
Bug#453783: apache2: CVE-2007-4465

From: Stefan Fritsch <sf(at)sfritsch.de>
Date: Sat Dec 01 2007 - 04:37:10 EST


severity 453783 normal
tags 453783 security
found 453783 2.2.3-4
fixed 453783 2.2.6-1
thanks

Hi,

On Saturday 01 December 2007, Paul Szabo wrote:
> Seems to me that Debian (sarge or etch or even sid) apache packages
> are not yet patched against
>
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4465
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
>
> Seems to me that the obvious workarounds of turning Indexes off or
> having an index.html everywhere, protects just fine; and wonder why
> Apache does not say so.

This is actually a bug in MSIE, see CVE-2006-5152. Sid and lenny have the workaround, but there is currently no plan to backport it to sarge and etch (as it is of low impact).

Besides switching directory indexes off, setting AddDefaultCharset also protects from the issue. AddDefaultCharset is on in the default configurations in sarge and etch.

Cheers,
Stefan

Received on Sat Dec 1 04:45:28 2007
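
The two workarounds named in the message above (directory indexes off, or AddDefaultCharset set) can be checked across a configuration with a short audit script. This is an added example, not part of the original post or of any Debian package; the function name `audit` and the sample paths are hypothetical. It assumes an unset `Options` enables Indexes (the Apache 2.2 default of `Options All`) and approximates inheritance by lexical nesting rather than Apache's per-path merging.

```python
# Constructed sample configuration, not taken from any Debian package.
SAMPLE_CONF = """\
AddDefaultCharset UTF-8
<Directory /var/www/>
    Options Indexes FollowSymLinks
</Directory>
<VirtualHost *:80>
    AddDefaultCharset Off
    <Directory /srv/files>
        Options +Indexes
    </Directory>
    <Directory /srv/app>
        Options -Indexes
    </Directory>
</VirtualHost>
"""
SCOPES = {"virtualhost", "directory", "directorymatch", "location", "files"}

def audit(conf_text, default_indexes=True):
    """List scopes where directory indexes are on and no default charset is set."""
    stack = [["(server)", default_indexes, False]]  # [label, indexes, charset]
    opened, findings = [], []  # opened: did each open section push a frame?
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if opened and opened.pop():  # IfModule etc. are transparent
                label, indexes, charset = stack.pop()
                if indexes and not charset:
                    findings.append(label)
        elif line.startswith("<"):
            name = line.strip("<>").strip()
            opened.append(name.partition(" ")[0].lower() in SCOPES)
            if opened[-1]:
                stack.append([f"{stack[-1][0]} > {name}", *stack[-1][1:]])
        else:
            key, *args = line.lower().split()
            if key == "options" and any(a[0] in "+-" for a in args):
                for a in args:  # relative form merges with the inherited set
                    if a in ("+indexes", "-indexes"):
                        stack[-1][1] = a[0] == "+"
            elif key == "options":  # absolute form replaces the inherited set
                stack[-1][1] = any(a in ("indexes", "all") for a in args)
            elif key == "adddefaultcharset" and args:
                stack[-1][2] = args[0] != "off"
    if stack[0][1] and not stack[0][2]:  # finally, the server-wide scope
        findings.append(stack[0][0])
    return findings
```

Each returned label is a scope that has neither workaround in effect; an empty list means every scope is covered by at least one of them.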

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 02:59:06 EDT

