[CVE-2005-3352] XSS issue in mod_imap


Debian Bug report logs - #343466


Package: apache; Maintainer for apache is (unknown);

Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Thu, 15 Dec 2005 14:18:01 UTC

Severity: important

Tags: patch, security, upstream

Fixed in version apache/1.3.34-2

Done: Adam Conrad <adconrad@0c3.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#343466; Package apache.


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: XSS issue in mod_imap
Date: Thu, 15 Dec 2005 15:03:57 +0100
Package: apache
Tags: security upstream
Severity: important

Upstream reports a cross-site scripting issue in Apache:

  <http://issues.apache.org/bugzilla/show_bug.cgi?id=37874>

Impact does not seem to be substantial (rather obscure module,
specific configuration required, only clients running IE are
exploitable), therefore I'm setting the severity to "important".


Changed Bug title. Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#343466; Package apache.


Acknowledgement sent to micah <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.


Message #12 received at 343466@bugs.debian.org:

From: micah <micah@riseup.net>
To: 343466@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Patch available
Date: Sun, 1 Jan 2006 16:50:51 -0500
tag 343466 +patch
thanks

Patch available to fix this issue on apache-1.3 here:

http://issues.apache.org/bugzilla/attachment.cgi?id=17199

Tags added: patch. Request was from micah <micah@riseup.net> to control@bugs.debian.org.


Reply sent to Adam Conrad <adconrad@0c3.net>:
You have taken responsibility.


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.


Message #19 received at 343466-close@bugs.debian.org:

From: Adam Conrad <adconrad@0c3.net>
To: 343466-close@bugs.debian.org
Subject: Bug#343466: fixed in apache 1.3.34-2
Date: Fri, 06 Jan 2006 04:47:08 -0800
Source: apache
Source-Version: 1.3.34-2

We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:

apache-common_1.3.34-2_i386.deb
  to pool/main/a/apache/apache-common_1.3.34-2_i386.deb
apache-dbg_1.3.34-2_i386.deb
  to pool/main/a/apache/apache-dbg_1.3.34-2_i386.deb
apache-dev_1.3.34-2_all.deb
  to pool/main/a/apache/apache-dev_1.3.34-2_all.deb
apache-doc_1.3.34-2_all.deb
  to pool/main/a/apache/apache-doc_1.3.34-2_all.deb
apache-perl_1.3.34-2_i386.deb
  to pool/main/a/apache/apache-perl_1.3.34-2_i386.deb
apache-ssl_1.3.34-2_i386.deb
  to pool/main/a/apache/apache-ssl_1.3.34-2_i386.deb
apache_1.3.34-2.diff.gz
  to pool/main/a/apache/apache_1.3.34-2.diff.gz
apache_1.3.34-2.dsc
  to pool/main/a/apache/apache_1.3.34-2.dsc
apache_1.3.34-2_i386.deb
  to pool/main/a/apache/apache_1.3.34-2_i386.deb
libapache-mod-perl_1.29.0.4-2_i386.deb
  to pool/main/a/apache/libapache-mod-perl_1.29.0.4-2_i386.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 343466@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri,  6 Jan 2006 18:00:40 +1100
Source: apache
Binary: apache-dev apache-common apache-doc apache apache-dbg apache-perl apache-ssl libapache-mod-perl
Architecture: source i386 all
Version: 1.3.34-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description: 
 apache     - versatile, high-performance HTTP server
 apache-common - support files for all Apache webservers
 apache-dbg - debug versions of the Apache webservers
 apache-dev - development kit for the Apache webserver
 apache-doc - documentation for the Apache webserver
 apache-perl - versatile, high-performance HTTP server with Perl support
 apache-ssl - versatile, high-performance HTTP server with SSL support
 libapache-mod-perl - integration of perl with the Apache web server
Closes: 343466
Changes: 
 apache (1.3.34-2) unstable; urgency=medium
 .
   * Add 907_mod_imap_CVE-2005-3352 to resolve a cross-site scripting
     vulnerability in mod_imap, by escaping untrusted referer headers
     before outputting HTML; see CVE-2005-3352 (closes: #343466)
Files: 
 acff429644bf3c1f46c1ccc13aa8813b 1082 web optional apache_1.3.34-2.dsc
 47d9d2ea111b7af985aace5c1a2ccef0 349134 web optional apache_1.3.34-2.diff.gz
 3aa15b478dfa6334cb44255d439b499a 1195504 doc optional apache-doc_1.3.34-2_all.deb
 455598dbfaec9e4851f29d0a916bb00b 332734 devel extra apache-dev_1.3.34-2_all.deb
 51bd85e9cdbdab00b8e4f0371d39d9ce 391886 web optional apache_1.3.34-2_i386.deb
 04aca30f9b8358e81e344ccb92a53298 495720 web optional apache-ssl_1.3.34-2_i386.deb
 8b3595777b20d619ae1686dba8ab044d 512924 web optional apache-perl_1.3.34-2_i386.deb
 658a37673736b5cf5c6e97eced9bc7e3 9617306 devel extra apache-dbg_1.3.34-2_i386.deb
 0a4c0f128197c0e3bc1ca0bd7467990f 847150 web optional apache-common_1.3.34-2_i386.deb
 b225f16af645e0b963f73bc860eebc49 489590 perl optional libapache-mod-perl_1.29.0.4-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDvlsVvjztR8bOoMkRArLyAJ9sm1Crt7bVUQQgF9ZAgol1GsUbdACfancY
Q255dnJ++0FcnbUEBkMMe70=
=tqWd
-----END PGP SIGNATURE-----
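The changelog entry above describes the fix only in one line: escape the untrusted Referer header before writing it into HTML. The following is an added example, not code from mod_imap or the Debian patch, showing the defensive pattern in plain C. The function names `html_escape`, `menu_link_unsafe` and `menu_link_safe`, and the Referer value used as input, are constructed for illustration; the unsafe variant is kept only to show the difference from the escaped one.

```c
/* Added example (not mod_imap's own code): escape an untrusted header
 * value before interpolating it into an HTML response. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Entity for each HTML-significant byte, or NULL for plain bytes. */
static const char *entity_for(char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Returns a newly malloc'd copy of `in` with &, <, >, " and ' replaced
 * by entities. Safe for both text content and double-quoted attribute
 * values. Caller frees. Returns NULL on allocation failure. */
char *html_escape(const char *in)
{
    size_t out_len = 0;
    const char *p;

    for (p = in; *p; p++) {
        const char *e = entity_for(*p);
        out_len += e ? strlen(e) : 1;
    }

    char *out = malloc(out_len + 1);
    if (!out)
        return NULL;

    char *q = out;
    for (p = in; *p; p++) {
        const char *e = entity_for(*p);
        if (e) {
            size_t n = strlen(e);
            memcpy(q, e, n);
            q += n;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* "Return to referer" link as an imagemap menu might emit it.
 * UNSAFE: the header value is copied into the markup verbatim, so a
 * quote or angle bracket in it ends the attribute and injects tags. */
char *menu_link_unsafe(const char *referer)
{
    const char *fmt = "<a href=\"%s\">Return to referer</a>";
    size_t n = strlen(fmt) + strlen(referer) + 1;
    char *out = malloc(n);
    if (out)
        snprintf(out, n, fmt, referer);
    return out;
}

/* Same link, but the header value is entity-escaped first, which is the
 * change the Debian changelog describes. Caller frees. */
char *menu_link_safe(const char *referer)
{
    char *esc = html_escape(referer);
    if (!esc)
        return NULL;
    char *out = menu_link_unsafe(esc); /* now safe: input is escaped */
    free(esc);
    return out;
}

/* Helper so callers (and tests) can check a result without leaking. */
int result_equals(char *got, const char *expected)
{
    int eq = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return eq;
}

int main(void)
{
    /* Constructed Referer value containing attribute-breaking characters. */
    const char *referer = "http://example.test/?q=\"><b>x</b>";
    char *unsafe = menu_link_unsafe(referer);
    char *safe = menu_link_safe(referer);
    printf("unsafe: %s\nsafe:   %s\n", unsafe, safe);
    free(unsafe);
    free(safe);
    return 0;
}
```

Entity escaping neutralises the injection described in the bug, but it is context-specific: it is the right step for text content and quoted attribute values, while a value placed in an `href` still needs its URL scheme validated separately, since `javascript:` contains no character that escaping would touch.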

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 07:37:21 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:45:05 2019; Machine Name: beach
