ClearOS Documentation

×

Warning

301 error for file:https://clearos.com/dokuwiki2/lib/exe/css.php?t=dokuwiki&tseed=82873f9c9a1f5784b951644363f20ef8

User Tools

Site Tools


CVE 2012-0053

'protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.'

ClearCenter response

Short response

This CVE is addressed in a backported fix to ClearOS. ClearOS 5.x systems running the latest updates are not vulnerable. ClearOS 6.x systems running the latest updates are not vulnerable.

Long response

Previous fixes to ClearOS addressed this issue. However, ClearOS does not increment version numbers in order to maintain dependencies between subsystems. The audit system has not taken into account ClearOS minor version numbers which correctly represent the fix to the system.

ClearOS has backported fixes to this problem. Updated versions of ClearOS 5.x are not vulnerable to this issue. Updated versions of ClearOS 6.x are not vulnerable to this issue.

Resolution

To verify that you are running the a version of ClearOS that is not susceptible to this attack run your updates. Alternately, run the following to determine if they are already installed:

rpm -qi httpd

Pay attention to the Version and Release lines and compare to the following:

  • ClearOS 5.x httpd version: 2.2.3
    • Fixed in release: 63.el5
  • ClearOS 6.x httpd version: 2.2.15
    • Fixed in release: 15.el6

If your release number is the same or higher. This issue does NOT affect you.

content/en_us/announcements_cve_cve-2012-0053.txt · Last modified: 2014/12/22 11:04 by dloper

https://clearos.com/dokuwiki2/lib/exe/indexer.php?id=content%3Aen_us%3Aannouncements_cve_cve-2012-0053&1558461372