Package: apache2
Severity: normal
Tags: security

Hi,
the following issues were disclosed in 2003 for apache, but they just got CVE numbers a few days ago. I haven't checked whether the latest version of apache2 is affected, and if it isn't, please close this bug. The problem actually seems rather unimportant to me since the real issue is input sanitization for any vulnerable apache log analyzer.

CVE-2003-1580[0]:
| The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
| client IP addresses, uses a logging format that does not identify
| whether a dotted quad represents an unresolved IP address, which
| allows remote attackers to spoof IP addresses via crafted DNS
| responses containing numerical top-level domains, as demonstrated by a
| forged 123.123.123.123 domain name, related to an "Inverse Lookup Log
| Corruption (ILLC)" issue.

CVE-2003-1581[1]:
| The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
| client IP addresses, allows remote attackers to inject arbitrary text
| into log files via an HTTP request in conjunction with a crafted DNS
| response, as demonstrated by injecting XSS sequences, related to an
| "Inverse Lookup Log Corruption (ILLC)" issue.

If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1580
    http://security-tracker.debian.org/tracker/CVE-2003-1580
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1581
    http://security-tracker.debian.org/tracker/CVE-2003-1581
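
The input check the report says a log analyzer needs, as an added example that is not part of the original report and is not Apache or Debian code: it classifies the remote-host field of a common-log-format line and HTML-escapes it before display. The function names, verdict labels and sample lines are assumptions constructed for illustration.

```python
import html
import ipaddress
import re

# Common log format: host ident user [time] "request" status bytes
CLF = re.compile(r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+')
# One RFC 1123 label: letters, digits, hyphen; no leading or trailing hyphen
LABEL = re.compile(r'(?!-)[A-Za-z0-9-]{1,63}(?<!-)')

def classify_host(host, lookups_enabled=True):
    """Return (verdict, display_text) for the remote-host field of a log entry."""
    safe = html.escape(host, quote=True)  # never render the raw field in a report
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        # With lookups on, the log cannot distinguish an unresolved address
        # from a PTR answer that looks like one (CVE-2003-1580).
        return ("ambiguous-ip" if lookups_enabled else "ip", safe)
    labels = host.rstrip(".").split(".")
    if len(host) > 253 or not all(LABEL.fullmatch(l) for l in labels):
        return ("invalid-hostname", safe)  # arbitrary text in the field (CVE-2003-1581)
    if labels[-1].isdigit():
        return ("numeric-tld", safe)  # no real TLD is all digits
    return ("hostname", safe)

def analyze(lines, lookups_enabled=True):
    """Classify each line; lines that do not parse are escaped and flagged."""
    results = []
    for line in lines:
        m = CLF.match(line)
        if m is None:
            results.append(("unparsed", html.escape(line, quote=True)))
        else:
            results.append(classify_host(m.group("host"), lookups_enabled))
    return results

# Constructed sample lines, not taken from a real server
REQ = ' - - [10/Oct/2009:13:55:36 +0200] "GET / HTTP/1.0" 200 2326'
SAMPLE = ["gw.example.org" + REQ,
          "123.123.123.123" + REQ,
          "<script>alert(1)</script>.example.net" + REQ]

if __name__ == "__main__":
    for verdict, host in analyze(SAMPLE):
        print(f"{verdict:17} {host}")
```

The label check is the strict letters-digits-hyphen rule, so names containing underscores are also reported as invalid-hostname.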