httpd-users mailing list archives

From John Iliffe <john.ili...@iliffe.ca>
Subject Re: [users@httpd] LD_LIBRARY_PATH issue in 2.2.22 and earlier
Date Thu, 24 May 2012 17:17:34 GMT
I got caught the same way in March (re PCI scanning).  Guess my guy is more 
up to date than yours!

There should be no reason that I found not to update to 2.4.2 BUT BE 
CAREFUL OF THE CONFIG FILE CHANGES!  For example the "order deny allow" 
format directives no longer work in 2.4.*.  There are a few other changes.

Also, do not be tempted to update to PHP 5.4.0 as it will cause segfaults 
in all the child processes for reasons that escape me completely.  Use a 
5.3.x version.  This may be my problem but someone on this list was able to 
confirm the issue and said that it is a PHP issue.  It may be resolved by 
now.

Hope that's useful.

John
======================================
On Thursday 24 May 2012 13:05:10 Luke Lozier wrote:
> One of the PCI scanning companies is demanding an upgrade to 2.4.2 due
> to the issues described in this CVE:
> 
> Changes with Apache 2.2.23
> 
>   *) SECURITY: CVE-2012-0883 (cve.mitre.org)
>      envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead
>      to the current working directory to be searched for DSOs.
>      [Stefan Fritsch]
> 
> Is there any idea when 2.2.23 will be released? I'd rather not
> upgrade to 2.4.2
> 
> Apologies if this is the wrong list for this.
> 
> Best,
> 
> Luke Lozier
> 
> ---
> 
> Bibliopolis, LLC
> Berkeley | Pittsburgh
> 
> http://www.bibliopolis.com
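
Added example, not part of either message and not code from httpd's envvars file: a shell check for LD_LIBRARY_PATH values that make the loader search the current working directory, the condition the quoted changelog entry describes. It assumes the usual cause, a startup script prepending a directory to a possibly empty variable; the function names and the /opt/app/lib path are constructed for illustration.

```sh
#!/bin/sh
# Added example. ld.so treats a zero-length element in LD_LIBRARY_PATH
# (leading, trailing or doubled colon) as the current working directory,
# and resolves any non-absolute element against it as well.

# Returns 0 if the path list in $1 would cause a cwd-relative search.
has_cwd_entry() {
    case "$1" in
        "")          return 1 ;;  # empty value: nothing to search
        :*|*:|*::*)  return 0 ;;  # zero-length element means cwd
    esac
    rest=$1
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        case "$entry" in
            /*) ;;                # absolute directory: fine
            *)  return 0 ;;       # ".", "lib", etc. depend on cwd
        esac
        case "$rest" in
            *:*) rest=${rest#*:} ;;
            *)   rest= ;;
        esac
    done
    return 1
}

# Assumed weak pattern: unconditional join leaves a trailing ":" when the
# existing value ($2) is empty or unset.
prepend_unsafe() { printf '%s' "$1:$2"; }

# Hardened pattern: emit the separator only when there is something to join.
prepend_safe() { printf '%s' "$1${2:+:$2}"; }

# Constructed sample values, checked the way a startup script could be audited.
for existing in "" "/usr/lib"; do
    for builder in prepend_unsafe prepend_safe; do
        value=$($builder /opt/app/lib "$existing")
        if has_cwd_entry "$value"; then verdict="searches cwd"; else verdict="ok"; fi
        printf '%-15s existing=%-10s -> %-22s %s\n' \
            "$builder" "'$existing'" "'$value'" "$verdict"
    done
done
```

Running has_cwd_entry against the value a server's startup environment actually exports shows whether a given installation is exposed, independent of the version number a scanner reports.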
