httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Boyle Owen" <Owen.Bo...@swx.com>
Subject XSS vulnerability in mod_negotiation - status in 2.2.8?
Date Tue, 05 Feb 2008 10:40:28 GMT
Greetings,

Our security guy noticed this alert about a XSS vulnerability in
mod_negotiation: http://www.mindedsecurity.com/MSA01150108.html.
According to the link, it applies to apache <= 2.2.6, so no worries for
2.2.8.

However, when I double-check the changelog for 2.2.8
(http://www.apache.org/dist/httpd/CHANGES_2.2.8) there is no specific
mention of a patch in mod_negotiation...

>From a quick inspection of the source code, there was no change to
mod_negotiation.c between 2.2.6 and 2.2.8 so can I conclude that the
vulnerability is still present in 2.2.8? (ie, can it have been handled
at a higher level?)

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.
 
 
This message is for the named person's use only. It may contain confidential, proprietary
or legally privileged information. If you receive this message in error, please notify the
sender urgently and then immediately delete the message and any copies of it from your system.
Please also immediately destroy any hardcopies of the message. The sender's company reserves
the right to monitor all e-mail communications through their networks.

Mime
View raw message