You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Matus UHLAR - fantomas <uh...@fantomas.sk> on 2010/10/20 08:44:43 UTC
[users@httpd] Re: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
On 19.10.10 11:27, William A. Rowe Jr. wrote:
> Subject: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
> The Apache Software Foundation and the Apache HTTP Server Project are
> pleased to announce the release of version 2.2.17 of the Apache HTTP
> Server ("Apache"). This version of Apache is principally a bug fix
> release, and a security fix release of the APR-util 1.3.10 dependency;
>
> * SECURITY: CVE-2010-1623 (cve.mitre.org)
> Fix a denial of service attack against apr_brigade_split_line().
>
> * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
> Fix two buffer over-read flaws in the bundled copy of expat which
> could cause httpd to crash while parsing specially-crafted
> XML documents.
does this mean that if I have apache compiled with external
apr-util-1.3.10 and external expat, I am safe?
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: [announce] Apache HTTP Server 2.2.17 and 2.0.64
Released
Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 10/21/2010 2:50 AM, Matus UHLAR - fantomas wrote:
>
> I see. Unfortunately, I haven't seen bundled expat version in the announce.
> And luckily, my version is patched.
That is a miscommunication. Something we hope to remedy in 2.4/3.0 by
unbundling sources that are 'not invented here'.
Glad that you are running an (unreleased) expat from your os vendor!
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: [announce] Apache HTTP Server 2.2.17 and
2.0.64 Released
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> > On 19.10.10 11:27, William A. Rowe Jr. wrote:
> >> * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
> >> Fix two buffer over-read flaws in the bundled copy of expat which
> >> could cause httpd to crash while parsing specially-crafted
> >> XML documents.
> On 10/20/2010 1:44 AM, Matus UHLAR - fantomas wrote:
> > does this mean that if I have apache compiled with external
> > apr-util-1.3.10 and external expat, I am safe?
On 20.10.10 15:05, William A. Rowe Jr. wrote:
> From these two flaws? Only if your external expat is also up-to-date, refer
> that question to the expat community.
I see. Unfortunately, I haven't seen bundled expat version in the announce.
And luckily, my version is patched.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: [announce] Apache HTTP Server 2.2.17 and 2.0.64
Released
Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 10/20/2010 1:44 AM, Matus UHLAR - fantomas wrote:
> On 19.10.10 11:27, William A. Rowe Jr. wrote:
>> Subject: [announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
>
>> The Apache Software Foundation and the Apache HTTP Server Project are
>> pleased to announce the release of version 2.2.17 of the Apache HTTP
>> Server ("Apache"). This version of Apache is principally a bug fix
>> release, and a security fix release of the APR-util 1.3.10 dependency;
>>
>> * SECURITY: CVE-2010-1623 (cve.mitre.org)
>> Fix a denial of service attack against apr_brigade_split_line().
>>
>> * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
>> Fix two buffer over-read flaws in the bundled copy of expat which
>> could cause httpd to crash while parsing specially-crafted
>> XML documents.
>
> does this mean that if I have apache compiled with external
> apr-util-1.3.10 and external expat, I am safe?
>From these two flaws? Only if your external expat is also up-to-date, refer
that question to the expat community.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org