Gentoo Archives: gentoo-announce

From: Rajiv Aaron Manglani <rajiv@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] GLSA: apache (200310-04)
Date: Fri, 31 Oct 2003 08:56:24
Message-Id: a0521060dbbc7d3a17113@[10.96.0.12]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200310-04
- ---------------------------------------------------------------------------

PACKAGE : net-www/apache
SUMMARY : buffer overflow
DATE : Fri Oct 31 07:59:00 UTC 2003
EXPLOIT : local
VERSIONS AFFECTED : <apache-2.0.48
FIXED VERSION : >=apache-2.0.48
GENTOO BUG : http://bugs.gentoo.org/show_bug.cgi?id=32271
CVE : CAN-2003-0789 CAN-2003-0542

- ---------------------------------------------------------------------------

Quote from <http://www.apache.org/dist/httpd/Announcement2.html>:

This version of Apache is principally a bug fix release. A summary of
the bug fixes is given at the end of this document. Of particular note
is that 2.0.48 addresses two security vulnerabilities:

mod_cgid mishandling of CGI redirect paths could result in CGI output
going to the wrong client when a threaded MPM is used.
[CAN-2003-0789]

A buffer overflow could occur in mod_alias and mod_rewrite when a
regular expression with more than 9 captures is configured.
[CAN-2003-0542]

This release is compatible with modules compiled for 2.0.42 and later
versions. We consider this release to be the best version of Apache
available and encourage users of all prior versions to upgrade.


SOLUTION

It is recommended that all Gentoo Linux users who are running
net-misc/apache 2.x upgrade:

emerge sync
emerge '>=net-www/apache-2.0.48'
emerge clean

Please remember to update your config files in /etc/apache2
as --datadir has been changed to /var/www/localhost.

Note that a forthcoming GLSA-200310-03 will address similar issues
in Apache 1.x.


// end

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/ohjbnt0v0zAqOHYRAlmaAJ0cLO512mWAXfUP5I/2HZGx0FI3dgCgmPlv
KSJYnPXDC4WjlleSR+mo2Go=
=oy6h
-----END PGP SIGNATURE-----
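
Added example, not part of the original announcement and not Gentoo or Apache code: a configuration audit for the CAN-2003-0542 condition quoted above, reporting mod_alias and mod_rewrite directives whose regular expression has more than 9 captures. The directive table, the constructed sample configuration and the simplified group counter (every "(?" group is treated as non-capturing) are assumptions of this example.

```python
import re

MAX_CAPTURES = 9  # the announcement: overflow with "more than 9 captures"
# Assumed directive table: mod_alias / mod_rewrite name -> index of regex argument
REGEX_ARG = {"aliasmatch": 0, "scriptaliasmatch": 0, "redirectmatch": 0,
             "rewriterule": 0, "rewritecond": 1}
REDIRECT_STATUS = {"permanent", "temp", "seeother", "gone"}
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')  # quoted or bare argument

SAMPLE_CONF = r'''# Constructed sample httpd.conf fragment
RewriteRule ^/(a)/(b)/(c)/(d)/(e)/(f)/(g)/(h)/(i)/(j)$ /x/$1 [L]
RewriteRule ^/(?:old|legacy)/([^/()]+)/\((\d+)\)$ /new/$1/$2
AliasMatch "^/m/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)(k)" "/srv/$1"
RedirectMatch permanent ^/(\w+)/(\w+)$ http://example.org/$2
'''

def count_captures(pattern):
    """Count capturing groups: unescaped '(' outside [...] and not '(?'."""
    count, i, in_class = 0, 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2                      # skip the escaped character
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
            # skip a leading '^' and a literal leading ']' inside the class
            i += len(re.match(r"\^?\]?", pattern[i + 1:]).group())
        elif ch == "(" and pattern[i + 1:i + 2] != "?":
            count += 1
        i += 1
    return count

def audit(conf_text):
    """Return (line_no, directive, captures) for each regex over the limit."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        words = [q or w for q, w in TOKEN.findall(line)]
        if not words or words[0].lower() not in REGEX_ARG:
            continue                    # comment, blank or unrelated directive
        name, args = words[0], words[1:]
        idx = REGEX_ARG[name.lower()]
        if name.lower() == "redirectmatch" and args and (
                args[0].lower() in REDIRECT_STATUS or args[0].isdigit()):
            idx = 1                     # optional status precedes the regex
        n = count_captures(args[idx]) if idx < len(args) else 0
        if n > MAX_CAPTURES:
            findings.append((line_no, name, n))
    return findings
```

audit(SAMPLE_CONF) reports lines 2 and 4 of the constructed sample; the same call can be run over the text of the files in /etc/apache2 and any .htaccess files.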