Debian Bug report logs - #381376
CVE-2006-3918: Missing Expect header sanitation may lead to XSS vulnerabilities
Reported by: Stefan Fritsch <sf@sfritsch.de>
Date: Thu, 3 Aug 2006 23:18:02 UTC
Severity: grave
Tags: security
Found in version apache2/2.0.55-4
Done: Tollef Fog Heen <tfheen@vawad.err.no>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Apache Maintainers <debian-apache@lists.debian.org>: Bug#381376; Package apache2.
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Apache Maintainers <debian-apache@lists.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: apache2
Version: 2.0.55-4
Severity: grave
Tags: security
Justification: user security hole
CVE-2006-3918 reads:
http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1
before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0
before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect
header from an HTTP request when it is reflected back in an error
message, which might allow cross-site scripting (XSS) style attacks
using web client components that can send arbitrary headers in
requests, as demonstrated using a Flash SWF file.
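The defect the CVE text describes is a request header reflected into an HTML error body without escaping. The C program below is added here as an illustration; it is not code from Apache or from this bug report. It contrasts the pre-fix behaviour (the Expect value copied verbatim into the 417 page) with the fixed behaviour (the value HTML-escaped before reflection) using a minimal escaper that stands in for the server's own, a constructed header value, and error-page wording and function names that are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy a C string into freshly allocated memory (avoids relying on the
 * non-ISO strdup). Caller frees. */
static char *copy_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    if (out) memcpy(out, s, n);
    return out;
}

/* HTML-escape the characters that can open markup or an attribute inside
 * an HTML body. A stand-in for a server-side escaper such as Apache's
 * ap_escape_html; example code, not Apache's own. Returns a malloc'd
 * string; caller frees. */
char *html_escape(const char *s) {
    size_t extra = 0;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '<': case '>': extra += 3; break;  /* "&lt;" / "&gt;" */
        case '&':           extra += 4; break;  /* "&amp;" */
        case '"':           extra += 5; break;  /* "&quot;" */
        default: break;
        }
    }
    char *out = malloc(strlen(s) + extra + 1);
    if (!out) return NULL;
    char *q = out;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '<': memcpy(q, "&lt;", 4);   q += 4; break;
        case '>': memcpy(q, "&gt;", 4);   q += 4; break;
        case '&': memcpy(q, "&amp;", 5);  q += 5; break;
        case '"': memcpy(q, "&quot;", 6); q += 6; break;
        default:  *q++ = *p; break;
        }
    }
    *q = '\0';
    return out;
}

/* Build the body of a "417 Expectation Failed" page that echoes the
 * client's Expect header, in the style of the message the CVE describes
 * (wording approximated, not copied from Apache). escape == 0 reproduces
 * the pre-fix behaviour (header reflected verbatim); escape != 0 applies
 * the fix (escape before reflecting). Returns a malloc'd string; caller
 * frees. */
char *expectation_failed_body(const char *expect_header, int escape) {
    static const char fmt[] =
        "<p>The expectation given in the Expect request-header field "
        "could not be met by this server.</p>\n"
        "<p>The client sent</p>\n<pre>\n    Expect: %s\n</pre>\n";
    char *value = escape ? html_escape(expect_header) : copy_str(expect_header);
    if (!value) return NULL;
    /* sizeof fmt counts the NUL and the two "%s" bytes, so this is enough. */
    size_t n = sizeof fmt + strlen(value);
    char *body = malloc(n);
    if (body) snprintf(body, n, fmt, value);
    free(value);
    return body;
}

/* Regression check: does the raw header value appear unchanged in the
 * generated body? For a value carrying markup, 1 means the page still
 * reflects it unescaped. Returns -1 on allocation failure. */
int reflects_verbatim(const char *expect_header, int escape) {
    char *body = expectation_failed_body(expect_header, escape);
    if (!body) return -1;
    int found = strstr(body, expect_header) != NULL;
    free(body);
    return found;
}

int main(void) {
    /* Constructed sample: an Expect value that carries HTML markup. */
    const char *sample = "<b>constructed-marker</b>";
    char *before = expectation_failed_body(sample, 0);
    char *after  = expectation_failed_body(sample, 1);
    printf("--- pre-fix body ---\n%s\n--- fixed body ---\n%s\n", before, after);
    printf("reflected verbatim: pre-fix=%d fixed=%d\n",
           reflects_verbatim(sample, 0), reflects_verbatim(sample, 1));
    free(before);
    free(after);
    return 0;
}
```

reflects_verbatim() is the shape of check a regression test can keep around: for any header value containing markup it must return 0 once escaping is in place, while a plain value such as "100-continue" is still echoed unchanged. Escaping at the point of output fixes the reflection regardless of how the header reached the server.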
Tags added: fixed. Request was from Steve Kemp <skx@debian.org> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>: Bug#381376; Package apache2.
Acknowledgement sent to Loïc Minier <lool@dooz.org>: Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.
Message #12 received at 381376@bugs.debian.org:
Hi,
I think only apache was uploaded for CVE-2006-3918, and not apache2.
Do you intend to issue a DSA for apache2 as well? Or isn't it affected
by the vulnerability?
This is fixed in apache2 >= 2.0.55-4.1 in unstable.
Thanks,
--
Loïc Minier <lool@dooz.org>
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>: Bug#381376; Package apache2.
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>: Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.
Message #17 received at 381376@bugs.debian.org:
On Saturday 09 September 2006 12:35, Loïc Minier wrote:
> I think only apache was uploaded for CVE-2006-3918, and not
> apache2. Do you intend to issue a DSA for apache2 as well? Or
> isn't it affected by the vulnerability?
>
> This is fixed in apache2 >= 2.0.55-4.1 in unstable.
The issue is less severe for apache2 because it is much more difficult
to exploit: apache2 will first wait for the request timeout (usually
5 minutes) before sending the problematic error message.
Cheers,
Stefan
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>: Bug#381376; Package apache2.
Acknowledgement sent to Steve Kemp <skx@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.
Message #22 received at 381376@bugs.debian.org:
On Sat, Sep 09, 2006 at 01:22:25PM +0200, Stefan Fritsch wrote:
> On Saturday 09 September 2006 12:35, Loïc Minier wrote:
> > I think only apache was uploaded for CVE-2006-3918, and not
> > apache2. Do you intend to issue a DSA for apache2 as well? Or
> > isn't it affected by the vulnerability?
> >
> > This is fixed in apache2 >= 2.0.55-4.1 in unstable.
>
> The issue is less severe for apache2 because it is much more difficult
> to exploit: apache2 will first wait for the request timeout (usually
> 5 minutes) before sending the problematic error message.
I have a pending upload of Apache2 for this, but I've been
unexpectedly busy. I did intend it to be a day or two after
the apache update.
All being well I'll get it released tomorrow. If not it will
have to be midweek.
Steve
--
Tags removed: fixed. Request was from Tollef Fog Heen <tfheen@vawad.err.no> to control@bugs.debian.org.
Reply sent to Tollef Fog Heen <tfheen@vawad.err.no>: You have taken responsibility.
Notification sent to Stefan Fritsch <sf@sfritsch.de>: Bug acknowledged by developer.
Message #29 received at 381376-done@bugs.debian.org:
tag 299855 - fixed
tag 349416 - fixed
tag 374160 - fixed
tag 380182 - fixed
tag 381376 - fixed
thanks
Those are fixed in an NMU which was accepted by the maintainer, so closing properly.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 5 Aug 2006 21:35:53 +0000
Source: apache2
Binary: apache2-utils apache2 apache2-prefork-dev apache2-mpm-prefork apache2-doc libapr0-dev apache2-mpm-worker libapr0 apache2-threaded-dev apache2-common apache2-mpm-perchild
Architecture: source i386 all
Version: 2.0.55-4.1
Distribution: unstable
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Steve Kemp <skx@debian.org>
Description:
apache2 - next generation, scalable, extendable web server
apache2-common - next generation, scalable, extendable web server
apache2-doc - documentation for apache2
apache2-mpm-perchild - experimental high speed perchild threaded model for Apache2
apache2-mpm-prefork - traditional model for Apache2
apache2-mpm-worker - high speed threaded model for Apache2
apache2-prefork-dev - development headers for apache2
apache2-threaded-dev - development headers for apache2
apache2-utils - utility programs for webservers
libapr0 - the Apache Portable Runtime
libapr0-dev - development headers for libapr
Closes: 299855 349416 374160 380182 381376
Changes:
apache2 (2.0.55-4.1) unstable; urgency=high
.
* Non-maintainer upload. Urgency set to high due to security fixes.
* Added '052_mod_rewrite_CVE-2006-3747' to fix the off-by-one bug in
mod_rewrite.
[CVE-2006-3747]. (Closes: #380182)
* Added '053_restore_prefix_fix' to allow rebuilding from source.
(Closes: #374160)
* Added '054_apr_sendfile' to allow building for Hurd.
(Closes: #349416)
* Added '055_expect_CVE-2006-3918' to fix XSS attack in Expect headers.
[CVE-2006-3918]. (Closes: #381376)
* Added bash-completion script from Guillaume Rousse.
(Closes: #299855)
Files:
223b02dffbc296dcf0855cae7d6f6859 1134 net optional apache2_2.0.55-4.1.dsc
34cac9f7ea8697a56ee130560f687af9 116470 net optional apache2_2.0.55-4.1.diff.gz
40c4f5ddc6e647fcc8abe4804903ead6 2123872 doc optional apache2-doc_2.0.55-4.1_all.deb
681dff30e6b08474e6d9b49fcaa7c568 807452 net optional apache2-common_2.0.55-4.1_i386.deb
ab6615b417ed4affe66389bbce800fe5 93222 net optional apache2-utils_2.0.55-4.1_i386.deb
2a48688e3b47de8c7a0a6185d608fbcb 211658 net optional apache2-mpm-worker_2.0.55-4.1_i386.deb
fdd54801157e6bd36ba68c77244596bf 212042 net optional apache2-mpm-perchild_2.0.55-4.1_i386.deb
513ca07e0b20fb6c01c8b7694e633c10 208356 net optional apache2-mpm-prefork_2.0.55-4.1_i386.deb
51aa0db7789049d0235a76847f9bae4d 170694 devel optional apache2-prefork-dev_2.0.55-4.1_i386.deb
101040cfbdab20d7905c4b2715dc145c 171446 devel optional apache2-threaded-dev_2.0.55-4.1_i386.deb
8903bed1cae49fd6cbdbb257529e3bf5 137450 net optional libapr0_2.0.55-4.1_i386.deb
f52a39811ae1212260eb2f2011135291 266536 libdevel optional libapr0-dev_2.0.55-4.1_i386.deb
83ef811301c7bfe380ae939a3a73cf72 35604 web optional apache2_2.0.55-4.1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFE1RIKwM/Gs81MDZ0RAm6OAJ989piJWwpIaxKGfohSvyaxI0KsfwCeLThA
k8Ldo9vjUYbm86AnH4D2Doo=
=+WoX
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 18:56:18 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 17:20:33 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.