Debian Bug report logs -
#453783
apache2: CVE-2007-4465
Reported by: Paul Szabo <psz@maths.usyd.edu.au>
Date: Sat, 1 Dec 2007 08:39:01 UTC
Severity: important
Tags: etch, security
Found in version apache2/2.2.3-4
Fixed in versions apache2/2.2.6-1, apache2/2.2.3-4+etch4
Done: Stefan Fritsch <sf@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>
:
Bug#453783
; Package apache2
.
(full text, mbox, link).
Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>
:
New Bug report received and forwarded. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: apache2
Severity: grave
Justification: user security hole
Seems to me that Debian (sarge or etch or even sid) apache packages are
not yet patched against
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
Seems to me that the obvious workarounds of turning Indexes off or
having an index.html everywhere, protects just fine; and wonder why
Apache does not say so.
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm1.11
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>
:
Bug#453783
; Package apache2
.
(full text, mbox, link).
Acknowledgement sent to 453783@bugs.debian.org, sf@sfritsch.de
:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>
.
(full text, mbox, link).
Message #10 received at 453783@bugs.debian.org (full text, mbox, reply):
severity 453783 normal
tags 453783 security
found 453783 2.2.3-4
fixed 453783 2.2.6-1
thanks
Hi,
On Saturday 01 December 2007, Paul Szabo wrote:
> Seems to me that Debian (sarge or etch or even sid) apache packages
> are not yet patched against
>
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4465
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
>
> Seems to me that the obvious workarounds of turning Indexes off or
> having an index.html everywhere, protects just fine; and wonder why
> Apache does not say so.
This is actually a bug in MSIE, see CVE-2006-5152. Sid and lenny have
the workaround, but there is currently no plan to backport it to
sarge and etch (as it is of low impact).
Besides switching directory indexes of, setting AddDefaultCharset also
protects from the issue. AddDefaultCharset is on in the default
configurations in sarge and etch.
Cheers,
Stefan
Severity set to `normal' from `grave'
Request was from Stefan Fritsch <sf@sfritsch.de>
to control@bugs.debian.org
.
(Sat, 01 Dec 2007 09:42:14 GMT) (full text, mbox, link).
Tags added: security
Request was from Stefan Fritsch <sf@sfritsch.de>
to control@bugs.debian.org
.
(Sat, 01 Dec 2007 09:42:15 GMT) (full text, mbox, link).
Bug marked as found in version 2.2.3-4.
Request was from Stefan Fritsch <sf@sfritsch.de>
to control@bugs.debian.org
.
(Sat, 01 Dec 2007 09:42:16 GMT) (full text, mbox, link).
Bug marked as fixed in version 2.2.6-1.
Request was from Stefan Fritsch <sf@sfritsch.de>
to control@bugs.debian.org
.
(Sat, 01 Dec 2007 09:42:16 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>
:
Bug#453783
; Package apache2
.
(full text, mbox, link).
Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>
:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>
.
(full text, mbox, link).
Message #23 received at 453783@bugs.debian.org (full text, mbox, reply):
Dear Stefan,
> This is actually a bug in MSIE, see CVE-2006-5152.
Not a bug in IE only, I have a demo that exploits it under Firefox.
(In fact my demo does not seem to work for IE, yet...)
Not really related to CVE-2006-5152. In fact that is a non-issue: the
CVE references my posts, but fails to reference my retraction
http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049828.html
> ... no plan to backport ... it is of low impact.
I do not think that XSS and cookie theft (thus access to all data
protected by web login) is of low impact.
> ... setting AddDefaultCharset also protects from the issue.
> AddDefaultCharset is on in the default configurations ...
Thanks for that other workaround: yes it seems to protect my machines.
Now I am puzzled why AddDefaultCharset was commented out in my configs.
Still puzzled why Apache did not mention these workarounds.
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>
:
Bug#453783
; Package apache2
.
(full text, mbox, link).
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>
:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>
.
(full text, mbox, link).
Message #28 received at 453783@bugs.debian.org (full text, mbox, reply):
Hi Paul,
On Saturday 01 December 2007, you wrote:
> > This is actually a bug in MSIE, see CVE-2006-5152.
>
> Not a bug in IE only, I have a demo that exploits it under Firefox.
> (In fact my demo does not seem to work for IE, yet...)
