Greetings,
It seems there is a discrepancy in the Fixed Version displayed on:
http://security-tracker.debian.org/tracker/CVE-2012-0053
For the squeeze release (2.2.16-6+squeeze6) as it contradicts the changelog:
http://release.debian.org/proposed-updates/stable_diffs/apache2_2.2.16-6+squeeze6.debdiff
The changelog states this was fixed in squeeze - 2.2.16-6+squeeze5
+ * Prevent unintended pattern expansion in some reverse proxy
+configurations by strictly validating the request-URI. Fixes
+CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.
+ * CVE-2011-3607: Fix integer overflow in ap_pregsub(), which allowed local
+privilege escalation.
+ * CVE-2012-0031: Fix client process being able to crash parent process
+during shutdown.
+ * CVE-2012-0053: Fix an issue in code 400 error responses that could expose
+httpOnly cookies.
Please advise which version of squeeze this was addressed in. I thank you
kindly for your time. Have a great day and weekend!
Best regards,
Ryan M. Gumbiner
Support Analyst
Trustwave
This transmission may contain information that is privileged, confidential,
and/or exempt from disclosure under applicable law. If you are not the intended
recipient, you are hereby notified that any disclosure, copying, distribution,
or use of the information contained herein (including any reliance thereon) is
STRICTLY PROHIBITED. If you received this transmission in error, please
immediately contact the sender and destroy the material in its entirety,
whether in electronic or hard copy format.
