Re: Re: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released

On 20.10.2010 11:47, Igor Galić wrote:

> ----- "Matus UHLAR - fantomas" <uhlar@xxxxxxxxxxx> wrote:
>
>> On 19.10.10 11:27, William A. Rowe Jr. wrote:
>>> Subject: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
>>>
>>>     The Apache Software Foundation and the Apache HTTP Server Project are
>>>     pleased to announce the release of version 2.2.17 of the Apache HTTP
>>>     Server ("Apache").  This version of Apache is principally a bug fix
>>>     release, and a security fix release of the APR-util 1.3.10 dependency;
>>>
>>>       * SECURITY: CVE-2010-1623 (cve.mitre.org)
>>>         Fix a denial of service attack against apr_brigade_split_line().
>>>
>>>       * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
>>>         Fix two buffer over-read flaws in the bundled copy of expat which
>>>         could cause httpd to crash while parsing specially-crafted
>>>         XML documents.
>>
>> does this mean that if I have apache compiled with external
>> apr-util-1.3.10 and external expat, I am safe?
>
> Unless that external expat is the same version as the bundled copy.

It seems there

http://svn.apache.org/viewvc?view=revision&revision=1002628

contains additional expat fixes, which have not been released as part of expat. Apr-Util contains expat 1.95.7 with those fixes added. There exists 1.95.8, but that doesn't seem to contain them. I don't know whether 1.95.8 or 2.0.1 are vulnerable or not.

Concerning the split brigade fix, note that a similar problem has been fixed in the module mod_reqtimeout. This module is relatively young, so not many configurations already activate it.

Regards,

Rainer
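An added check, not part of this thread or of the httpd project, for the APR-util half of Matus's question: with an external (shared) APR-util, what matters is the version httpd loads at run time, which `httpd -V` reports on its "Server loaded:" line and which can lag the "Compiled using:" line. The two `httpd -V` outputs below are constructed samples; on a real host pass `"$(httpd -V)"` (or `apache2 -V`) to `apu_report`.

```shell
#!/bin/sh
# Added example: does the APR-util that httpd actually loads carry the
# CVE-2010-1623 fix (APR-util 1.3.10 or later)? Parses `httpd -V` text.

# ver_ge A B: exit 0 when dotted version A >= B (three components compared).
ver_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# loaded_apu TEXT: print the APR-util version from the "Server loaded:" line,
# i.e. the shared library in use, not the one present at build time.
loaded_apu() {
    printf '%s\n' "$1" | sed -n 's/^Server loaded:.*APR-Util \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# apu_ok TEXT: 0 if loaded APR-util >= 1.3.10, 1 if older, 2 if not found.
apu_ok() {
    v=$(loaded_apu "$1")
    [ -n "$v" ] || return 2
    ver_ge "$v" 1.3.10
}

apu_report() {
    if apu_ok "$1"; then echo "APR-util $(loaded_apu "$1"): has the 1.3.10 fix"
    else echo "APR-util '$(loaded_apu "$1")': older than 1.3.10 or not detected"; fi
}

# Constructed samples: a host rebuilt against 1.3.10 that still loads the old
# shared library, and a host where the loaded library is current.
STALE='Server version: Apache/2.2.17 (Unix)
Server loaded:  APR 1.4.2, APR-Util 1.3.9
Compiled using: APR 1.4.2, APR-Util 1.3.10'
FIXED='Server version: Apache/2.2.17 (Unix)
Server loaded:  APR 1.4.2, APR-Util 1.3.10
Compiled using: APR 1.4.2, APR-Util 1.3.10'

apu_report "$STALE"
apu_report "$FIXED"
```

The expat side cannot be settled the same way, since the point above is that the fixed expat is the bundled copy with unreleased patches, so only a matching bundled version counts.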

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
