CVE-2009-1697

Priority
Description
CRLF injection vulnerability in WebKit in Apple Safari before 4.0, iPhone
OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 allows
remote attackers to inject HTTP headers and bypass the Same Origin Policy
via a crafted HTML document, related to cross-site scripting (XSS) attacks
that depend on communication with arbitrary web sites on the same server
through use of XMLHttpRequest without a Host header.
Assigned-to
micahg
Notes
jdstrand: webkit is a fork of khtml from kdelibs. kdelibs5 is farther from
it, while qt4-x11 attempts to unify khtml and webkit
mdeslaur: code doesn't seem present in kde4libs
commit doesn't look like it matches the CVE
Package
Upstream: needs-triage
Ubuntu 22.04 LTS (Jammy Jellyfish): not-affected (4.5.2-0ubuntu5)
Patches:
Package
Upstream: needs-triage
Ubuntu 22.04 LTS (Jammy Jellyfish): not-affected (1.1.12-1ubuntu1)
Patches:
Upstream: http://trac.webkit.org/changeset/41262

Updated: 2022-02-10 23:37:21 UTC (commit acb3d89ab51f1d5e5543fa993969c0eb13c71f04)