If you can exploit that with Firefox, Firefox should be fixed. Can you
give more details? I would be very interested.
> Not really related to CVE-2006-5152. In fact that is a non-issue:
> the CVE references my posts, but fails to reference my retraction
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049
>828.html
Any broswer that interprets ascii as utf7 without being told to do so
is severely buggy. And CVE-2006-5152 is about MSIE, not about Apache.
Your retraction was about Apache.
> > ... no plan to backport ... it is of low impact.
>
> I do not think that XSS and cookie theft (thus access to all data
> protected by web login) is of low impact.
If it affects only one buggy browser, it's low impact. And since the
patch for the workaround is not that small (and is changing default
behaviour and is adding a new config directive), I didn't want to
backport it to stable. If it affects more browsers, I might
reconsider.
> > ... setting AddDefaultCharset also protects from the issue.
> > AddDefaultCharset is on in the default configurations ...
>
> Thanks for that other workaround: yes it seems to protect my
> machines. Now I am puzzled why AddDefaultCharset was commented out
> in my configs. Still puzzled why Apache did not mention these
> workarounds.
AddDefaultCharset has some often unwanted side effects. It overrides
the charset in meta http-equiv tags. See
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=397886
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=415775
It is not the default anymore in lenny and sid.
Cheers,
Stefan
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>
:
Bug#453783
; Package apache2
.
(full text, mbox, link).
Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>
:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>
.
(full text, mbox, link).
Message #33 received at 453783@bugs.debian.org (full text, mbox, reply):
Dear Stefan,
> If you can exploit that with Firefox, Firefox should be fixed. Can you
> give more details? I would be very interested.
Will do, offline (because it affects the main web login site of my Uni).
Essentially, I found that Firefox will inherit the charset of the parent
page, when that had been selected manually (does not inherit the charset
specified in headers or meta). I guess this is a "new" bug in Firefox,
maybe they should be told...
> Any broswer that interprets ascii as utf7 without being told to do so
> is severely buggy. And CVE-2006-5152 is about MSIE, not about Apache.
> Your retraction was about Apache.
So IE "encoding autoselect" is severely buggy: I almost agree.
Whatever people think CVE-2006-5152 is about, I meant my posts to be
about Apache. (No use trying to get MS to fix IE.)
> If it affects only one buggy browser, it's low impact. ...
If that buggy browser is IE, used by 90% of the (deluded) population,
then is it not low impact.
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>
:
Bug#453783
; Package apache2
.
(full text, mbox, link).
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>
:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>
.
(full text, mbox, link).
Message #38 received at 453783@bugs.debian.org (full text, mbox, reply):
Dear Paul,
thanks for the information.
On Saturday 01 December 2007, you wrote:
> > If you can exploit that with Firefox, Firefox should be fixed.
> > Can you give more details? I would be very interested.
>
> Will do, offline (because it affects the main web login site of my
> Uni). Essentially, I found that Firefox will inherit the charset of
> the parent page, when that had been selected manually (does not
> inherit the charset specified in headers or meta). I guess this is
> a "new" bug in Firefox, maybe they should be told...
This would require some social engineering but could probably be
exploited in some cases. I think reporting it to the Firefox bugzilla
would be a good idea.
> > If it affects only one buggy browser, it's low impact. ...
>
> If that buggy browser is IE, used by 90% of the (deluded)
> population, then is it not low impact.
I have commited the patch to our SVN repository for etch. It will
probably be released with etch r3 (or maybe r2, if that is delayed
further). I still do not think it is important enough for a security
advisory.
Cheers,
Stefan
Severity set to `important' from `normal'
Request was from Stefan Fritsch <sf@debian.org>
to control@bugs.debian.org
.
(Tue, 04 Dec 2007 22:03:47 GMT) (full text, mbox, link).
Tags added: pending, etch
Request was from Stefan Fritsch <sf@debian.org>
to control@bugs.debian.org
.
(Tue, 04 Dec 2007 22:03:48 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>
:
Bug#453783
; Package apache2
.
(full text, mbox, link).
Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>
:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>
.
(full text, mbox, link).
Message #47 received at 453783@bugs.debian.org (full text, mbox, reply):
Dear Stefan,
> ... I think reporting it to the Firefox bugzilla would be a good idea.
