Greetings, It seems there is a discrepancy in the Fixed Version displayed on:
http://security-tracker.debian.org/tracker/CVE-2012-0053 For the squeeze release (2.2.16-6+squeeze6) as it contradicts the changelog: http://release.debian.org/proposed-updates/stable_diffs/apache2_2.2.16-6+squeeze6.debdiff The changelog states this was fixed in squeeze - 2.2.16-6+squeeze5 + * Prevent unintended pattern expansion in some reverse proxy + configurations by strictly validating the request-URI. Fixes + CVE-2011-3368, CVE-2011-3639, CVE-2011-4317. + * CVE-2011-3607: Fix integer overflow in ap_pregsub(), which allowed local + privilege escalation. + * CVE-2012-0031: Fix client process being able to crash parent process + during shutdown. + * CVE-2012-0053: Fix an issue in code 400 error responses that could expose + "httpOnly" cookies. Please advise which version of squeeze this was addressed in. I thank you kindly for your time. Have a great day and weekend! Best regards, Ryan M. Gumbiner Support Analyst Trustwave ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
