CVE-2006-3918: Missing Expect header sanitation may lead to XSS vulnerabilities

Related Vulnerabilities: CVE-2006-3918   CVE-2006-3747  

Debian Bug report logs - #381376


Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Thu, 3 Aug 2006 23:18:02 UTC

Severity: grave

Tags: security

Found in version apache2/2.0.55-4

Done: Tollef Fog Heen <tfheen@vawad.err.no>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#381376; Package apache2.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Apache Maintainers <debian-apache@lists.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-3918: Missing Expect header sanitation may lead to XSS vulnerabilities
Date: Fri, 04 Aug 2006 00:21:15 +0200
Package: apache2
Version: 2.0.55-4
Severity: grave
Tags: security
Justification: user security hole

CVE-2006-3918 reads:
http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1
before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0
before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect
header from an HTTP request when it is reflected back in an error
message, which might allow cross-site scripting (XSS) style attacks
using web client components that can send arbitrary headers in
requests, as demonstrated using a Flash SWF file.
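As an added illustration, not code from the bug report or from Apache, the pattern the CVE text describes: a 417 Expectation Failed page that reflects the Expect value verbatim, beside a version that HTML-escapes the value first, plus a small check a reviewer can run over a response body. The error template, the header parser and the sample request are constructed stand-ins, not Apache's http_protocol.c.

```python
import html
from typing import Dict, Tuple

# Constructed stand-in for a 417 page; not Apache's real error template.
ERROR_TEMPLATE = (
    "<html><head><title>417 Expectation Failed</title></head><body>\n"
    "<h1>Expectation Failed</h1>\n"
    "<p>The expectation given in the Expect request-header field could not\n"
    "be met by this server.</p>\n"
    "<p>The client sent <pre>Expect: {expect}</pre>\n"
    "but only the 100-continue expectation is supported.</p>\n"
    "</body></html>\n"
)

def render_417_vulnerable(expect_value: str) -> str:
    """CVE-2006-3918 pattern: the raw header value lands in the HTML unchanged."""
    return ERROR_TEMPLATE.format(expect=expect_value)

def render_417_fixed(expect_value: str) -> str:
    """Hardened form: escape <, >, &, and quotes before the value reaches the body."""
    return ERROR_TEMPLATE.format(expect=html.escape(expect_value, quote=True))

def reflects_unescaped(value: str, body: str) -> bool:
    """Detection check on a response: the value carries HTML-significant
    characters and appears verbatim (unescaped) in the body."""
    return any(c in value for c in "<>&\"'") and value in body

def parse_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of a raw request (CRLF-separated, names are
    case-insensitive); the request line is skipped and any body ignored."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def handle_request(raw_request: str) -> Tuple[int, str]:
    """Return (status, body): no Expect header, or exactly 100-continue, needs
    no 417; any other expectation gets the escaped error page."""
    expect = parse_headers(raw_request).get("expect")
    if expect is None or expect.lower() == "100-continue":
        return 200, ""
    return 417, render_417_fixed(expect)

# Constructed sample request whose Expect value carries markup.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\nHost: example.test\r\n"
    "Expect: 100-continue<script>alert(1)</script>\r\n\r\n"
)
```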



Tags added: fixed Request was from Steve Kemp <skx@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#381376; Package apache2.


Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.


Message #12 received at 381376@bugs.debian.org:

From: Loïc Minier <lool@dooz.org>
To: team@security.debian.org
Cc: 381376@bugs.debian.org
Subject: Status of CVE-2006-3918 #381376
Date: Sat, 9 Sep 2006 12:35:08 +0200
        Hi,

 I think only apache was uploaded for CVE-2006-3918, and not apache2.
 Do you intend to issue a DSA for apache2 as well?  Or isn't it affected
 by the vulnerability?

 This is fixed in apache2 >= 2.0.55-4.1 in unstable.

   Thanks,
-- 
Loïc Minier <lool@dooz.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#381376; Package apache2.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.


Message #17 received at 381376@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: debian-apache@lists.debian.org, Loïc Minier <lool@dooz.org>, 381376@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#381376: Status of CVE-2006-3918 #381376
Date: Sat, 9 Sep 2006 13:22:25 +0200
On Saturday 09 September 2006 12:35, Loïc Minier wrote:
>  I think only apache was uploaded for CVE-2006-3918, and not
> apache2. Do you intend to issue a DSA for apache2 as well?  Or
> isn't it affected by the vulnerability?
>
>  This is fixed in apache2 >= 2.0.55-4.1 in unstable.

The issue is less severe for apache2 because it is much more difficult 
to exploit: apache2 will first wait for the request timeout (usually 
5 minutes) before sending the problematic error message.

Cheers,
Stefan



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#381376; Package apache2.


Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.


Message #22 received at 381376@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: Stefan Fritsch <sf@sfritsch.de>
Cc: debian-apache@lists.debian.org, Loïc Minier <lool@dooz.org>, 381376@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#381376: Status of CVE-2006-3918 #381376
Date: Sun, 10 Sep 2006 13:34:30 +0100
On Sat, Sep 09, 2006 at 01:22:25PM +0200, Stefan Fritsch wrote:
> On Saturday 09 September 2006 12:35, Loïc Minier wrote:
> >  I think only apache was uploaded for CVE-2006-3918, and not
> > apache2. Do you intend to issue a DSA for apache2 as well?  Or
> > isn't it affected by the vulnerability?
> >
> >  This is fixed in apache2 >= 2.0.55-4.1 in unstable.
> 
> The issue is less severe for apache2 because it is much more difficult 
> to exploit: apache2 will first wait for the request timeout (usually 
> 5 minutes) before sending the problematic error message.

  I have a pending upload of Apache2 for this, but I've been
 unexpectedly busy.  I did intend it to be a day or two after
 the apache update.

  All being well I'll get it released tomorrow.  If not it will
 have to be midweek.

Steve
--



Tags removed: fixed Request was from Tollef Fog Heen <tfheen@vawad.err.no> to control@bugs.debian.org.


Reply sent to Tollef Fog Heen <tfheen@vawad.err.no>:
You have taken responsibility.


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.


Message #29 received at 381376-done@bugs.debian.org:

From: Tollef Fog Heen <tfheen@vawad.err.no>
To: 299855-done@bugs.debian.org, 349416-done@bugs.debian.org, 374160-done@bugs.debian.org, 380182-done@bugs.debian.org, 381376-done@bugs.debian.org, control@bugs.debian.org
Subject: Fixed in NMU
Date: Fri, 06 Oct 2006 18:44:50 +0200
tag 299855 - fixed
tag 349416 - fixed
tag 374160 - fixed
tag 380182 - fixed
tag 381376 - fixed
thanks

Those are fixed in an NMU which was accepted by the maintainer, so closing properly.

Format: 1.7
Date: Sat, 5 Aug 2006 21:35:53 +0000
Source: apache2
Binary: apache2-utils apache2 apache2-prefork-dev apache2-mpm-prefork apache2-doc libapr0-dev apache2-mpm-worker libapr0 apache2-threaded-dev apache2-common apache2-mpm-perchild
Architecture: source i386 all
Version: 2.0.55-4.1
Distribution: unstable
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Steve Kemp <skx@debian.org>
Description: 
 apache2    - next generation, scalable, extendable web server
 apache2-common - next generation, scalable, extendable web server
 apache2-doc - documentation for apache2
 apache2-mpm-perchild - experimental high speed perchild threaded model for Apache2
 apache2-mpm-prefork - traditional model for Apache2
 apache2-mpm-worker - high speed threaded model for Apache2
 apache2-prefork-dev - development headers for apache2
 apache2-threaded-dev - development headers for apache2
 apache2-utils - utility programs for webservers
 libapr0    - the Apache Portable Runtime
 libapr0-dev - development headers for libapr
Closes: 299855 349416 374160 380182 381376
Changes: 
 apache2 (2.0.55-4.1) unstable; urgency=high
 .
   * Non-maintainer upload.  Urgency set to high due to security fixes.
   * Added '052_mod_rewrite_CVE-2006-3747' to fix the off-by-one bug in
     mod_rewrite.
     [CVE-2006-3747].  (Closes: #380182)
   * Added '053_restore_prefix_fix' to allow rebuilding from source.
     (Closes: #374160)
   * Added '054_apr_sendfile' to allow building for Hurd.
     (Closes: #349416)
   * Added '055_expect_CVE-2006-3918' to fix XSS attack in Expect headers.
     [CVE-2006-3918].  (Closes: #381376)
   * Added bash-completion script from Guillaume Rousse.
     (Closes: #299855)
Files: 




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 18:56:18 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:20:33 2019; Machine Name: buxtehude
