from http://httpd.apache.org/dev/dist/Announcement Apache 1.3.29 Major changes Security vulnerabilities * CAN-2003-0542 (cve.mitre.org) Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures.
There's a thread on the mod_ssl user mailing list that suggests the existing mod_ssl may work with apache 1.3.29 Noted there is mod_ssl 2.8.15 works fine with Apache 1.3.29 http://marc.theaimsgroup.com/?t=106743763400003&r=1&w=2
waiting for tomorrow 2.8.16-apache-1.3.29 will be release
1.3.29 is in cvs
ok I just bumped the mod_ssl to version mod_ssl-2.8.16 as ~arch A GLSA can go out for this after some testing has been done. Please test so it can be marked x86 (not ~arch) ASAP
I'm not sure this hepls, but just merged net-www/apache-1.3.29-r1 and net-www/mod_ssl-2.8.16 on 2 internal servers and on 2 production servers and no poblems were encountered. new confs were not used during testing. tested stuff: mod_php4, mod_ssl, mod_setenvif, mod_auth, mod_access, mod_rewrite, mod_alias, mod_actions, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_mime, mod_log_config
GLSA 200310-03 sent ... -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --------------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT 200310-03 - --------------------------------------------------------------------------- PACKAGE : net-www/apache SUMMARY : buffer overflow DATE : Tue Oct 28 16:43:46 UTC 2003 EXPLOIT : local VERSIONS AFFECTED : <apache-1.3.29 FIXED VERSION : >=apache-1.3.29 CVE : CAN-2003-0542 (under review at time of GLSA) - --------------------------------------------------------------------------- Quote from <http://httpd.apache.org/dev/dist/Announcement>: This version of Apache is principally a bug and security fix release. A partial summary of the bug fixes is given at the end of this document. A full listing of changes can be found in the CHANGES file. Of particular note is that 1.3.29 addresses and fixes 1 potential security issue: o CAN-2003-0542 (cve.mitre.org) Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures. We consider Apache 1.3.29 to be the best version of Apache 1.3 available and we strongly recommend that users of older versions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible. No further releases will be made in the 1.2.x family. SOLUTION It is recommended that all Gentoo Linux users who are running net-misc/apache 1.x upgrade: emerge sync emerge -pv apache emerge '>=net-www/apache-1.3.29' emerge clean /etc/init.d/apache restart // end -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQE/vGZWnt0v0zAqOHYRAnnUAKCf7j5ZciPl2A/lfT2G6re9L0ZjugCfQGYk RyV+5R/BFsdAzsMYZp9dT8A= =ym4e -----END PGP SIGNATURE-----