From a24567fbc43f221b14e805f9bc0b7c6d16911c46 Mon Sep 17 00:00:00 2001 From: Alex Legler Date: Sun, 8 Mar 2015 22:02:38 +0100 Subject: Import existing advisories --- glsa-200602-03.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 glsa-200602-03.xml (limited to 'glsa-200602-03.xml') diff --git a/glsa-200602-03.xml b/glsa-200602-03.xml new file mode 100644 index 00000000..01591086 --- /dev/null +++ b/glsa-200602-03.xml @@ -0,0 +1,101 @@ + + + + + + + Apache: Multiple vulnerabilities + + Apache can be exploited for cross-site scripting attacks and is vulnerable + to a Denial of Service attack. + + Apache + February 06, 2006 + December 30, 2007: 03 + 115324 + 118875 + remote + + + 2.0.55-r1 + 2.0.54-r16 + 1.3.34-r2 + 1.3.34-r11 + 1.3.37 + 2.0.55-r1 + + + +

+ The Apache HTTP server is one of the most popular web servers on the + Internet. mod_imap provides support for server-side image maps; mod_ssl + provides secure HTTP connections. +

+ + +

+ Apache's mod_imap fails to properly sanitize the "Referer" directive of + imagemaps in some cases, leaving the HTTP Referer header unescaped. A + flaw in mod_ssl can lead to a NULL pointer dereference if the site uses + a custom "Error 400" document. These vulnerabilities were reported by + Marc Cox and Hartmut Keil, respectively. +

+ + +

+ A remote attacker could exploit mod_imap to inject arbitrary HTML or + JavaScript into a user's browser to gather sensitive information. + Attackers could also cause a Denial of Service on hosts using the SSL + module (Apache 2.0.x only). +

+ + +

+ There is no known workaround at this time. +

+ + +

+ All Apache users should upgrade to the latest version, depending on + whether they still use the old configuration style + (/etc/apache/conf/*.conf) or the new one (/etc/apache2/httpd.conf). +

+

+ 2.0.x users, new style config: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/apache-2.0.55-r1" +

+ 2.0.x users, old style config: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "=www-servers/apache-2.0.54-r16" +

+ 1.x users, new style config: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "=www-servers/apache-1.3.34-r11" +

+ 1.x users, old style config: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose "=www-servers/apache-1.3.34-r2" + + + CVE-2005-3352 + CVE-2005-3357 + + + koon + + + frilled + + + jaervosz + + -- cgit v1.2.3-65-gdbad