apache webpage lists it as a security update, though not citing which changes are security relevant. According to http://www.apache.org/dist/httpd/CHANGES_2.2.17 these sound possibly security relevant:

*) core: check symlink ownership if both FollowSymlinks and SymlinksIfOwnerMatch are set [Nick Kew]
*) rotatelogs: Fix possible buffer overflow if admin configures a mongo log file path. [Jeff Trawick]
*) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton]
http://www.apache.org/dist/httpd/Announcement2.2.html lists three security fixes.

* CVE-2010-1623: Fix a denial of service attack against apr_brigade_split_line().
* CVE-2009-3560, CVE-2009-3720: Fix two buffer over-read flaws in the bundled copy of expat which could cause applications to crash while parsing specially-crafted XML documents.

The apache-2.2.16 ebuild does appear to bundle vulnerable versions of apr-util and expat.
(In reply to comment #1)
> The apache-2.2.16 ebuild does appear to bundle vulnerable versions of apr-util
> and expat.

No. www-servers/apache doesn't use any bundled libraries.
Bump the version anyway :-)
Any progress regarding this version bump?
@apache Are there reasons why there is a delay of three months for this bump in tree? Dropping if it was not focussed on a possible security bug, I think that it is important software and a bump has priority.
2.2.17 was released almost 4 months ago... listed as a security and bugfix release.
Created attachment 261943: apache-2.2.17.ebuild

Experimental ebuild for Apache-2.2.17, works here, no guarantees. Requires the tarball (just re-rolled the current gentoo patchset with no internal changes) which I will also upload, plus you must also bump app-admin/apache-tools-2.2.17 (I used a simple rename in my local portage dir).
Created attachment 261949: tarball for apache-2.2.17

Place this tarball in distfiles for apache-2.2.17.
Bump is needed ASAP.

*) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton]

~amd64 systems with Apache 2.2.16-r1 + glibc 2.13 can't use mod_ssl now.
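The mod_ssl entry quoted above is about a memcpy() whose source and destination ranges overlap, which is undefined behaviour in C and which newer glibc memcpy() implementations no longer happen to tolerate. The following is an added illustration, not code from Apache or the ebuild: a range-overlap check, a copy wrapper that routes overlapping copies to memmove(), and a constructed in-place shift that shows how such an overlap arises. All function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if the byte ranges [dst, dst+n) and [src, src+n) overlap.
   memcpy() is undefined on overlapping ranges; memmove() handles them. */
int ranges_overlap(const void *dst, const void *src, size_t n) {
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if (n == 0)
        return 0;
    return d < s + n && s < d + n;
}

/* Copy that tolerates overlap: overlapping copies go to memmove(),
   everything else keeps the (usually faster) memcpy(). */
void *safe_copy(void *dst, const void *src, size_t n) {
    if (ranges_overlap(dst, src, n))
        return memmove(dst, src, n);
    return memcpy(dst, src, n);
}

/* Constructed demonstration: drop the first two bytes of a buffer in place,
   the kind of shuffle where src and dst silently overlap. Writes the result
   into out and returns whether an overlap was detected. */
int demo_shift_left(char *out, size_t out_len) {
    char buf[] = "ABCDEFGH";            /* constructed sample input */
    size_t n = strlen(buf) - 2;         /* 6 bytes move from buf+2 to buf */
    int overlapped = ranges_overlap(buf, buf + 2, n);
    safe_copy(buf, buf + 2, n);
    buf[n] = '\0';
    snprintf(out, out_len, "%s", buf);  /* "CDEFGH" */
    return overlapped;
}
```

Running an affected build under valgrind or with glibc's memcpy diagnostics is the practical way to find such call sites; the wrapper above is only a minimal pattern for the fix.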
Yes, please add it to the tree, I can't use SSL. Or next time hold back app-breaking updates of glibc, thx. ~amd64/no-multilib
I can confirm that this build appears to fix my own SSL problems (amd64). Is there an ETA on actually releasing it?
(In reply to comment #11)
> I can confirm that this build appears to fix my own ssl problems (amd64). Is
> there an eta on actually releasing it?

I'll amend that, the bug is still there, just less pervasive.
(In reply to comment #12)
> (In reply to comment #11)
> > I can confirm that this build appears to fix my own ssl problems (amd64). Is
> > there an eta on actually releasing it?
>
> I'll amend that, the bug is still there just less pervasive.

Drat, turns out you also need apache-tools-2.2.17 to install this, missed that.
When can we expect to add this version to the tree?
2.2.17 is in portage.