Had done so:
https://bugzilla.mozilla.org/show_bug.cgi?id=406777
https://bugzilla.mozilla.org/show_bug.cgi?id=356280
>>> If it affects only one buggy browser, it's low impact. ...
>> If that buggy browser is IE ...
> ... I still do not think it is important enough for a security
> advisory.
So far I failed in producing an exploit for IE... even though that is
expected/reported to be easy! (The Firefox bug "trumps" any fix you may
make.)
Thanks,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>
:
Bug#453783
; Package apache2
.
(full text, mbox, link).
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>
:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>
.
(full text, mbox, link).
Message #52 received at 453783@bugs.debian.org (full text, mbox, reply):
Just for completeness:
On Tuesday 04 December 2007, Paul Szabo wrote:
> > ... I think reporting it to the Firefox bugzilla would be a good
> > idea.
>
> Had done so:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=406777
> https://bugzilla.mozilla.org/show_bug.cgi?id=356280
Reply sent to Stefan Fritsch <sf@debian.org>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Paul Szabo <psz@maths.usyd.edu.au>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #57 received at 453783-close@bugs.debian.org (full text, mbox, reply):
Source: apache2
Source-Version: 2.2.3-4+etch4
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:
apache2-doc_2.2.3-4+etch4_all.deb
to pool/main/a/apache2/apache2-doc_2.2.3-4+etch4_all.deb
apache2-mpm-event_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch4_i386.deb
apache2-mpm-perchild_2.2.3-4+etch4_all.deb
to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch4_all.deb
apache2-mpm-prefork_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch4_i386.deb
apache2-mpm-worker_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch4_i386.deb
apache2-prefork-dev_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch4_i386.deb
apache2-src_2.2.3-4+etch4_all.deb
to pool/main/a/apache2/apache2-src_2.2.3-4+etch4_all.deb
apache2-threaded-dev_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch4_i386.deb
apache2-utils_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-utils_2.2.3-4+etch4_i386.deb
apache2.2-common_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch4_i386.deb
apache2_2.2.3-4+etch4.diff.gz
to pool/main/a/apache2/apache2_2.2.3-4+etch4.diff.gz
apache2_2.2.3-4+etch4.dsc
to pool/main/a/apache2/apache2_2.2.3-4+etch4.dsc
apache2_2.2.3-4+etch4_all.deb
to pool/main/a/apache2/apache2_2.2.3-4+etch4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 453783@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 27 Jan 2008 19:05:30 +0100
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2.2-common apache2-mpm-worker apache2-src apache2-threaded-dev apache2-mpm-perchild
Architecture: source all i386
Version: 2.2.3-4+etch4
Distribution: stable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
apache2 - Next generation, scalable, extendable web server
apache2-doc - documentation for apache2
apache2-mpm-event - Event driven model for Apache HTTPD 2.1
apache2-mpm-perchild - Transitional package - please remove
apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1
apache2-prefork-dev - development headers for apache2
apache2-src - Apache source code
apache2-threaded-dev - development headers for apache2
apache2-utils - utility programs for webservers
apache2.2-common - Next generation, scalable, extendable web server
Closes: 399776 421557 453630 453783
Changes:
apache2 (2.2.3-4+etch4) stable; urgency=low
.
* Fix various cross site scripting vulnerabilities with browsers that do not
conform to RFC 2616: Apache now adds explicit ContentType and Charset
headers to the output of various modules, even if AddDefaultCharset is
commented out. This includes directory indexes generated by mod_autoindex
and mod_proxy_ftp, which are now marked as iso-8859-1 by default.
(CVE-2007-4465, CVE-2008-0005, closes: #453783)
To allow to specify the character set for the directory indexes, the
Charset and Type IndexOptions and the ProxyFtpDirCharset directive have
been backported from 2.2.8.
If you use mod_autoindex and use UTF-8 for your filenames, you should add
Charset=UTF-8 to the IndexOptions line in /etc/apache2/apache2.conf .
If you use mod_proxy_ftp, the default charset can be set with the
ProxyFtpDirCharset directive in /etc/apache2/mods-available/proxy.conf .
ProxyFtpDirCharset can also be used inside <Proxy ...> </Proxy> blocks to
set the charset for specific servers.
