httpd-dev mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: XSS vulnerability in mod_negotiation - status in 2.2.8?
Date Wed, 06 Feb 2008 10:28:15 GMT
It is clear to me now that this is a storm in a teacup. I note also that
the "vulnerability" never made it to the CVE database so I think we can
decide on "no further action".

Thanks to Joshua and William for their helpful insights.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> -----Original Message-----
> From: Boyle Owen [mailto:Owen.Boyle@swx.com] 
> Sent: Tuesday, February 05, 2008 11:40 AM
> To: dev@httpd.apache.org
> Subject: XSS vulnerability in mod_negotiation - status in 2.2.8?
> 
> Greetings,
> 
> Our security guy noticed this alert about a XSS vulnerability in
> mod_negotiation: http://www.mindedsecurity.com/MSA01150108.html.
> According to the link, it applies to apache <= 2.2.6, so no worries for
> 2.2.8.
> 
> However, when I double-check the changelog for 2.2.8
> (http://www.apache.org/dist/httpd/CHANGES_2.2.8) there is no specific
> mention of a patch in mod_negotiation...
> 
> From a quick inspection of the source code, there was no change to
> mod_negotiation.c between 2.2.6 and 2.2.8 so can I conclude that the
> vulnerability is still present in 2.2.8? (ie, can it have been handled
> at a higher level?)
> 
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
>  
>  
> This message is for the named person's use only. It may 
> contain confidential, proprietary or legally privileged 
> information. If you receive this message in error, please 
> notify the sender urgently and then immediately delete the 
> message and any copies of it from your system. Please also 
> immediately destroy any hardcopies of the message. The 
> sender's company reserves the right to monitor all e-mail 
> communications through their networks.
>
