On Thu, May 24, 2012 at 3:30 PM, William A. Rowe Jr. <wr...@rowe-clan.net> wrote:
> On 5/24/2012 12:05 PM, Luke Lozier wrote:
>> One of the PCI scanning companies is demanding an upgrade to 2.4.2 due to the issues
>> described in this CVE:
>>
>> Changes with Apache 2.2.23
>>
>> *) SECURITY: CVE-2012-0883 (cve.mitre.org <http://cve.mitre.org>)
>> envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
>> current working directory to be searched for DSOs. [Stefan Fritsch]
>>
>> Is there any idea when 2.2.23 will be released? I'd rather not upgrade to 2.4.2
>
> Modify your installed envvars (and envvars-std) script and apachectl (or equivalent
> script provided by your application vendor) to ensure that this code is changed;
>
>
> @@ -18,6 +18,10 @@
> #
> # This file is generated from envvars-std.in
> #
> -LD_LIBRARY_PATH="/path/to/httpd/lib:$LD_LIBRARY_PATH"
> +if test "x$LD_LIBRARY_PATH" != "x" ; then
> + LD_LIBRARY_PATH="/path/to/httpd/lib:$LD_LIBRARY_PATH"
> +else
> + LD_LIBRARY_PATH="/path/to/httpd/lib"
> +fi
> export LD_LIBRARY_PATH
> #
>
> On oddball platforms this may be LIBPATH or SHLIB_PATH instead of LD_LIBRARY_PATH.
> If your platform's apachectl script invokes envvars, you are done. If it doesn't,
> there may be an insecure LD_LIBRARY_PATH assignment, just use the example above.
>
> Upgrading for this defect is frankly silly, although effective. There is no planned
> date yet for 2.2.23 although it will come along sometime in the not too distant
> future.
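Review bot: the guard `if test "x$LD_LIBRARY_PATH" != "x"` only prevents the empty trailing element (the `:` with nothing after it, which is what makes the loader search the current working directory) when LD_LIBRARY_PATH is unset or empty; a value inherited from the environment that already carries an empty element (a leading or trailing `:`, or `::`) is passed through unchanged by the `+` branch `LD_LIBRARY_PATH="/path/to/httpd/lib:$LD_LIBRARY_PATH"`, so the script should also strip empty elements from the inherited value. Since the context line `# This file is generated from envvars-std.in` marks this as a generated file, the same edit has to land in the template as well or it is lost when the file is regenerated, and on the platforms the reply mentions the equivalent guard is needed around LIBPATH or SHLIB_PATH.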
Actually, upgrading for this defect is not effective if the user simply runs "make install" to update an existing installation. They must manually edit/recreate envvars if an existing installation directory is used.

I think that CHANGES entries and security doc (http://httpd.apache.org/security/vulnerabilities_24.html) need to be updated to cover this issue.

Alternate thoughts?

--
Born in Roswell... married an alien...
http://emptyhammock.com/
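As an added example (not code from the thread or from httpd's own envvars script), a portable sh helper that does what the quoted patch does and, going a step further, also drops empty elements already present in the inherited value; /path/to/httpd/lib is the placeholder directory from the quoted patch, and the function names are my own.

```sh
#!/bin/sh
# Added example, not code from the thread or from httpd's envvars script.
# safe_prepend DIR PATHVALUE prints DIR followed by the non-empty elements of
# PATHVALUE, so the result never contains an empty element. An empty element
# (leading, trailing or doubled ':') makes the dynamic loader search the current
# working directory, the defect behind CVE-2012-0883; the quoted patch avoids
# creating one from an empty LD_LIBRARY_PATH, and this helper additionally
# removes any inherited from the environment. DIR is skipped if already present,
# so sourcing the script twice does not grow the path.
safe_prepend() {
    dir=$1
    rest=$2
    result=$dir
    while [ -n "$rest" ]; do
        case $rest in
            *:*) elem=${rest%%:*}; rest=${rest#*:} ;;
            *)   elem=$rest; rest= ;;
        esac
        if [ -n "$elem" ] && [ "$elem" != "$dir" ]; then
            result="$result:$elem"
        fi
    done
    printf '%s' "$result"
}

# has_empty_element PATHVALUE succeeds (exit 0) when PATHVALUE contains an
# empty element. A completely empty value is not flagged: it carries no
# element at all, so there is nothing for the loader to search.
has_empty_element() {
    case $1 in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Usage as it would appear in an envvars script. On the platforms the thread
# mentions, the variable is LIBPATH or SHLIB_PATH instead of LD_LIBRARY_PATH.
LD_LIBRARY_PATH=$(safe_prepend /path/to/httpd/lib "${LD_LIBRARY_PATH:-}")
export LD_LIBRARY_PATH

# A check an administrator can run on the value an existing script produces:
if has_empty_element "$LD_LIBRARY_PATH"; then
    echo "LD_LIBRARY_PATH has an empty element: current directory would be searched" >&2
fi
```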