev=613397&r1=613396&r2=613397&view=diff ============================================================================== --- httpd/site/trunk/dist/Announcement1.3.txt (original) +++ httpd/site/trunk/dist/Announcement1.3.txt Sat Jan 19 06:32:18 2008 @@ -13,8 +13,18 @@ a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. + A flaw was found in the mod_status module. On sites where mod_status + is enabled and the status pages were publicly accessible, a + cross-site scripting attack is possible. Note that the server-status + page is not enabled by default and it is best practice to not make + this publicly available. + * CVE-2007-5000 (cve.mitre.org) mod_imap: Fix cross-site scripting issue. Reported by JPCERT. + + A flaw was found in the mod_imap module. On sites where + mod_imap is enabled and an imagemap file is publicly available, a + cross-site scripting attack is possible. * CVE-2007-3847 (cve.mitre.org) mod_proxy: Prevent reading past the end of a buffer when parsing Modified: httpd/site/trunk/dist/Announcement2.0.html URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.0.html?rev=613397&r1=613396&r2=613397&view=diff ============================================================================== --- httpd/site/trunk/dist/Announcement2.0.html (original) +++ httpd/site/trunk/dist/Announcement2.0.html Sat Jan 19 06:32:18 2008 @@ -38,11 +38,22 @@ mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. +
    + A flaw was found in the mod_status module. On sites where mod_status + is enabled and the status pages were publicly accessible, a + cross-site scripting attack is possible. Note that the server-status + page is not enabled by default and it is best practice to not make + this publicly available.
  • CVE-2007-5000: mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT. +
    +A flaw was found in the mod_imap module. On sites where +mod_imap is enabled and an imagemap file is publicly available, a +cross-site scripting attack is possible. +
    • Modified: httpd/site/trunk/dist/Announcement2.0.txt URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.0.txt?rev=613397&r1=613396&r2=613397&view=diff ============================================================================== --- httpd/site/trunk/dist/Announcement2.0.txt (original) +++ httpd/site/trunk/dist/Announcement2.0.txt Sat Jan 19 06:32:18 2008 @@ -16,8 +16,18 @@ a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. + A flaw was found in the mod_status module. On sites where mod_status + is enabled and the status pages were publicly accessible, a + cross-site scripting attack is possible. Note that the server-status + page is not enabled by default and it is best practice to not make + this publicly available. + * CVE-2007-5000 (cve.mitre.org) mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT. + + A flaw was found in the mod_imap module. On sites where + mod_imap is enabled and an imagemap file is publicly available, a + cross-site scripting attack is possible. Please see the CHANGES_2.0.63 file in this directory for a full list of changes for this version. Modified: httpd/site/trunk/dist/Announcement2.2.html URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.2.html?rev=613397&r1=613396&r2=613397&view=diff ============================================================================== --- httpd/site/trunk/dist/Announcement2.2.html (original) +++ httpd/site/trunk/dist/Announcement2.2.html Sat Jan 19 06:32:18 2008 @@ -30,12 +30,22 @@ mod_proxy_balancer: Correctly escape the worker route and the worker redirect string in the HTML output of the balancer manager. Reported by SecurityReason. +
    + A flaw was found in the mod_proxy_balancer module. On sites where + mod_proxy_balancer is enabled, a cross-site scripting attack against + an authorized user is possible.
  • CVE-2007-6422: Prevent crash in balancer manager if invalid balancer name is passed as parameter. Reported by SecurityReason. +
    + A flaw was found in the mod_proxy_balancer module. On sites where + mod_proxy_balancer is enabled, an authorized user could send a + carefully crafted request that would cause the Apache child process + handling that request to crash. This could lead to a denial of + service if using a threaded Multi-Processing Module.
  • + A flaw was found in the mod_status module. On sites where mod_status + is enabled and the status pages were publicly accessible, a + cross-site scripting attack is possible. Note that the server-status + page is not enabled by default and it is best practice to not make + this publicly available.
    • +
  • CVE-2007-5000 : mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT. +
    + A flaw was found in the mod_imap module. On sites where + mod_imap is enabled and an imagemap file is publicly available, a + cross-site scripting attack is possible.
    • Modified: httpd/site/trunk/dist/Announcement2.2.txt URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.2.txt?rev=613397&r1=613396&r2=613397&view=diff ============================================================================== --- httpd/site/trunk/dist/Announcement2.2.txt (original) +++ httpd/site/trunk/dist/Announcement2.2.txt Sat Jan 19 06:32:18 2008 @@ -10,17 +10,37 @@ redirect string in the HTML output of the balancer manager. Reported by SecurityReason. + A flaw was found in the mod_proxy_balancer module. On sites where + mod_proxy_balancer is enabled, a cross-site scripting attack against + an authorized user is possible. + * CVE-2007-6422 (cve.mitre.org) Prevent crash in balancer manager if invalid balancer name is passed as parameter. Reported by SecurityReason. + A flaw was found in the mod_proxy_balancer module. On sites where + mod_proxy_balancer is enabled, an authorized user could send a + carefully crafted request that would cause the Apache child process + handling that request to crash. This could lead to a denial of + service if using a threaded Multi-Processing Module. + * CVE-2007-6388 (cve.mitre.org) mod_status: Ensure refresh parameter is numeric to prevent a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. + A flaw was found in the mod_status module. On sites where mod_status + is enabled and the status pages were publicly accessible, a + cross-site scripting attack is possible. Note that the server-status + page is not enabled by default and it is best practice to not make + this publicly available. + * CVE-2007-5000 (cve.mitre.org) mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT. + + A flaw was found in the mod_imap module. On sites where + mod_imap is enabled and an imagemap file is publicly available, a + cross-site scripting attack is possible. We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.