On 10/20/2010 1:44 AM, Matus UHLAR - fantomas wrote: > On 19.10.10 11:27, William A. Rowe Jr. wrote: >> Subject: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released > >> The Apache Software Foundation and the Apache HTTP Server Project are >> pleased to announce the release of version 2.2.17 of the Apache HTTP >> Server ("Apache"). This version of Apache is principally a bug fix >> release, and a security fix release of the APR-util 1.3.10 dependency; >> >> * SECURITY: CVE-2010-1623 (cve.mitre.org) >> Fix a denial of service attack against apr_brigade_split_line(). >> >> * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org) >> Fix two buffer over-read flaws in the bundled copy of expat which >> could cause httpd to crash while parsing specially-crafted >> XML documents. > > does this mean that if I have apache compiled with external > apr-util-1.3.10 and external expat, I am safe? >From these two flaws? Only if your external expat is also up-to-date, refer that question to the expat community. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx