John Iliffe schrieb:
On Thursday 24 May 2012 13:05:10 Luke Lozier wrote:
One of the PCI scanning companies is demanding an upgrade to 2.4.2 due to the issues described in this CVE: Changes with Apache 2.2.23 *) SECURITY: CVE-2012-0883 (cve.mitre.org) envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the current working directory to be searched for DSOs. [Stefan Fritsch] Is there any idea when 2.2.23 will be released? I'd rather not upgrade to 2.4.2
I got caught the same way in March (re PCI scanning). Guess my guy is more up to date than yours! There should be no reason that I found not to update to 2.4.2 BUT BE CAREFUL OF THE CONFIG FILE CHANGES! For example the "order deny allow" format directives no longer work in 2.4.*. There are a few other changes. Also, do not be tempted to update to PHP 5.4.0 as it will cause segfaults in all the child processes for reasons that escape me completely. Use a 5.3.x version. This may be my problem but someone on this list was able to confirm the issue and said that it is a PHP issue. It may be resolved by now.
That's a little bit unclear. In their release announcement they said it is fixed "Fixed bug #61172 (Add Apache 2.4 support)." <http://www.php.net/archive/2012.php#id2012-04-26-1> But in the changelog #61172 is only listed for 5.3.11, but not for 5.4.1. Hendrik --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|