public inbox for gentoo-announce@lists.gentoo.org
 help / color / mirror / Atom feed
From: Rajiv Aaron Manglani <rajiv@gentoo.org>
To: gentoo-announce@gentoo.org
Subject: [gentoo-announce] GLSA:  apache (200310-04)
Date: Fri, 31 Oct 2003 03:54:03 -0500	[thread overview]
Message-ID: <a0521060dbbc7d3a17113@[10.96.0.12]> (raw)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200310-04
- ---------------------------------------------------------------------------

          PACKAGE : net-www/apache
          SUMMARY : buffer overflow
             DATE : Fri Oct 31 07:59:00 UTC 2003
          EXPLOIT : local
VERSIONS AFFECTED : <apache-2.0.48
    FIXED VERSION : >=apache-2.0.48
       GENTOO BUG : http://bugs.gentoo.org/show_bug.cgi?id=32271
              CVE : CAN-2003-0789 CAN-2003-0542

- ---------------------------------------------------------------------------

Quote from <http://www.apache.org/dist/httpd/Announcement2.html>:

    This version of Apache is principally a bug fix release. A summary of
    the bug fixes is given at the end of this document. Of particular note
    is that 2.0.48 addresses two security vulnerabilities:

    mod_cgid mishandling of CGI redirect paths could result in CGI output
    going to the wrong client when a threaded MPM is used.
    [CAN-2003-0789]
    
    A buffer overflow could occur in mod_alias and mod_rewrite when a
    regular expression with more than 9 captures is configured.
    [CAN-2003-0542]
    
    This release is compatible with modules compiled for 2.0.42 and later
    versions. We consider this release to be the best version of Apache
    available and encourage users of all prior versions to upgrade.


SOLUTION

It is recommended that all Gentoo Linux users who are running
net-misc/apache 2.x upgrade:

emerge sync
emerge '>=net-www/apache-2.0.48'
emerge clean

Please remember to update your config files in /etc/apache2
as --datadir has been changed to /var/www/localhost.

Note that a forthcoming GLSA-200310-03 will address similar issues
in Apache 1.x.


// end

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/ohjbnt0v0zAqOHYRAlmaAJ0cLO512mWAXfUP5I/2HZGx0FI3dgCgmPlv
KSJYnPXDC4WjlleSR+mo2Go=
=oy6h
-----END PGP SIGNATURE-----


                 reply	other threads:[~2003-10-31  8:56 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='a0521060dbbc7d3a17113@[10.96.0.12]' \
    --to=rajiv@gentoo.org \
    --cc=gentoo-announce@gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox