I'm running 2.2.4 and I've been told I need to manually tweak mod_rewrite.c to fix CVE-2007-3008. I can't find any mention of this bug in the bug list.
Here's my info:
Server version: Apache/2.2.4 (Unix)
Server built: Jun 8 2007 08:19:28
Server's Module Magic Number: 20051115:4
Server loaded: APR 1.2.8, APR-Util 1.2.8
Compiled using: APR 1.2.8, APR-Util 1.2.8
Architecture: 32-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped
addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/apps/apache/httpd-2.2.4"
-D SUEXEC_BIN="/apps/apache/httpd-2.2.4/bin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="logs/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
Does anyone know if this bug has been antiquated by a higher version of 2 or by a bugfix? I checked the changelog, but, I didn't see anything.
Thanks,
John
