Posted to cvs@httpd.apache.org by jo...@apache.org on 2007/12/11 21:11:12 UTC
svn commit: r603347 - in /httpd/site/trunk/docs/security:
vulnerabilities-oval.xml vulnerabilities_22.html
Author: jorton
Date: Tue Dec 11 12:11:11 2007
New Revision: 603347
URL: http://svn.apache.org/viewvc?rev=603347&view=rev
Log:
Add CVE-2007-5000.
Modified:
httpd/site/trunk/docs/security/vulnerabilities-oval.xml
httpd/site/trunk/docs/security/vulnerabilities_22.html
Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?rev=603347&r1=603346&r2=603347&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Tue Dec 11 12:11:11 2007
@@ -5,6 +5,32 @@
<oval:timestamp>2005-10-12T18:13:45</oval:timestamp>
</generator>
<definitions>
+<definition id="oval:org.apache.httpd:def:20075000" version="1" class="vulnerability">
+<metadata>
+<title>mod_imagemap XSS</title>
+<reference source="CVE" ref_id="CVE-2007-5000" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000"/>
+<description>
+A flaw was found in the mod_imagemap module. On sites where
+mod_imagemap is enabled and an imagemap file is publicly available, a
+cross-site scripting attack is possible.</description>
+<apache_httpd_repository>
+<public>20071211</public>
+<reported>20071023</reported>
+<released/>
+<severity level="3">moderate</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:226" comment="the version of httpd is 2.2.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:225" comment="the version of httpd is 2.2.5"/>
+<criterion test_ref="oval:org.apache.httpd:tst:224" comment="the version of httpd is 2.2.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:223" comment="the version of httpd is 2.2.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:222" comment="the version of httpd is 2.2.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
+</criteria>
+</criteria>
+</definition>
<definition id="oval:org.apache.httpd:def:20073847" version="1" class="vulnerability">
<metadata>
<title>mod_proxy crash</title>
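Review bot: The criteria added for `oval:org.apache.httpd:def:20075000` test only the httpd version, while the description limits exposure to sites where mod_imagemap is enabled and an imagemap file is publicly available, so a scanner will report every 2.2.0–2.2.6 host regardless of module configuration. The states added in the later hunks compare with `operation="equals"` on the version string, so a build that carries a backported fix under an unchanged version number would presumably be flagged as well. If the schema offers no module-level test, the description should say so, for example `This check matches on version only; confirm mod_imagemap is loaded before treating a hit as exposed.` The generator `<oval:timestamp>` in the context line still reads 2005-10-12, so consumers that key on it may not notice that a definition was added.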
@@ -455,7 +481,7 @@
</description>
<apache_httpd_repository>
<public>20060508</public>
-<reported></reported>
+<reported/>
<released>20060501</released>
<severity level="3">moderate</severity>
</apache_httpd_repository>
@@ -2511,6 +2537,14 @@
</definition>
</definitions>
<tests>
+<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:226" version="1" comment="the version of httpd is 2.2.6" check="at least one">
+<object object_ref="oval:org.apache.httpd:obj:1"/>
+<state state_ref="oval:org.apache.httpd:ste:226"/>
+</httpd_test>
+<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:225" version="1" comment="the version of httpd is 2.2.5" check="at least one">
+<object object_ref="oval:org.apache.httpd:obj:1"/>
+<state state_ref="oval:org.apache.httpd:ste:225"/>
+</httpd_test>
<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:224" version="1" comment="the version of httpd is 2.2.4" check="at least one">
<object object_ref="oval:org.apache.httpd:obj:1"/>
<state state_ref="oval:org.apache.httpd:ste:224"/>
@@ -2724,6 +2758,12 @@
</httpd_object>
</objects>
<states>
+<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:226" version="1" comment="the version of httpd is 2.2.6">
+<version operation="equals" datatype="version">2.2.6</version>
+</httpd_state>
+<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:225" version="1" comment="the version of httpd is 2.2.5">
+<version operation="equals" datatype="version">2.2.5</version>
+</httpd_state>
<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:224" version="1" comment="the version of httpd is 2.2.4">
<version operation="equals" datatype="version">2.2.4</version>
</httpd_state>
Modified: httpd/site/trunk/docs/security/vulnerabilities_22.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_22.html?rev=603347&r1=603346&r2=603347&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_22.html (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_22.html Tue Dec 11 12:11:11 2007
@@ -86,6 +86,37 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+ <a name="2.2.7-dev"><strong>Fixed in Apache httpd 2.2.7-dev</strong></a>
+ </font>
+ </td>
+ </tr>
+ <tr><td>
+ <blockquote>
+<dl>
+<dd>
+<b>moderate: </b>
+<b>
+<name name="CVE-2007-5000">mod_imagemap XSS</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000">CVE-2007-5000</a>
+<p>
+A flaw was found in the mod_imagemap module. On sites where
+mod_imagemap is enabled and an imagemap file is publicly available, a
+cross-site scripting attack is possible.</p>
+</dd>
+<dd />
+<dd>
+ Affects:
+ 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0<p />
+</dd>
+</dl>
+ </blockquote>
+ </td></tr>
+</table>
+ <table border="0" cellspacing="0" cellpadding="2" width="100%">
+ <tr>
+ <td bgcolor="#525D76">
+ <font color="#ffffff" face="arial,helvetica,sanserif">
<a name="2.2.6"><strong>Fixed in Apache httpd 2.2.6</strong></a>
</font>
</td>
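Review bot: `<name name="CVE-2007-5000">` in the new entry is not an HTML element, so browsers will not create a `#CVE-2007-5000` anchor and a link to this advisory by CVE id will land at the top of the page. The section heading a few lines above uses `<a name="2.2.7-dev">`, and the same form would work here: `<a name="CVE-2007-5000">mod_imagemap XSS</a>`. If this page is produced from a stylesheet, the change presumably belongs in the template rather than in this file. The entry also gives no interim guidance while the fix exists only in 2.2.7-dev; since the description ties the flaw to mod_imagemap being enabled, a sentence noting that sites which do not use the module can leave it unloaded would help administrators.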