Bug 583162 (CVE-2009-4496)

Summary: CVE-2009-4496 boa: sanitize nonprintable characters in error logs
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: matthias
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-02 10:37:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 583164    
Bug Blocks:    

Description Vincent Danen 2010-04-16 21:07:35 UTC 
A vulnerability was reported against multiple web servers [1] where the log files contained unescaped sequences that could potentially affect certain terminals when viewing the log files.

While we don't necessarily see this as a problem in the web servers themself, being able to correct them to have sanitized contents in the log files would be a good thing.  The Debian bug report [2] to that end has a patch attached [3] that would correct the issue in boa.  Since it does not look like upstream will resolve this issue, this bug is being opened so that boa in Fedora can be patched.

[1] http://www.ush.it/team/ush/hack_httpd_escape/adv.txt
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578035
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=escape-errorlog.patch;att=1;bug=578035
Comment 1 Vincent Danen 2010-04-16 21:09:52 UTC 
Created boa tracking bugs for this issue

Affects: fedora-all [bug 583164]
Comment 2 Fedora Update System 2010-04-28 12:42:14 UTC 
boa-0.94.14-0.15.rc21.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/boa-0.94.14-0.15.rc21.fc13
Comment 3 Fedora Update System 2010-04-28 12:42:18 UTC 
boa-0.94.14-0.15.rc21.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/boa-0.94.14-0.15.rc21.fc12
Comment 4 Fedora Update System 2010-04-28 12:42:29 UTC 
boa-0.94.14-0.15.rc21.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/boa-0.94.14-0.15.rc21.el4
Comment 5 Fedora Update System 2010-04-28 12:42:36 UTC 
boa-0.94.14-0.15.rc21.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/boa-0.94.14-0.15.rc21.fc11
Comment 6 Fedora Update System 2010-04-28 12:42:44 UTC 
boa-0.94.14-0.15.rc21.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/boa-0.94.14-0.15.rc21.el5
Comment 7 Fedora Update System 2010-05-12 17:55:28 UTC 
boa-0.94.14-0.15.rc21.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2010-05-12 17:56:00 UTC 
boa-0.94.14-0.15.rc21.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2010-05-12 17:57:55 UTC 
boa-0.94.14-0.15.rc21.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.