| Summary: | www-servers/apache-2.2.17: Version bump | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Hanno Böck <hanno> |
| Component: | Current packages | Assignee: | Apache Team - Bugzilla Reports <apache-bugs> |
| Status: | RESOLVED FIXED | | |
| Severity: | enhancement | CC: | ago, attila.jecs, binki, bug, candrews, chris, jaak, joel, karl, orzel, pawelj |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| URL: | http://www.apache.org/dist/httpd/CHANGES_2.2.17 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 347782, 354297 | | |
| Attachments: | apache-2.2.17.ebuild; tarball for apache-2.2.17 | | |
Description
Hanno Böck
2010-10-21 18:47:38 UTC
http://www.apache.org/dist/httpd/Announcement2.2.html lists three security fixes.

* CVE-2010-1623: Fix a denial of service attack against apr_brigade_split_line().
* CVE-2009-3560, CVE-2009-3720: Fix two buffer over-read flaws in the bundled copy of expat which could cause applications to crash while parsing specially-crafted XML documents.

The apache-2.2.16 ebuild does appear to bundle vulnerable versions of apr-util and expat.

(In reply to comment #1)
> The apache-2.2.16 ebuild does appear to bundle vulnerable versions of apr-util
> and expat.

No. www-servers/apache doesn't use any bundled libraries. Bump the version anyway :-)

Any progress regarding this version bump?

@apache There are reasons why there is a delay of three months of this bump in tree?

Dropping if it was not focussed on a possible security bug, I think that it is important software and a bump has priority.

2.2.17 released almost 4 months ago... listed as security and bugfix release.

Created attachment 261943 [details]
apache-2.2.17.ebuild

Experimental ebuild for Apache-2.2.17, works here, no guarantees. Requires the tarball (just re-rolled the current gentoo patchset with no internal changes) which I will also upload, plus you must also bump app-admin/apache-tools-2.2.17 (I used a simple rename in my local portage dir).

Created attachment 261949 [details]
tarball for apache-2.2.17

Place this tarball in distfiles for apache-2.2.17.

Bump is needed ASAP.

*) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton]

~amd64 systems with Apache 2.2.16-r1 + glibc 2.13 can't use mod_ssl now.

Yes, please add it to the tree, I can't use ssl. Or next time hold back app-breaking updates of glibc, thx. ~amd64/no-multilib

I can confirm that this build appears to fix my own ssl problems (amd64). Is there an eta on actually releasing it?

(In reply to comment #11)
> I can confirm that this build appears to fix my own ssl problems (amd64). Is
> there an eta on actually releasing it?

I'll amend that, the bug is still there just less pervasive.

(In reply to comment #12)
> (In reply to comment #11)
> > I can confirm that this build appears to fix my own ssl problems (amd64). Is
> > there an eta on actually releasing it?
>
> I'll amend that, the bug is still there just less pervasive.

Drat, turns out you also need apache-tools-2.2.17 to install this, missed that.

When can we expect to add this version to the tree?

2.2.17 in portage