Bug#453783: marked as done (apache2: CVE-2007-4465)

Your message dated Sat, 16 Feb 2008 12:17:00 +0000 with message-id <E1JQLyW-0000FM-VV@ries.debian.org> and subject line Bug#453783: fixed in apache2 2.2.3-4+etch4 has caused the Debian Bug report #453783, regarding apache2: CVE-2007-4465
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

-- 
453783: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=453783
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

attached mail follows:

Package: apache2 Severity: grave Justification: user security hole Seems to me that Debian (sarge or etch or even sid) apache packages are not yet patched against http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4465 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465 Seems to me that the obvious workarounds of turning Indexes off or having an index.html everywhere, protects just fine; and wonder why Apache does not say so. Cheers, Paul Szabo psz(at)maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia -- System Information: Debian Release: 3.1 Architecture: i386 (i686) Kernel: Linux 2.6.8-spm1.11 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

attached mail follows:

Source: apache2 Source-Version: 2.2.3-4+etch4 We believe that the bug you reported is fixed in the latest version of apache2, which is due to be installed in the Debian FTP archive: apache2-doc_2.2.3-4+etch4_all.deb to pool/main/a/apache2/apache2-doc_2.2.3-4+etch4_all.deb apache2-mpm-event_2.2.3-4+etch4_i386.deb to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch4_i386.deb apache2-mpm-perchild_2.2.3-4+etch4_all.deb to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch4_all.deb apache2-mpm-prefork_2.2.3-4+etch4_i386.deb to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch4_i386.deb apache2-mpm-worker_2.2.3-4+etch4_i386.deb to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch4_i386.deb apache2-prefork-dev_2.2.3-4+etch4_i386.deb to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch4_i386.deb apache2-src_2.2.3-4+etch4_all.deb to pool/main/a/apache2/apache2-src_2.2.3-4+etch4_all.deb apache2-threaded-dev_2.2.3-4+etch4_i386.deb to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch4_i386.deb apache2-utils_2.2.3-4+etch4_i386.deb to pool/main/a/apache2/apache2-utils_2.2.3-4+etch4_i386.deb apache2.2-common_2.2.3-4+etch4_i386.deb to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch4_i386.deb apache2_2.2.3-4+etch4.diff.gz to pool/main/a/apache2/apache2_2.2.3-4+etch4.diff.gz apache2_2.2.3-4+etch4.dsc to pool/main/a/apache2/apache2_2.2.3-4+etch4.dsc apache2_2.2.3-4+etch4_all.deb to pool/main/a/apache2/apache2_2.2.3-4+etch4_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 453783@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Sun, 27 Jan 2008 19:05:30 +0100 Source: apache2 Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2.2-common apache2-mpm-worker apache2-src apache2-threaded-dev apache2-mpm-perchild Architecture: source all i386 Version: 2.2.3-4+etch4 Distribution: stable Urgency: low Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org> Changed-By: Stefan Fritsch <sf@debian.org> Description: apache2 - Next generation, scalable, extendable web server apache2-doc - documentation for apache2 apache2-mpm-event - Event driven model for Apache HTTPD 2.1 apache2-mpm-perchild - Transitional package - please remove apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1 apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1 apache2-prefork-dev - development headers for apache2 apache2-src - Apache source code apache2-threaded-dev - development headers for apache2 apache2-utils - utility programs for webservers apache2.2-common - Next generation, scalable, extendable web server Closes: 399776 421557 453630 453783 Changes: apache2 (2.2.3-4+etch4) stable; urgency=low .
* Fix various cross site scripting vulnerabilities with browsers that do not
conform to RFC 2616: Apache now adds explicit ContentType and Charset headers to the output of various modules, even if AddDefaultCharset is commented out. This includes directory indexes generated by mod_autoindex and mod_proxy_ftp, which are now marked as iso-8859-1 by default. (CVE-2007-4465, CVE-2008-0005, closes: #453783) To allow to specify the character set for the directory indexes, the Charset and Type IndexOptions and the ProxyFtpDirCharset directive have been backported from 2.2.8. If you use mod_autoindex and use UTF-8 for your filenames, you should add Charset=UTF-8 to the IndexOptions line in /etc/apache2/apache2.conf . If you use mod_proxy_ftp, the default charset can be set with the ProxyFtpDirCharset directive in /etc/apache2/mods-available/proxy.conf . ProxyFtpDirCharset can also be used inside <Proxy ...> </Proxy> blocks to set the charset for specific servers.
* Reduce memory usage of chunk filter and ap_rwrite/ap_rflush
(Closes: #399776, #421557)
* More minor security fixes:
- XSS in mod_imagemap (CVE-2007-5000) - XSS in mod_proxy_balancer's balancer manager (CVE-2007-6421) - XSS in HTTP method in 413 error message (CVE-2007-6203) - possible crash in mod_proxy_balancer's balancer manager (CVE-2007-6422)
* Fix mod_proxy_balancer configuration file parsing (closes: #453630).
* Don't ship NEWS.Debian with apache2-utils as it affects only the server.
Remove bogus reference to 2.2.3-5 from README.Debian, and add note about MSIE SSL workaround. Files: 7a9f7cae5c4368048798889955526454 1068 web optional apache2_2.2.3-4+etch4.dsc 968d61aa99c002e26f9716ba30668311 119551 web optional apache2_2.2.3-4+etch4.diff.gz c653dbf159be545ea5f4150349432702 963826 web optional apache2.2-common_2.2.3-4+etch4_i386.deb fcee959fa33420648a00c70127022974 423734 web optional apache2-mpm-worker_2.2.3-4+etch4_i386.deb ab752e1733e8d807ef6e6f070942e892 419912 web optional apache2-mpm-prefork_2.2.3-4+etch4_i386.deb 266d8e5f5f43d8ea1ed5eddd793e283a 424260 web optional apache2-mpm-event_2.2.3-4+etch4_i386.deb 02d5d921ff18d6f669baa75978cfaabb 341652 web optional apache2-utils_2.2.3-4+etch4_i386.deb d5505286937f678397f6c3e8cc734a43 408130 devel optional apache2-prefork-dev_2.2.3-4+etch4_i386.deb 83cd44960ce9e8fef3d205b81c25ed30 408814 devel optional apache2-threaded-dev_2.2.3-4+etch4_i386.deb e36c2d1d3f3672e737714b11a5b4267a 274740 web optional apache2-mpm-perchild_2.2.3-4+etch4_all.deb c751eb38da32683f6402cce6bf9c52be 41442 web optional apache2_2.2.3-4+etch4_all.deb a336153800f26c8875170b20de281fc7 2209280 doc optional apache2-doc_2.2.3-4+etch4_all.deb f84520523c20161149c508f00752767a 6615728 devel extra apache2-src_2.2.3-4+etch4_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHnMzMbxelr8HyTqQRAnz9AJ0fo83STQrPCTqt3uAhr6PTJ59xzgCgna8l 3VZD992mATegUXxekL6UmEw= =p49f -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to debian-apache-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org Received on Sat Feb 16 08:20:40 2008

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek