apache2 2.0.55-4 MIGRATED to testing

2006-01-26 Thread Debian testing watch
FYI: The status of the apache2 source package
in Debian's testing distribution has changed.

  Previous version: 2.0.55-3
  Current version:  2.0.55-4

-- 
This email is automatically generated; [EMAIL PROTECTED] is responsible.
See http://people.debian.org/~henning/trille/ for more information.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#349793: marked as done (apache-common: Cross-site scripting (XSS) vulnerability in the mod_imap module)

2006-01-26 Thread Debian Bug Tracking System
Your message dated Thu, 26 Jan 2006 18:38:57 +
with message-id <[EMAIL PROTECTED]>
and subject line Bug#349793: apache-common: Cross-site scripting (XSS) 
vulnerability in the mod_imap module
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--
Date: Wed, 25 Jan 2006 10:07:15 +
From: Stephen Gran <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: apache-common: Cross-site scripting (XSS) vulnerability in the 
mod_imap module

Package: apache-common
Version: 1.3.33-6sarge1
Severity: grave
Tags: security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352

Thanks,

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_US.ISO-8859-1, LC_CTYPE=en_US.ISO-8859-1 (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US.ISO-8859-1)

Versions of packages apache-common depends on:
ii  apache2-utils            2.0.54-5        utility programs for webservers
ii  debconf                  1.4.30.13       Debian configuration management sy
ii  elinks [www-browser]     0.10.4-7        advanced text-mode WWW browser
ii  libc6                    2.3.2.ds1-22    GNU C Library: Shared libraries an
ii  libdb4.2                 4.2.52-18       Berkeley v4.2 Database Libraries [
ii  libexpat1                1.95.8-3        XML parsing C library - runtime li
ii  lynx [www-browser]       2.8.5-2sarge1   Text-mode WWW Browser
ii  mime-support             3.28-1          MIME files 'mime.types' & 'mailcap
ii  mozilla-browser [www-bro 2:1.7.8-1sarge3 The Mozilla Internet application s
ii  perl                     5.8.4-8sarge3   Larry Wall's Practical Extraction
ii  sed                      4.1.2-8         The GNU sed stream editor
ii  ucf                      1.17            Update Configuration File: preserv
ii  w3m [www-browser]        0.5.1-3         WWW browsable pager with excellent

-- debconf information:
* apache-common/confignotes:
  apache-common/old-logrotate-exists:
  apache-common/logs:
  apache-shared/debconf-modules: mod_vhost_alias, mod_userdir, mod_unique_id, mod_status, mod_setenvif, mod_rewrite, mod_negotiation, mod_mime_ssl, mod_mime_magic, mod_log_config_ssl, mod_info, mod_expires, mod_dir, mod_cgi, mod_autoindex, mod_auth_ssl, mod_alias, mod_access, apache-ssl, mod_php4
  apache-shared/restart: false


Processed: revisiting the "reload target" issue

2006-01-26 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> severity 316321 serious
Bug#316321: apache2-common: 'reload' init target should not restart server
Severity set to `serious'.

> tags 316321 patch
Bug#316321: apache2-common: 'reload' init target should not restart server
There were no tags set.
Tags added: patch

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)





Processed: patch here

2006-01-26 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> tag 347962 + patch
Bug#347962: apache2-mpm-prefork: init script tries to grep regexp-based includes
There were no tags set.
Tags added: patch

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)





Bug#316321: revisiting the "reload target" issue

2006-01-26 Thread sean finney
severity 316321 serious
tags 316321 patch
thanks

hi,

revisiting this issue, and after having spoken with folks
on -devel and -policy, the consensus is that this is in
fact a policy violation, so i am changing the severity
appropriately.

but, because doing so merely to do so wouldn't be so
constructive, i've also patched the init script to
behave appropriately.  i've attempted to keep the
patch as clean as possible... and have taken
code that would otherwise be duplicated and
placed them in common functions (apache_get_pid and 
apache_kill).  

here's some sample output of the new behavior:

mini-me[~]17:34:55$ sudo /etc/init.d/apache2 start
Starting apache 2.0 web server
mini-me[~]17:35:00$ sudo /etc/init.d/apache2 reload
Reloading apache 2.0 configuration
mini-me[~]17:35:05$ sudo /etc/init.d/apache2 stop  
Stopping apache 2.0 web server
mini-me[~]17:35:12$ sudo /etc/init.d/apache2 reload
Reloading apache 2.0 configuration... no pidfile, not sending signal.  failed!


thanks,
sean

-- 
--- /etc/init.d/apache2.old 2006-01-26 16:53:24.0 +0100
+++ /etc/init.d/apache2 2006-01-26 17:24:54.0 +0100
@@ -27,9 +27,8 @@
 APACHE2="$ENV /usr/sbin/apache2"
 APACHE2CTL="$ENV /usr/sbin/apache2ctl"
 
-apache_stop() {
-   PID=""
-   PIDFILE=""
+# find and echo the PID if it exists in the PIDFILE
+apache_get_pid(){
AP_CONF=/etc/apache2/apache2.conf
 
# apache2 allows more than PidFile entry in the config but only the
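Review bot: the header comment on apache_get_pid() does not say what the caller gets when no pidfile exists, and apache_kill depends on exactly that (empty output means "not running"). State the contract in the comment, for example "prints the PID on stdout, prints nothing if no pidfile is found", and note that AP_CONF and PIDFILE are still set as globals by this function.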
@@ -39,45 +38,26 @@
for i in $AP_CONF `awk '$1 ~ /^\s*[Ii]nclude$/ && $2 ~ /^\// {print 
$2}' $AP_CONF`; do
PIDFILE=`grep -i ^PidFile $i | tail -n 1 | awk '{print $2}'`
if [ -e "$PIDFILE" ]; then
-   PID=`cat $PIDFILE`
+   cat $PIDFILE
fi
done
-   
-   if `$APACHE2 -t > /dev/null 2>&1`; then
-   # if the config is ok than we just stop normaly
-
-   if [ -n "$PID" ]
-   then
-   $APACHE2CTL stop
-
-   CNT=0
-   while [ 1 ]
-   do
-   CNT=$(expr $CNT + 1)
-   
-   [ ! -d /proc/$PID ] && break
+}
 
-   if [ $CNT -gt 60 ]
-   then
-   if [ "$VERBOSE" != "no" ]; then
-   echo " ... failed!"
-   echo "Apache2 failed to honor 
the stop command, please investigate the situation by hand."
-   fi
-   return 1
-   fi
+# send a signal (optionally $1) to the apache server if possible
+apache_kill(){
+   PID=`apache_get_pid`
+   if [ "$1" ]; then
+   SIGNAL="-$1"
+   fi
 
-   sleep 1
-   done
-   else
+   # if there's no pid, then stop now
+   if [ ! "$PID" ]; then
if [ "$VERBOSE" != "no" ]; then
-   echo -n " ... no pidfile found! not running?"
+   echo -n " no pidfile, not sending signal."
fi
+   return 1
fi
 
-   else
-   # if we are here something is broken and we need to try
-   # to exit as nice and clean as possible
-
# if pidof is null for some reasons the script exits 
automagically
# classified as good/unknown feature
PIDS=`pidof apache2` || true
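Review bot: apache_get_pid can now return more than one PID, because the loop runs `cat $PIDFILE` for every config file whose PidFile exists, where the old `PID=`cat $PIDFILE`` kept only the last match. `PID=`apache_get_pid`` in apache_kill then holds several values and they all reach the later kill. Assign to a variable inside the loop and echo it once after `done`, quote "$PIDFILE", and reject a value that is not purely numeric. This hunk also removes the `$APACHE2 -t` check and the 60-iteration wait on /proc/$PID; please confirm the new apache_stop still waits for the process to exit, otherwise a stop followed directly by a start can race.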
@@ -97,7 +77,7 @@
if [ $REALPID = 1 ]; then
# in this case everything is nice and dandy
# and we kill apache2
-   kill $PID
+   kill $SIGNAL $PID
else
# this is the worst situation... just kill all of them
#for i in $PIDS; do
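Review bot: `kill $SIGNAL $PID` assumes SIGNAL is empty when apache_kill is called without an argument, but apache_kill only assigns it inside `if [ "$1" ]`, so a SIGNAL left over from an earlier call in the same run, or inherited from the caller's environment, is passed to kill. Set `SIGNAL=""` at the top of apache_kill before the test.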
@@ -105,17 +85,74 @@
#done
# Except, we can't do that, because it's very, very bad
if [ "$VERBOSE" != "no" ]; then
-echo " ... failed!"
+   echo " ... failed!"
echo "You may still have some apache2 processes 
running.  There are"
echo "processes named 'apache2' which do not 
match your pid file,"
echo "and in the name of safety, we've left 
them alone.  Please review"
echo "the situation by hand."
-fi
-return 1
+   fi
+   return 1
+   fi
+}
+
+apache_stop
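Review bot: the `echo " ... failed!"`, `fi` and `return 1` lines in this hunk change only in indentation, which buries the functional part (the added closing `fi` and `}` that end apache_kill, and the code added after them). Send the whitespace cleanup as a separate patch so the behavioural change can be read on its own. The hunk as archived stops at `+apache_stop`, so the remaining added lines cannot be reviewed from this copy.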

Bug#349793: apache-common: Cross-site scripting (XSS) vulnerability in the mod_imap module

2006-01-26 Thread Florian Weimer
* Stephen Gran:

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352

Uhm, hasn't this been fixed in apache 1.3.34-2 (bug #343466) and
apache2 2.0.55-4 (bug #343467)?




