RELEASE SHOWSTOPPERS:
+ *) SECURITY: CVE-2007-6388 (cve.mitre.org)
+ mod_status: Ensure refresh parameter is numeric to prevent
+ a possible XSS attack caused by redirecting to other URLs.
+ Reported by SecurityReason. [Mark Cox]
+ Trunk version of patch:
+ http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c?r1=590641&r2=607873
+ 1.3 version of patch attached to:
+ http://mail-archives.apache.org/mod_mbox/httpd-dev/200801.mbox/%3c47813C93.4020507@apache.org%3e
+ +1: sctemme (with fuankg's change of default refresh time to 10 seconds in r607873)
+
PROPOSED PATCHES FOR THIS RELEASE:
*) mod_rewrite on Win32: change the mutex mechanism for RewriteLog
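Review bot: The vote line in the new showstopper entry ties sctemme's +1 to "fuankg's change of default refresh time to 10 seconds in r607873", but r607873 is the trunk revision, while the patch proposed for this branch is the 1.3 version attached to the httpd-dev message. The entry does not say whether that attachment already includes the 10-second default. Suggest stating this explicitly in the entry, or pointing to an updated 1.3 patch, so later voters know exactly which change they are approving.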