Bug#349793: marked as done (apache-common: Cross-site scripting (XSS) vulnerability in the mod_imap module)

Debian Bug Tracking System Thu, 26 Jan 2006 10:57:15 -0800

Your message dated Thu, 26 Jan 2006 18:38:57 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#349793: apache-common: Cross-site scripting (XSS) 
vulnerability in the mod_imap module
has caused the attached Bug report to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 25 Jan 2006 10:07:17 +0000
>From [EMAIL PROTECTED] Wed Jan 25 02:07:17 2006
Return-path: <[EMAIL PROTECTED]>
Received: from mail.lobefin.net ([82.71.90.98])
        by spohr.debian.org with esmtp (Exim 4.50)
        id 1F1hYa-00073a-W6
        for [EMAIL PROTECTED]; Wed, 25 Jan 2006 02:07:17 -0800
Received: from lobefin.net
        ([82.71.90.97] helo=hadrian.lobefin.net ident=Debian-exim)
        by mail.lobefin.net with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
        (Exim 4.50)
        id 1F1hYV-0006A5-9W
        for [EMAIL PROTECTED]; Wed, 25 Jan 2006 10:07:11 +0000
Received: from steve by hadrian.lobefin.net with local (Exim 4.50)
        id 1F1hYZ-00077G-M9
        for [EMAIL PROTECTED]; Wed, 25 Jan 2006 10:07:15 +0000
Date: Wed, 25 Jan 2006 10:07:15 +0000
From: Stephen Gran <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: apache-common: Cross-site scripting (XSS) vulnerability in the 
mod_imap module
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="jI8keyz6grp/JLjh"
Content-Disposition: inline
X-Reportbug-Version: 3.8
X-Editor: VIM - Vi IMproved 6.3 
X-OS: Linux hadrian 2.6.8-2-686-smp i686
X-Uptime: 18:23
X-Latin: Hodie octavo Kalendas Februarias MMDCCLIX ab urbe condita est
X-Date: Today is Setting Orange, the 25th day of Chaos in the YOLD 3172
X-DDate: Only 2430851 Shopping Days Left Before X-Day. Wibble. 
X-Motto: debian/rules
User-Agent: Mutt/1.5.9i
X-Authenticated-Sender: steve
X-Scanned-By: ClamAV 0.88/1248 on mail.lobefin.net; Wed, 25 Jan 2006 10:07:11 
+0000
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02


--jI8keyz6grp/JLjh
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: apache-common
Version: 1.3.33-6sarge1
Severity: grave
Tags: security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2005-3352

Thanks,

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=3Den_US.ISO-8859-1, LC_CTYPE=3Den_US.ISO-8859-1 (charmap=3DISO=
-8859-1) (ignored: LC_ALL set to en_US.ISO-8859-1)

Versions of packages apache-common depends on:
ii  apache2-utils            2.0.54-5        utility programs for webservers
ii  debconf                  1.4.30.13       Debian configuration managemen=
t sy
ii  elinks [www-browser]     0.10.4-7        advanced text-mode WWW browser
ii  libc6                    2.3.2.ds1-22    GNU C Library: Shared librarie=
s an
ii  libdb4.2                 4.2.52-18       Berkeley v4.2 Database Librari=
es [
ii  libexpat1                1.95.8-3        XML parsing C library - runtim=
e li
ii  lynx [www-browser]       2.8.5-2sarge1   Text-mode WWW Browser
ii  mime-support             3.28-1          MIME files 'mime.types' & 'mai=
lcap
ii  mozilla-browser [www-bro 2:1.7.8-1sarge3 The Mozilla Internet applicati=
on s
ii  perl                     5.8.4-8sarge3   Larry Wall's Practical Extract=
ion=20
ii  sed                      4.1.2-8         The GNU sed stream editor
ii  ucf                      1.17            Update Configuration File: pre=
serv
ii  w3m [www-browser]        0.5.1-3         WWW browsable pager with excel=
lent

