Bug 562798 (CVE-2009-4487)
| Field | Value |
|---|---|
| Summary | CVE-2009-4487 nginx: Absent sanitation of escape sequences in web server log |
| Product | [Other] Security Response |
| Reporter | Jan Lieskovsky <jlieskov> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX |
| Severity | low |
| Priority | low |
| Version | unspecified |
| CC | jeremy |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| URL | http://www.securityfocus.com/archive/1/archive/1/508830/100/0/threaded |
| Doc Type | Bug Fix |
| Last Closed | 2014-02-23 15:25:46 UTC |
Description
Jan Lieskovsky
2010-02-08 12:38:46 UTC
In fact the impact of this issue against various versions of *term package / binary, as shipped within Fedora releases 11 and 12, because advisory [1] from the References part above further references ([4], [5], [6], [7] links in [1]):

[a] -- [4] Debian GNU/Linux XTERM (DECRQSS/comments) Weakness Vulnerability
http://www.milw0rm.com/exploits/7681
This is CVE-2008-2383, which is already fixed.

[b] -- [5] Terminal Emulator Security Issues
http://marc.info/?l=bugtraq&m=104612710031920&w=2
The list of CNAs is pretty long, but similar to the above.

[c] -- [6] Eterm Screen Dump Escape Sequence Local File Corruption Vulnerability
http://www.securityfocus.com/bid/6936/discuss
This is CVE-2003-0021, which was fixed in upstream Eterm 0.9.2 (current versions of the Eterm package in Fedora are newer than this).

[d] -- [7] RXVT Screen Dump Escape Sequence Local File Corruption Vulnerability
http://www.securityfocus.com/bid/6938/discuss
This is CVE-2003-0022, which was fixed in upstream rxvt 2.7.10 (ftp://ftp.rxvt.org/pub/rxvt/rxvt-2.7.10.tar.gz); current rxvt packages in the Fedora and EPEL repositories are already 2.7.10 based.

So the issues, as mentioned in:

References:
[2] http://www.securityfocus.com/archive/1/archive/1/508830/100/0/threaded

would be real issues only on very old (not updated) systems.

Just for completeness, here are the links to the patches for the Cherokee web server, as applied for the clone of the same issue (CVE-2009-4489) in Cherokee:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4489
http://svn.cherokee-project.com/changeset/3944
http://svn.cherokee-project.com/changeset/3977

I assume this means, since upstream nginx is not providing a fix at this time, that we should not do anything? I'm about to package up 0.7.65 and want to check if we should do anything before then.
(In reply to Jan Lieskovsky from comment #1)
> So the issues, as mentioned in:
>
> References:
> [2] http://www.securityfocus.com/archive/1/archive/1/508830/100/0/threaded
>
> would be real issues only on very old (not updated) systems.

Upstream have been aware of this issue for years and have decided not to fix it. As stated in the quote above, it appears to only affect very old systems running vulnerable *term packages, so there do not appear to be any significant consequences. I am therefore closing this bug.
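A defender-side illustration of the log issue discussed in this bug, added here and not part of the report, of nginx or of the Cherokee patches: a small Python filter that flags access-log lines carrying terminal control bytes and renders them as `\xNN` escapes (the convention Apache uses for its logs) before the lines are viewed on a terminal. The access-log lines are constructed samples, not real traffic.

```python
import re

# Constructed sample access-log lines (not real traffic). The second line carries an
# ANSI colour sequence (ESC [ 3 1 m) in the request path; the third carries a raw
# carriage return, which a terminal would use to overwrite the start of the line.
SAMPLE_LOG = (
    b'203.0.113.5 - - [08/Feb/2010:12:38:46 +0000] "GET /index.html HTTP/1.1" 200 612\n'
    b'203.0.113.7 - - [08/Feb/2010:12:39:01 +0000] "GET /\x1b[31mred\x1b[0m HTTP/1.1" 404 162\n'
    b'203.0.113.9 - - [08/Feb/2010:12:39:05 +0000] "GET /a\rb HTTP/1.1" 404 162\n'
)

# Bytes a terminal acts on instead of printing: C0 controls (except the newline we
# split on) and DEL. Bytes >= 0x80 are handled separately in sanitize_log_line so
# that UTF-8 text is escaped for display without being reported as "control".
_CONTROL = re.compile(rb'[\x00-\x09\x0b-\x1f\x7f]')


def sanitize_log_line(raw: bytes) -> str:
    """Return one log line as text with every control or non-ASCII byte shown as \\xNN."""
    def _esc(m):
        return b'\\x%02x' % m.group(0)[0]
    # First escape the control bytes, then let the decoder escape high bytes the same way.
    return _CONTROL.sub(_esc, raw).decode('ascii', errors='backslashreplace')


def has_control_bytes(raw: bytes) -> bool:
    """Detection helper: True when the line contains a byte a terminal would interpret."""
    return _CONTROL.search(raw) is not None


def scan_log(data: bytes):
    """Yield (line_number, flagged, sanitized_text) for each non-empty line in the blob."""
    for n, line in enumerate(data.split(b'\n'), start=1):
        if not line:
            continue
        yield n, has_control_bytes(line), sanitize_log_line(line)


if __name__ == '__main__':
    # Lines marked with '!' are the ones that would be unsafe to cat/tail unfiltered.
    for n, flagged, text in scan_log(SAMPLE_LOG):
        print(f"{n:3d} {'!' if flagged else ' '} {text}")
```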