Your message dated Tue, 10 Sep 2013 13:44:50 +0200
with message-id <[email protected]>
and subject line Re: Bug#722333: Acknowledgement (apache2 - CVE-2013-1862 -
mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server)
has caused the Debian Bug report #722333,
regarding apache2 - CVE-2013-1862 - mod_rewrite.c in the mod_rewrite module in
the Apache HTTP Server
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
722333: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=722333
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apache2
Version: 2.2.16-6+squeeze10
Severity: important
Hi,
apache.org released a security update for CVE-2013-1862, which has been
marked as "security impact is unimportant" in security-tracker.d.n.
Please provide an updated package for oldstable and stable via
oldstable-proposed-updates and proposed-updates.
Thanks
Martin
--
Martin Zobel-Helas
Team Lead, Operations
Tel.: +49 (2161) 4643-196
Fax: +49 (2161) 4643-100
Email: [email protected]
pgp fingerprint 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B
credativ GmbH, HRB Mönchengladbach 12080
VAT ID number: DE204566209
Hohenzollernstr. 133, 41061 Mönchengladbach
Managing Directors: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
Index: CHANGES
===================================================================
--- CHANGES (revision 1469310)
+++ CHANGES (working copy)
@@ -1,8 +1,11 @@
-*- coding: utf-8 -*-
Changes with Apache 2.2.25
+ *) SECURITY: CVE-2013-1862 (cve.mitre.org)
+ mod_rewrite: Ensure that client data written to the RewriteLog is
+ escaped to prevent terminal escape sequences from entering the
+ log file. [Joe Orton]
-
Changes with Apache 2.2.24
*) SECURITY: CVE-2012-3499 (cve.mitre.org)
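Review bot: The new 2.2.25 entry in CHANGES does not tell operators that the RewriteLog output itself changes. Suggest adding a sentence that the remote host, remote logname, user, server name and message text are now passed through ap_escape_logitem, so anyone who parses the RewriteLog with scripts knows to expect escaped bytes in those fields after upgrading.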
Index: modules/mappers/mod_rewrite.c
===================================================================
--- modules/mappers/mod_rewrite.c (revision 1469310)
+++ modules/mappers/mod_rewrite.c (working copy)
@@ -500,11 +500,11 @@
logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] "
"(%d) %s%s%s%s" APR_EOL_STR,
- rhost ? rhost : "UNKNOWN-HOST",
- rname ? rname : "-",
- r->user ? (*r->user ? r->user : "\"\"") : "-",
+ rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST",
+ rname ? ap_escape_logitem(r->pool, rname) : "-",
+ r->user ? (*r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-",
current_logtime(r),
- ap_get_server_name(r),
+ ap_escape_logitem(r->pool, ap_get_server_name(r)),
(void *)(r->server),
(void *)r,
r->main ? "subreq" : "initial",
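Review bot: Nothing at the apr_psprintf call in this hunk records why rhost, rname, r->user and the ap_get_server_name(r) result are wrapped in ap_escape_logitem while current_logtime(r) and the pointer arguments are not. A short comment above the call stating that every string argument that can carry client-supplied bytes must be escaped would keep a later addition to the format string from reintroducing the problem. It would also help to note there that the empty-user case is still logged as the literal "\"\"" and is intentionally left unescaped.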
@@ -514,7 +514,7 @@
perdir ? "[perdir " : "",
perdir ? perdir : "",
perdir ? "] ": "",
- text);
+ ap_escape_logitem(r->pool, text));
nbytes = strlen(logline);
apr_file_write(conf->rewritelogfp, logline, &nbytes);
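Review bot: In this second mod_rewrite.c hunk, text is now escaped but perdir is still written as-is through `perdir ? perdir : ""`. If perdir can only ever come from server configuration, say so in a comment next to it; otherwise wrap it in ap_escape_logitem(r->pool, perdir) as well, so that every string argument reaching the log line is handled the same way.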
--- End Message ---
--- Begin Message ---
Version: 2.2.25
This bug only affects oldstable and stable.
--
Martin Zobel-Helas
--- End Message ---