* Reduce memory usage of chunk filter and ap_rwrite/ap_rflush
(Closes: #399776, #421557)
* More minor security fixes:
- XSS in mod_imagemap (CVE-2007-5000)
- XSS in mod_proxy_balancer's balancer manager (CVE-2007-6421)
- XSS in HTTP method in 413 error message (CVE-2007-6203)
- possible crash in mod_proxy_balancer's balancer manager (CVE-2007-6422)
* Fix mod_proxy_balancer configuration file parsing (closes: #453630).
* Don't ship NEWS.Debian with apache2-utils as it affects only the server.
Remove bogus reference to 2.2.3-5 from README.Debian, and add note about
MSIE SSL workaround.
Files:
7a9f7cae5c4368048798889955526454 1068 web optional apache2_2.2.3-4+etch4.dsc
968d61aa99c002e26f9716ba30668311 119551 web optional apache2_2.2.3-4+etch4.diff.gz
c653dbf159be545ea5f4150349432702 963826 web optional apache2.2-common_2.2.3-4+etch4_i386.deb
fcee959fa33420648a00c70127022974 423734 web optional apache2-mpm-worker_2.2.3-4+etch4_i386.deb
ab752e1733e8d807ef6e6f070942e892 419912 web optional apache2-mpm-prefork_2.2.3-4+etch4_i386.deb
266d8e5f5f43d8ea1ed5eddd793e283a 424260 web optional apache2-mpm-event_2.2.3-4+etch4_i386.deb
02d5d921ff18d6f669baa75978cfaabb 341652 web optional apache2-utils_2.2.3-4+etch4_i386.deb
d5505286937f678397f6c3e8cc734a43 408130 devel optional apache2-prefork-dev_2.2.3-4+etch4_i386.deb
83cd44960ce9e8fef3d205b81c25ed30 408814 devel optional apache2-threaded-dev_2.2.3-4+etch4_i386.deb
e36c2d1d3f3672e737714b11a5b4267a 274740 web optional apache2-mpm-perchild_2.2.3-4+etch4_all.deb
c751eb38da32683f6402cce6bf9c52be 41442 web optional apache2_2.2.3-4+etch4_all.deb
a336153800f26c8875170b20de281fc7 2209280 doc optional apache2-doc_2.2.3-4+etch4_all.deb
f84520523c20161149c508f00752767a 6615728 devel extra apache2-src_2.2.3-4+etch4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHnMzMbxelr8HyTqQRAnz9AJ0fo83STQrPCTqt3uAhr6PTJ59xzgCgna8l
3VZD992mATegUXxekL6UmEw=
=p49f
-----END PGP SIGNATURE-----
Reply sent to Stefan Fritsch <sf@debian.org>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Paul Szabo <psz@maths.usyd.edu.au>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #62 received at 453783-close@bugs.debian.org (full text, mbox, reply):
Source: apache2
Source-Version: 2.2.3-4+etch4
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:
apache2-doc_2.2.3-4+etch4_all.deb
to pool/main/a/apache2/apache2-doc_2.2.3-4+etch4_all.deb
apache2-mpm-event_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch4_i386.deb
apache2-mpm-perchild_2.2.3-4+etch4_all.deb
to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch4_all.deb
apache2-mpm-prefork_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch4_i386.deb
apache2-mpm-worker_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch4_i386.deb
apache2-prefork-dev_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch4_i386.deb
apache2-src_2.2.3-4+etch4_all.deb
to pool/main/a/apache2/apache2-src_2.2.3-4+etch4_all.deb
apache2-threaded-dev_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch4_i386.deb
apache2-utils_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2-utils_2.2.3-4+etch4_i386.deb
apache2.2-common_2.2.3-4+etch4_i386.deb
to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch4_i386.deb
apache2_2.2.3-4+etch4.diff.gz
to pool/main/a/apache2/apache2_2.2.3-4+etch4.diff.gz
apache2_2.2.3-4+etch4.dsc
to pool/main/a/apache2/apache2_2.2.3-4+etch4.dsc
apache2_2.2.3-4+etch4_all.deb
to pool/main/a/apache2/apache2_2.2.3-4+etch4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 453783@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 27 Jan 2008 19:05:30 +0100
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2.2-common apache2-mpm-worker apache2-src apache2-threaded-dev apache2-mpm-perchild
Architecture: source all i386
Version: 2.2.3-4+etch4
Distribution: stable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
apache2 - Next generation, scalable, extendable web server
apache2-doc - documentation for apache2
apache2-mpm-event - Event driven model for Apache HTTPD 2.1
apache2-mpm-perchild - Transitional package - please remove
apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1
apache2-prefork-dev - development headers for apache2
apache2-src - Apache source code
apache2-threaded-dev - development headers for apache2
apache2-utils - utility programs for webservers
apache2.2-common - Next generation, scalable, extendable web server
Closes: 399776 421557 453630 453783
Changes:
apache2 (2.2.3-4+etch4) stable; urgency=low
.
* Fix various cross site scripting vulnerabilities with browsers that do not
conform to RFC 2616: Apache now adds explicit ContentType and Charset
headers to the output of various modules, even if AddDefaultCharset is
commented out. This includes directory indexes generated by mod_autoindex
and mod_proxy_ftp, which are now marked as iso-8859-1 by default.
(CVE-2007-4465, CVE-2008-0005, closes: #453783)
To allow to specify the character set for the directory indexes, the
Charset and Type IndexOptions and the ProxyFtpDirCharset directive have
been backported from 2.2.8.
If you use mod_autoindex and use UTF-8 for your filenames, you should add
Charset=UTF-8 to the IndexOptions line in /etc/apache2/apache2.conf .
If you use mod_proxy_ftp, the default charset can be set with the
ProxyFtpDirCharset directive in /etc/apache2/mods-available/proxy.conf .
ProxyFtpDirCharset can also be used inside <Proxy ...> </Proxy> blocks to
set the charset for specific servers.
* Reduce memory usage of chunk filter and ap_rwrite/ap_rflush
(Closes: #399776, #421557)
* More minor security fixes:
- XSS in mod_imagemap (CVE-2007-5000)
- XSS in mod_proxy_balancer's balancer manager (CVE-2007-6421)
- XSS in HTTP method in 413 error message (CVE-2007-6203)
- possible crash in mod_proxy_balancer's balancer manager (CVE-2007-6422)
* Fix mod_proxy_balancer configuration file parsing (closes: #453630).
* Don't ship NEWS.Debian with apache2-utils as it affects only the server.
Remove bogus reference to 2.2.3-5 from README.Debian, and add note about
MSIE SSL workaround.
Files:
7a9f7cae5c4368048798889955526454 1068 web optional apache2_2.2.3-4+etch4.dsc
968d61aa99c002e26f9716ba30668311 119551 web optional apache2_2.2.3-4+etch4.diff.gz
c653dbf159be545ea5f4150349432702 963826 web optional apache2.2-common_2.2.3-4+etch4_i386.deb
fcee959fa33420648a00c70127022974 423734 web optional apache2-mpm-worker_2.2.3-4+etch4_i386.deb
ab752e1733e8d807ef6e6f070942e892 419912 web optional apache2-mpm-prefork_2.2.3-4+etch4_i386.deb
266d8e5f5f43d8ea1ed5eddd793e283a 424260 web optional apache2-mpm-event_2.2.3-4+etch4_i386.deb
02d5d921ff18d6f669baa75978cfaabb 341652 web optional apache2-utils_2.2.3-4+etch4_i386.deb
d5505286937f678397f6c3e8cc734a43 408130 devel optional apache2-prefork-dev_2.2.3-4+etch4_i386.deb
83cd44960ce9e8fef3d205b81c25ed30 408814 devel optional apache2-threaded-dev_2.2.3-4+etch4_i386.deb
e36c2d1d3f3672e737714b11a5b4267a 274740 web optional apache2-mpm-perchild_2.2.3-4+etch4_all.deb
c751eb38da32683f6402cce6bf9c52be 41442 web optional apache2_2.2.3-4+etch4_all.deb
a336153800f26c8875170b20de281fc7 2209280 doc optional apache2-doc_2.2.3-4+etch4_all.deb
f84520523c20161149c508f00752767a 6615728 devel extra apache2-src_2.2.3-4+etch4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHnMzMbxelr8HyTqQRAnz9AJ0fo83STQrPCTqt3uAhr6PTJ59xzgCgna8l
3VZD992mATegUXxekL6UmEw=
=p49f
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Sun, 16 Mar 2008 07:35:08 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:56:49 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.