Bug#453783: marked as done (apache2: CVE-2007-4465)

From: Debian Bug Tracking System <owner(at)bugs.debian.org>
Date: Thu Jan 31 2008 - 03:06:06 EST

Your message dated Thu, 31 Jan 2008 07:52:14 +0000 with message-id <E1JKUDW-00083f-Oj@ries.debian.org> and subject line Bug#453783: fixed in apache2 2.2.3-4+etch4 has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator (administrator, Debian Bugs database)

attached mail follows:

---

Package: apache2
Severity: grave
Justification: user security hole

Seems to me that Debian (sarge or etch or even sid) apache packages are not yet patched against

  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4465   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465

Seems to me that the obvious workarounds of turning Indexes off or having an index.html everywhere, protects just fine; and wonder why Apache does not say so.

Cheers,

Paul Szabo psz(at)maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia

• System Information: Debian Release: 3.1 Architecture: i386 (i686) Kernel: Linux 2.6.8-spm1.11 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

  attached mail follows:

  ---

Source: apache2
Source-Version: 2.2.3-4+etch4

We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive:

apache2-doc_2.2.3-4+etch4_all.deb
  to pool/main/a/apache2/apache2-doc_2.2.3-4+etch4_all.deb apache2-mpm-event_2.2.3-4+etch4_i386.deb   to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch4_i386.deb apache2-mpm-perchild_2.2.3-4+etch4_all.deb   to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch4_all.deb apache2-mpm-prefork_2.2.3-4+etch4_i386.deb   to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch4_i386.deb apache2-mpm-worker_2.2.3-4+etch4_i386.deb   to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch4_i386.deb apache2-prefork-dev_2.2.3-4+etch4_i386.deb   to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch4_i386.deb apache2-src_2.2.3-4+etch4_all.deb
  to pool/main/a/apache2/apache2-src_2.2.3-4+etch4_all.deb apache2-threaded-dev_2.2.3-4+etch4_i386.deb   to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch4_i386.deb apache2-utils_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.3-4+etch4_i386.deb apache2.2-common_2.2.3-4+etch4_i386.deb
  to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch4_i386.deb apache2_2.2.3-4+etch4.diff.gz
  to pool/main/a/apache2/apache2_2.2.3-4+etch4.diff.gz apache2_2.2.3-4+etch4.dsc
  to pool/main/a/apache2/apache2_2.2.3-4+etch4.dsc apache2_2.2.3-4+etch4_all.deb
  to pool/main/a/apache2/apache2_2.2.3-4+etch4_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 453783@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 27 Jan 2008 19:05:30 +0100
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2.2-common apache2-mpm-worker apache2-src apache2-threaded-dev apache2-mpm-perchild Architecture: source all i386
Version: 2.2.3-4+etch4
Distribution: stable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org> Changed-By: Stefan Fritsch <sf@debian.org> Description:
 apache2 - Next generation, scalable, extendable web server

 apache2-doc - documentation for apache2
 apache2-mpm-event - Event driven model for Apache HTTPD 2.1
 apache2-mpm-perchild - Transitional package - please remove
 apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
 apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1
 apache2-prefork-dev - development headers for apache2
 apache2-src - Apache source code
 apache2-threaded-dev - development headers for apache2
 apache2-utils - utility programs for webservers

 apache2.2-common - Next generation, scalable, extendable web server Closes: 399776 421557 453630 453783
Changes:
 apache2 (2.2.3-4+etch4) stable; urgency=low  .

• Fix various cross site scripting vulnerabilities with browsers that do not conform to RFC 2616: Apache now adds explicit ContentType and Charset headers to the output of various modules, even if AddDefaultCharset is commented out. This includes directory indexes generated by mod_autoindex and mod_proxy_ftp, which are now marked as iso-8859-1 by default. (CVE-2007-4465, CVE-2008-0005, closes: #453783) To allow to specify the character set for the directory indexes, the Charset and Type IndexOptions and the ProxyFtpDirCharset directive have been backported from 2.2.8. If you use mod_autoindex and use UTF-8 for your filenames, you should add Charset=UTF-8 to the IndexOptions line in /etc/apache2/apache2.conf . If you use mod_proxy_ftp, the default charset can be set with the ProxyFtpDirCharset directive in /etc/apache2/mods-available/proxy.conf . ProxyFtpDirCharset can also be used inside <Proxy ...> </Proxy> blocks to set the charset for specific servers.
• Reduce memory usage of chunk filter and ap_rwrite/ap_rflush (Closes: #399776, #421557)
• More minor security fixes:
  • XSS in mod_imagemap (CVE-2007-5000)
  • XSS in mod_proxy_balancer's balancer manager (CVE-2007-6421)
  • XSS in HTTP method in 413 error message (CVE-2007-6203)
  • possible crash in mod_proxy_balancer's balancer manager (CVE-2007-6422)
• Fix mod_proxy_balancer configuration file parsing (closes: #453630).
• Don't ship NEWS.Debian with apache2-utils as it affects only the server. Remove bogus reference to 2.2.3-5 from README.Debian, and add note about MSIE SSL workaround. Files: 7a9f7cae5c4368048798889955526454 1068 web optional apache2_2.2.3-4+etch4.dsc 968d61aa99c002e26f9716ba30668311 119551 web optional apache2_2.2.3-4+etch4.diff.gz c653dbf159be545ea5f4150349432702 963826 web optional apache2.2-common_2.2.3-4+etch4_i386.deb fcee959fa33420648a00c70127022974 423734 web optional apache2-mpm-worker_2.2.3-4+etch4_i386.deb ab752e1733e8d807ef6e6f070942e892 419912 web optional apache2-mpm-prefork_2.2.3-4+etch4_i386.deb 266d8e5f5f43d8ea1ed5eddd793e283a 424260 web optional apache2-mpm-event_2.2.3-4+etch4_i386.deb 02d5d921ff18d6f669baa75978cfaabb 341652 web optional apache2-utils_2.2.3-4+etch4_i386.deb d5505286937f678397f6c3e8cc734a43 408130 devel optional apache2-prefork-dev_2.2.3-4+etch4_i386.deb 83cd44960ce9e8fef3d205b81c25ed30 408814 devel optional apache2-threaded-dev_2.2.3-4+etch4_i386.deb e36c2d1d3f3672e737714b11a5b4267a 274740 web optional apache2-mpm-perchild_2.2.3-4+etch4_all.deb c751eb38da32683f6402cce6bf9c52be 41442 web optional apache2_2.2.3-4+etch4_all.deb a336153800f26c8875170b20de281fc7 2209280 doc optional apache2-doc_2.2.3-4+etch4_all.deb f84520523c20161149c508f00752767a 6615728 devel extra apache2-src_2.2.3-4+etch4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHnMzMbxelr8HyTqQRAnz9AJ0fo83STQrPCTqt3uAhr6PTJ59xzgCgna8l 3VZD992mATegUXxekL6UmEw=
=p49f
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to debian-apache-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Received on Thu Jan 31 03:07:49 2008