From: Ruediger Pluem
To: dev@httpd.apache.org
Date: Sun, 06 Jan 2008 21:39:47 +0100
Subject: Re: Pre-release test tarballs of httpd 1.3.40, 2.0.62 and 2.2.7 available
Message-ID: <47813C93.4020507@apache.org>
In-Reply-To: <9C400F45-8FFA-4F0C-9F34-7FC8002384A6@apache.org>

On 01/06/2008 07:13 PM, Sander Temme wrote:
>
> On Jan 4, 2008, at 12:00 PM, Jim Jagielski wrote:
>
>> The latest versions of all 3 variants of Apache HTTP Server (1.3.40,
>> 2.0.62 and 2.2.7) have been tagged.
>
> While it seems to me that we're looking at a re-roll with several
> patches, please find my test results from the past couple of days.
> Perhaps this experience finally motivates me to script this exercise
> since it gets extremely tedious and repetitive, and hence error prone.
>
> Compiled with a bunch of modules (see config.nice and config.status at
> the end) as well as php-5.2.5.
>
> Mac OS X 10.5 (Leopard) on PowerPC:
>
> [-1] 1.3.40 (CVE-2007-6388 not fixed)

There is a patch available from Mark J Cox for 1.3 which I attach.

Regards

Rüdiger

Attachment: CVE-2007-6388-httpd-1.3.patch

Index: src/CHANGES
===================================================================
--- src/CHANGES	(revision 606689)
+++ src/CHANGES	(working copy)
@@ -1,5 +1,10 @@ Changes with Apache 1.3.40 + *) SECURITY: CVE-2007-6388 (cve.mitre.org) + mod_status: Ensure refresh parameter is numeric to prevent + a possible XSS attack caused by redirecting to other URLs. + Reported by SecurityReason. [Mark Cox] + *) SECURITY: CVE-2007-5000 (cve.mitre.org) mod_imap: Fix cross-site scripting issue. Reported by JPCERT. [Joe Orton] Index: src/modules/standard/mod_status.c =================================================================== --- src/modules/standard/mod_status.c (revision 604646) +++ src/modules/standard/mod_status.c (working copy) @@ -232,17 +232,15 @@ while (status_options[i].id != STAT_OPT_END) { if ((loc = strstr(r->args, status_options[i].form_data_str)) != NULL) { switch (status_options[i].id) { - case STAT_OPT_REFRESH: - if (*(loc + strlen(status_options[i].form_data_str)) == '=' - && atol(loc + strlen(status_options[i].form_data_str) - + 1) > 0) - ap_table_set(r->headers_out, - status_options[i].hdr_out_str, - loc + strlen(status_options[i].hdr_out_str) + 1); - else - ap_table_set(r->headers_out, - status_options[i].hdr_out_str, "1"); - break; + case STAT_OPT_REFRESH: { + long refreshtime = 0; + if (*(loc + strlen(status_options[i].form_data_str)) == '=') + refreshtime = atol(loc + strlen(status_options[i].form_data_str)+1); + ap_table_set(r->headers_out, + status_options[i].hdr_out_str, + ap_psprintf(r->pool,"%ld",(refreshtime<1)?1:refreshtime)); + break; + } case STAT_OPT_NOTABLE: no_table_report = 1; break; --------------060809010408030500050505--
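Review bot: In the mod_status.c hunk, `atol()` on the client-supplied `refresh=` value is still undefined behaviour for out-of-range input (the C standard does not require it to clamp at LONG_MAX); `strtol()` with an `ERANGE` check, or an explicit upper bound on `refreshtime` before the `ap_psprintf()` call, would make the "ensure refresh parameter is numeric" guarantee from the CHANGES entry airtight. The substance of the change is right: only the parsed number reaches the output header, so the old path that copied the raw query-string remainder into the header is gone, and with it the old offset computed from `strlen(status_options[i].hdr_out_str)`, which was the wrong string to measure; values below 1 still fall back to 1 as before.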