Re: [us...@httpd] Re: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
On 10/21/2010 2:50 AM, Matus UHLAR - fantomas wrote:
> I see. Unfortunately, I haven't seen bundled expat version in the announce.
> And luckily, my version is patched.

That is a miscommunication. Something we hope to remedy in 2.4/3.0 by
unbundling sources that are 'not invented here'.

Glad that you are running an (unreleased) expat from your os vendor!

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Re: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
On 19.10.10 11:27, William A. Rowe Jr. wrote:
>>>   * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
>>>     Fix two buffer over-read flaws in the bundled copy of expat which
>>>     could cause httpd to crash while parsing specially-crafted XML documents.

On 10/20/2010 1:44 AM, Matus UHLAR - fantomas wrote:
>> does this mean that if I have apache compiled with external apr-util-1.3.10
>> and external expat, I am safe?

On 20.10.10 15:05, William A. Rowe Jr. wrote:
> From these two flaws?  Only if your external expat is also up-to-date,
> refer that question to the expat community.

I see. Unfortunately, I haven't seen bundled expat version in the announce.
And luckily, my version is patched.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
They say when you play that M$ CD backward you can hear satanic messages.
That's nothing. If you play it forward it will install Windows.
[us...@httpd] Re: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
On 19.10.10 11:27, William A. Rowe Jr. wrote:
> Subject: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
>
> The Apache Software Foundation and the Apache HTTP Server Project are
> pleased to announce the release of version 2.2.17 of the Apache HTTP
> Server ("Apache").  This version of Apache is principally a bug fix
> release, and a security fix release of the APR-util 1.3.10 dependency;
>
>   * SECURITY: CVE-2010-1623 (cve.mitre.org)
>     Fix a denial of service attack against apr_brigade_split_line().
>
>   * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
>     Fix two buffer over-read flaws in the bundled copy of expat which
>     could cause httpd to crash while parsing specially-crafted XML documents.

does this mean that if I have apache compiled with external apr-util-1.3.10
and external expat, I am safe?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Where do you want to go to die? [Microsoft]
Re: [us...@httpd] Re: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
----- Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> On 19.10.10 11:27, William A. Rowe Jr. wrote:
>> Subject: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
>>
>> The Apache Software Foundation and the Apache HTTP Server Project are
>> pleased to announce the release of version 2.2.17 of the Apache HTTP
>> Server ("Apache").  This version of Apache is principally a bug fix
>> release, and a security fix release of the APR-util 1.3.10 dependency;
>>
>>   * SECURITY: CVE-2010-1623 (cve.mitre.org)
>>     Fix a denial of service attack against apr_brigade_split_line().
>>
>>   * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
>>     Fix two buffer over-read flaws in the bundled copy of expat which
>>     could cause httpd to crash while parsing specially-crafted XML documents.
>
> does this mean that if I have apache compiled with external apr-util-1.3.10
> and external expat, I am safe?

Unless that external expat is the same version as the bundled copy.

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.ga...@brainsware.org
URL: http://brainsware.org/
Re: [us...@httpd] Re: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
On 20.10.2010 11:47, Igor Galić wrote:
> ----- Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>> On 19.10.10 11:27, William A. Rowe Jr. wrote:
>>> Subject: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
>>>
>>> The Apache Software Foundation and the Apache HTTP Server Project are
>>> pleased to announce the release of version 2.2.17 of the Apache HTTP
>>> Server ("Apache").  This version of Apache is principally a bug fix
>>> release, and a security fix release of the APR-util 1.3.10 dependency;
>>>
>>>   * SECURITY: CVE-2010-1623 (cve.mitre.org)
>>>     Fix a denial of service attack against apr_brigade_split_line().
>>>
>>>   * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
>>>     Fix two buffer over-read flaws in the bundled copy of expat which
>>>     could cause httpd to crash while parsing specially-crafted XML documents.
>>
>> does this mean that if I have apache compiled with external apr-util-1.3.10
>> and external expat, I am safe?
>
> Unless that external expat is the same version as the bundled copy.

It seems that
http://svn.apache.org/viewvc?view=revision&revision=1002628
contains additional expat fixes, which have not been released as part of
expat. Apr-Util contains expat 1.95.7 with those fixes added. There exists
1.95.8, but that doesn't seem to contain them. I don't know whether 1.95.8 or
2.0.1 are vulnerable or not.

Concerning the split brigade fix, note that a similar problem has been fixed
in the module mod_reqtimeout. This module is relatively young, so not many
configurations already activate it.

Regards,

Rainer
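As an added example (not part of Rainer's message or the httpd project's own documentation), this is the mod_reqtimeout configuration a 2.2.17 administrator would enable to bound how long a client may take to deliver request headers and body; the directive is the module's RequestReadTimeout, while the module path and the timeout and rate values are assumptions chosen for illustration:

```apache
# Load mod_reqtimeout. The .so path assumes a typical DSO layout
# (assumption); builds that link the module statically need no LoadModule.
LoadModule reqtimeout_module modules/mod_reqtimeout.so

<IfModule mod_reqtimeout.c>
    # header=20-40,MinRate=500: give the client 20 s to finish sending the
    # request headers, extending the window up to 40 s in total as long as
    # it keeps delivering at least 500 bytes per second.
    # body=20,MinRate=500: 20 s for the request body, extended while the
    # client sustains at least 500 bytes per second.
    # Connections that fall below these limits are closed with a 408,
    # so a client that trickles bytes cannot hold a worker indefinitely.
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

After enabling it, confirm the module is active with `httpd -M` (it should list reqtimeout_module) and tune the values against your slowest legitimate clients before lowering them further.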
Re: [us...@httpd] Re: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
On 10/20/2010 1:44 AM, Matus UHLAR - fantomas wrote:
> On 19.10.10 11:27, William A. Rowe Jr. wrote:
>> Subject: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
>>
>> The Apache Software Foundation and the Apache HTTP Server Project are
>> pleased to announce the release of version 2.2.17 of the Apache HTTP
>> Server ("Apache").  This version of Apache is principally a bug fix
>> release, and a security fix release of the APR-util 1.3.10 dependency;
>>
>>   * SECURITY: CVE-2010-1623 (cve.mitre.org)
>>     Fix a denial of service attack against apr_brigade_split_line().
>>
>>   * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
>>     Fix two buffer over-read flaws in the bundled copy of expat which
>>     could cause httpd to crash while parsing specially-crafted XML documents.
>
> does this mean that if I have apache compiled with external apr-util-1.3.10
> and external expat, I am safe?

From these two flaws?  Only if your external expat is also up-to-date,
refer that question to the expat community.