On 5/24/2012 12:05 PM, Luke Lozier wrote:
> One of the PCI scanning companies is demanding an upgrade to 2.4.2 due to the issues
> described in this CVE:
>
> Changes with Apache 2.2.23
>
> *) SECURITY: CVE-2012-0883 (cve.mitre.org)
> envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
> current working directory to be searched for DSOs. [Stefan Fritsch]
>
> Is there any idea when 2.2.23 will be released? I'd rather not upgrade to 2.4.2

Modify your installed envvars (and envvars-std) script and apachectl (or equivalent script provided by your application vendor) to ensure that this code is changed;

@@ -18,6 +18,10 @@
 #
 # This file is generated from envvars-std.in
 #
-LD_LIBRARY_PATH="/path/to/httpd/lib:$LD_LIBRARY_PATH"
+if test "x$LD_LIBRARY_PATH" != "x" ; then
+  LD_LIBRARY_PATH="/path/to/httpd/lib:$LD_LIBRARY_PATH"
+else
+  LD_LIBRARY_PATH="/path/to/httpd/lib"
+fi
 export LD_LIBRARY_PATH
# On oddball platforms this may be LIBPATH or SHLIB_PATH instead of LD_LIBRARY_PATH.

If your platform's apachectl script invokes envvars, you are done. If it doesn't, there may be an insecure LD_LIBRARY_PATH assignment, just use the example above.

Upgrading for this defect is frankly silly, although effective. There is no planned date yet for 2.2.23 although it will come along sometime in the not too distant future.
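Review bot: the `+if test "x$LD_LIBRARY_PATH" != "x"` guard only stops the script from appending a trailing colon when the variable is unset or empty; it does not sanitise a value that already contains an empty element (a leading, trailing or doubled colon) inherited from the caller, so document that the fix prevents introducing a current-directory search rather than removing one already present in the environment. Since the context line `# This file is generated from envvars-std.in` says envvars is generated, apply the same `if`/`else` to envvars-std.in (and to any vendor apachectl that assigns the variable itself) so the change survives regeneration, and repeat it for the LIBPATH or SHLIB_PATH assignment on the platforms the reply mentions, which carry the identical unconditional prepend.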
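The guarded assignment from the reply above, as an added POSIX sh example that is not part of the original post or of the httpd project's envvars script. It contrasts the old unconditional prepend with the patched form and adds a small audit helper, `searches_cwd`, that flags a library path value the dynamic loader would treat as including the current working directory. The `/opt/httpd/lib` and `/usr/local/lib` paths are constructed sample values.

```sh
#!/bin/sh
# Added example, not the httpd project's code. Paths are constructed samples.

# naive_prepend: the pre-2.2.23 envvars behaviour. With the second argument
# (the inherited LD_LIBRARY_PATH) empty, the result is "/opt/httpd/lib:" and
# the empty element after the colon is read by the loader as the current
# working directory, which is the defect CVE-2012-0883 describes.
naive_prepend() {
    printf '%s\n' "$1:$2"
}

# safe_prepend: the guarded form from the patch. The separator is only added
# when there is an existing value to preserve, so no empty element appears.
safe_prepend() {
    if test "x$2" != "x" ; then
        printf '%s\n' "$1:$2"
    else
        printf '%s\n' "$1"
    fi
}

# searches_cwd: audit helper. Returns 0 (true) when a colon-separated library
# path contains an empty element (leading, trailing or doubled colon) or an
# explicit "." element, i.e. when the loader would search the current
# directory for DSOs. An unset or empty value is NOT flagged: it adds no
# search path at all.
searches_cwd() {
    case "$1" in
        "")                          return 1 ;;
        :*|*:|*::*)                  return 0 ;;
        .|.:*|*:.|*:.:*)             return 0 ;;
        *)                           return 1 ;;
    esac
}

# audit_value: one-line report for a candidate LD_LIBRARY_PATH value, e.g.
# the output of sourcing an envvars script with the variable unset.
audit_value() {
    if searches_cwd "$1" ; then
        printf 'INSECURE: "%s" lets the loader search the current directory\n' "$1"
        return 1
    fi
    printf 'ok: "%s"\n' "$1"
    return 0
}

# Demonstration with LD_LIBRARY_PATH unset (empty second argument).
demo() {
    audit_value "$(naive_prepend /opt/httpd/lib "")"
    audit_value "$(safe_prepend  /opt/httpd/lib "")"
    audit_value "$(safe_prepend  /opt/httpd/lib /usr/local/lib)"
}
```

Run `demo` after sourcing the file, or point `audit_value` at the value your own envvars produces (`sh -c '. ./envvars; printf "%s\n" "$LD_LIBRARY_PATH"'` with the variable unset) to confirm the patched script no longer emits a trailing colon.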