httpd-users mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: [users@httpd] Re: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
Date Wed, 20 Oct 2010 13:21:33 GMT
On 20.10.2010 11:47, Igor Galić wrote:
>
> ----- "Matus UHLAR - fantomas"<uhlar@fantomas.sk>  wrote:
>
>> On 19.10.10 11:27, William A. Rowe Jr. wrote:
>>> Subject: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
>>
>>>     The Apache Software Foundation and the Apache HTTP Server Project
>> are
>>>     pleased to announce the release of version 2.2.17 of the Apache
>> HTTP
>>>     Server ("Apache").  This version of Apache is principally a bug
>> fix
>>>     release, and a security fix release of the APR-util 1.3.10
>> dependency;
>>>
>>>       * SECURITY: CVE-2010-1623 (cve.mitre.org)
>>>         Fix a denial of service attack against
>> apr_brigade_split_line().
>>>
>>>       * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
>>>         Fix two buffer over-read flaws in the bundled copy of expat
>> which
>>>         could cause httpd to crash while parsing specially-crafted
>>>         XML documents.
>>
>> does this mean that if I have apache compiled with external
>> apr-util-1.3.10 and external expat, I am safe?
>
> Unless that external expat is the same version as the bundled copy.

It seems there

http://svn.apache.org/viewvc?view=revision&revision=1002628

contains additional expat fixes, which have not been released as part of 
expat. Apr-Util contains expat 1.95.7 with those fixes added. There 
exists 1.95.8, but that doesn't seem to contain them. I don't know 
whether 1.95.8 or 2.0.1 are vulnerable or not.

Concerning the split brigade fix, note that a similar problem has been 
fixed in the module mod_reqtimeout. This module is relatively young, so 
not many configurations activate it yet.

Regards,

Rainer
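A defender reading this thread wants two quick checks on a given build: is mod_reqtimeout loaded at all, and which APR-Util does httpd actually link, the bundled copy or the external one. The script below is an added example, not code from the thread or from the httpd project. It parses constructed sample text in the shape of `httpd -M` and `httpd -V` output (the exact wording of the "Server loaded:" line is an assumption, so the match is case-insensitive on "APR-Util"); on a real host substitute the live command output.

```shell
#!/bin/sh
# Added example (not from the thread): does this httpd build load mod_reqtimeout,
# and is the APR-Util it actually loads at least 1.3.10 (CVE-2010-1623 fix)?
# The two samples below are CONSTRUCTED to resemble `httpd -M` and `httpd -V`;
# on a live host use:  MODULES="$(httpd -M 2>/dev/null)"; VERSION="$(httpd -V)"

SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 reqtimeout_module (shared)
 ssl_module (shared)'

SAMPLE_VERSION='Server version: Apache/2.2.17 (Unix)
Server loaded:  APR 1.4.2, APR-Util 1.3.10
Compiled using: APR 1.4.2, APR-Util 1.3.10'

# has_reqtimeout MODULES_TEXT -> exit 0 if reqtimeout_module appears in the list
has_reqtimeout() {
    printf '%s\n' "$1" | grep -q 'reqtimeout_module'
}

# aprutil_version VERSION_TEXT -> prints the APR-Util version httpd loaded at run time
# (the "Server loaded:" line, not "Compiled using:", is what matters for a shared APR-Util)
aprutil_version() {
    printf '%s\n' "$1" | awk -F'APR-[Uu][Tt][Ii][Ll] ' '/^Server loaded:/ {print $2; exit}'
}

# version_ge A B -> exit 0 if dotted version A >= B, compared numerically field by field
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0; bi = (i <= nb) ? y[i] + 0 : 0;
            if (ai > bi) exit 0;
            if (ai < bi) exit 1;
        }
        exit 0;
    }'
}

# check_build MODULES_TEXT VERSION_TEXT -> one verdict line per check,
# returns 0 only when both checks pass
check_build() {
    rc=0
    if has_reqtimeout "$1"; then
        echo "OK   mod_reqtimeout is loaded (it only acts once RequestReadTimeout is configured)"
    else
        echo "WARN mod_reqtimeout is not loaded"
        rc=1
    fi
    v="$(aprutil_version "$2")"
    if [ -n "$v" ] && version_ge "$v" 1.3.10; then
        echo "OK   APR-Util $v is >= 1.3.10 (apr_brigade_split_line fix present)"
    else
        echo "WARN APR-Util '${v:-unknown}' is older than 1.3.10"
        rc=1
    fi
    return $rc
}

check_build "$SAMPLE_MODULES" "$SAMPLE_VERSION"
```

Loading the module is not enough: mod_reqtimeout does nothing until a `RequestReadTimeout` directive is set, for example `RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500`. The APR-Util check also says nothing about an externally built expat, which is the question the thread leaves open.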

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

