On 20.10.2010 11:47, Igor Galić wrote:

> ----- "Matus UHLAR - fantomas" <uhlar@xxxxxxxxxxx> wrote:
>> On 19.10.10 11:27, William A. Rowe Jr. wrote:
>>> Subject: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
>>>
>>> The Apache Software Foundation and the Apache HTTP Server Project are
>>> pleased to announce the release of version 2.2.17 of the Apache HTTP
>>> Server ("Apache"). This version of Apache is principally a bugfix
>>> release, and a security fix release of the APR-util 1.3.10 dependency;
>>>
>>> * SECURITY: CVE-2010-1623 (cve.mitre.org)
>>>   Fix a denial of service attack against apr_brigade_split_line().
>>>
>>> * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
>>>   Fix two buffer over-read flaws in the bundled copy of expat which
>>>   could cause httpd to crash while parsing specially-crafted XML documents.
>>
>> does this mean that if I have apache compiled with external apr-util-1.3.10
>> and external expat, I am safe?
>
> Unless that external expat is the same version as the bundled copy.
It seems that http://svn.apache.org/viewvc?view=revision&revision=1002628 contains additional expat fixes, which have not been released as part of expat. Apr-Util contains expat 1.95.7 with those fixes added. There exists 1.95.8, but that doesn't seem to contain them. I don't know whether 1.95.8 or 2.0.1 are vulnerable or not.
Concerning the split brigade fix, note that a similar problem has been fixed in the module mod_reqtimeout. This module is relatively young, so not many configurations already activate it.
Regards,

Rainer
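Since the thread points out that few configurations actually activate mod_reqtimeout, here is how the module is explicitly enabled on an httpd 2.2.x build that ships it (an added example, not from any message in the thread; the module path and the timeout values are assumptions, and the values shown are the ones the httpd documentation uses as its example):

```apache
# Added example, not part of the original thread.
# Module path is an assumption; distributions differ (e.g. a conf.d/mods-enabled layout).
LoadModule reqtimeout_module modules/mod_reqtimeout.so

<IfModule reqtimeout_module>
    # header: allow 20 s to receive the request headers, extended up to 40 s
    #         as long as the client keeps sending at least 500 bytes/s.
    # body:   allow 20 s to receive the request body, extended indefinitely
    #         as long as the client keeps sending at least 500 bytes/s.
    # Connections that fall below these rates are closed, limiting the damage
    # a slow or stalled client can do to the worker pool.
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

After adding this, `httpd -M` (or `apachectl -M`) should list `reqtimeout_module`; if it does not, the LoadModule line is not being read and the fix discussed above is not in effect for request reading.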