Bug#453783: apache2: CVE-2007-4465

Dear Stefan,

> This is actually a bug in MSIE, see CVE-2006-5152.

Not a bug in IE only, I have a demo that exploits it under Firefox. (In fact my demo does not seem to work for IE, yet...)

Not really related to CVE-2006-5152. In fact that is a non-issue: the CVE references my posts, but fails to reference my retraction http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049828.html

> ... no plan to backport ... it is of low impact.

I do not think that XSS and cookie theft (thus access to all data protected by web login) is of low impact.

> ... setting AddDefaultCharset also protects from the issue.
> AddDefaultCharset is on in the default configurations ...

Thanks for that other workaround: yes it seems to protect my machines. Now I am puzzled why AddDefaultCharset was commented out in my configs. Still puzzled why Apache did not mention these workarounds.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

Cheers,

Paul Szabo psz(at)maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia

-- 
To UNSUBSCRIBE, email to debian-apache-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org