On 20.10.2010 11:47, Igor Galić wrote:
> ----- "Matus UHLAR - fantomas" <uh...@fantomas.sk> wrote:
>> On 19.10.10 11:27, William A. Rowe Jr. wrote:
>>> Subject: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
>>>
>>> The Apache Software Foundation and the Apache HTTP Server Project are
>>> pleased to announce the release of version 2.2.17 of the Apache HTTP
>>> Server ("Apache"). This version of Apache is principally a bug fix
>>> release, and a security fix release of the APR-util 1.3.10 dependency;
>>>
>>> * SECURITY: CVE-2010-1623 (cve.mitre.org)
>>>   Fix a denial of service attack against apr_brigade_split_line().
>>>
>>> * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
>>>   Fix two buffer over-read flaws in the bundled copy of expat which
>>>   could cause httpd to crash while parsing specially-crafted
>>>   XML documents.
>>
>> does this mean that if I have apache compiled with external
>> apr-util-1.3.10 and external expat, I am safe?
Unless that external expat is the same version as the bundled copy.
It seems that
http://svn.apache.org/viewvc?view=revision&revision=1002628
contains additional expat fixes, which have not been released as part of
expat. Apr-Util contains expat 1.95.7 with those fixes added. There
exists 1.95.8, but that doesn't seem to contain them. I don't know
whether 1.95.8 or 2.0.1 are vulnerable or not.
Concerning the split brigade fix, note that a similar problem has been
fixed in the module mod_reqtimeout. This module is relatively young, so
not many configurations already activate it.
Regards,
Rainer
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.