CVE-2008-0456

Name: CVE-2008-0456
Description: CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.
Source: CVE (at NVD; also tracked at CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release              | Version            | Status
apache2 (PTS)  | jessie, jessie (lts) | 2.4.10-10+deb8u25  | vulnerable
apache2 (PTS)  | stretch (security)   | 2.4.25-3+deb9u13   | vulnerable
apache2 (PTS)  | stretch (lts), stretch | 2.4.25-3+deb9u15 | vulnerable
apache2 (PTS)  | buster               | 2.4.38-3+deb10u8   | vulnerable
apache2 (PTS)  | buster (security)    | 2.4.38-3+deb10u10  | vulnerable
apache2 (PTS)  | bullseye             | 2.4.56-1~deb11u2   | vulnerable
apache2 (PTS)  | bullseye (security)  | 2.4.59-1~deb11u1   | vulnerable
apache2 (PTS)  | bookworm             | 2.4.57-2           | vulnerable
apache2 (PTS)  | bookworm (security)  | 2.4.59-1~deb12u1   | vulnerable
apache2 (PTS)  | trixie               | 2.4.58-1           | vulnerable
apache2 (PTS)  | sid                  | 2.4.59-1           | vulnerable

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency     | Origin | Debian Bugs
apache  | source | (unstable) | (unfixed)     | unimportant |        |
apache2 | source | (unstable) | (unfixed)     | unimportant |        |

Notes

This is only relevant if an attacker can upload files with arbitrary names but not with arbitrary contents.
