Date: Wed, 3 Jun 2009 12:24:11 -0400 (EDT) From: "Steven M. Christey" <coley@...us.mitre.org> To: OSS Security List <oss-security@...ts.openwall.com> Subject: Re: CVE Request: PDF XSS in ModSecurity / apache2 mod_security 2.5.8 My read is that 2.5.8 fixed this, but the version was quickly changed to handle the other issue. - Steve ====================================================== Name: CVE-2009-1903 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1903 Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=667538 Reference: FEDORA:FEDORA-2009-2654 Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00487.html Reference: FEDORA:FEDORA-2009-2686 Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00529.html Reference: BID:34096 Reference: URL:http://www.securityfocus.com/bid/34096 Reference: OSVDB:52552 Reference: URL:http://www.osvdb.org/52552 Reference: SECUNIA:34256 Reference: URL:http://secunia.com/advisories/34256 Reference: SECUNIA:34311 Reference: URL:http://secunia.com/advisories/34311 Reference: VUPEN:ADV-2009-0703 Reference: URL:http://www.vupen.com/english/advisories/2009/0703 Reference: XF:modsecurity-pdfxss-dos(49211) Reference: URL:http://xforce.iss.net/xforce/xfdb/49211 The PDF XSS protection feature in ModSecurity before 2.5.8 allows remote attackers to cause a denial of service (Apache httpd crash) via a request for a PDF file that does not use the GET method.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.