-- debconf information:
* apache-common/confignotes:
  apache-common/old-logrotate-exists:
  apache-common/logs:
  apache-shared/debconf-modules: mod_vhost_alias, mod_userdir, mod_unique_i=
d, mod_status, mod_setenvif, mod_rewrite, mod_negotiation, mod_mime_ssl, mo=
d_mime_magic, mod_log_config_ssl, mod_info, mod_expires, mod_dir, mod_cgi, =
mod_autoindex, mod_auth_ssl, mod_alias, mod_access, apache-ssl, mod_php4
  apache-shared/restart: false

--=20
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

--jI8keyz6grp/JLjh
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD103TSYIMHOpZA44RAn0FAKCdps8SsHd5L9NLm6/Oa5uk3GKwKQCgt+CP
asS9r3WN5ZFlKaaj3QZDvI0=
=b92C
-----END PGP SIGNATURE-----

--jI8keyz6grp/JLjh--

---------------------------------------
Received: (at 349793-done) by bugs.debian.org; 26 Jan 2006 18:39:00 +0000
>From [EMAIL PROTECTED] Thu Jan 26 10:39:00 2006
Return-path: <[EMAIL PROTECTED]>
Received: from mail.lobefin.net ([82.71.90.98])
        by spohr.debian.org with esmtp (Exim 4.50)
        id 1F2C1L-0004t7-Gp
        for [EMAIL PROTECTED]; Thu, 26 Jan 2006 10:39:00 -0800
Received: from lobefin.net
        ([82.71.90.97] helo=hadrian.lobefin.net ident=Debian-exim)
        by mail.lobefin.net with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
        (Exim 4.50)
        id 1F2C1I-0006Hp-GW; Thu, 26 Jan 2006 18:38:56 +0000
Received: from steve by hadrian.lobefin.net with local (Exim 4.50)
        id 1F2C1J-0000xC-Bt; Thu, 26 Jan 2006 18:38:57 +0000
Date: Thu, 26 Jan 2006 18:38:57 +0000
From: Stephen Gran <[EMAIL PROTECTED]>
To: Florian Weimer <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: Bug#349793: apache-common: Cross-site scripting (XSS) 
vulnerability in the mod_imap module
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="CblX+4bnyfN0pR09"
Content-Disposition: inline
In-Reply-To: <[EMAIL PROTECTED]>
X-Editor: VIM - Vi IMproved 6.3 
X-OS: Linux hadrian 2.6.8-2-686-smp i686
X-Uptime: 1 day
X-Latin: Hodie octavo Kalendas Februarias MMDCCLIX ab urbe condita est
X-Date: Today is Setting Orange, the 25th day of Chaos in the YOLD 3172
X-DDate: Only 2430851 Shopping Days Left Before X-Day. Grudnuk demand 
sustenance! 
X-Motto: debian/rules
User-Agent: Mutt/1.5.9i
X-Authenticated-Sender: steve
X-Scanned-By: ClamAV 0.88/1252 on mail.lobefin.net; Thu, 26 Jan 2006 18:38:56 
+0000
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02


--CblX+4bnyfN0pR09
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

This one time, at band camp, Florian Weimer said:
> * Stephen Gran:
>=20
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2005-3352
>=20
> Uhm, hasn't this been fixed in apache 1.3.34-2 (bug #343466) and
> apache2 2.0.55-4 (bug #343467)?

It may have been - I was working from
http://www.debian.org/security/crossreferences, and CVE-2005-3352 does
not appear on that page, as far as I can tell.  My quick glance over
the bug pages for apache and apache2 didn't turn up those bugs, but now
I see them rather obviously, so I am sorry for the waste of your time.
I guess the problem is my template was what has been fixed in sarge,
not what has already been reported and fixed in sid.

Sorry for the noise, closing now.
--=20
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

--CblX+4bnyfN0pR09
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD2RdBSYIMHOpZA44RAtwWAKCQ3fpa0TQAIMWf322LNsuo9PMbKwCfV5gD
TTxlBbqRlxMNHydlTwqdyck=
=/Noa
-----END PGP SIGNATURE-----

--CblX+4bnyfN0pR09--


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#349793: marked as done (apache-common: Cross-site scripting (XSS) vulnerability in the mod_imap module)

Reply via email to