A recent GLSA security announcement sent to the Gentoo mailing lists suggests that all users running <=apache-2.0.42 upgrade their copy. However, the new ebuild (apache-2.0.43) is marked as experimental (i.e. KEYWORDS="~x86 ~ppc") so only people opting to install experimental packages will be able to update.
Is anything going to happen about this bug? AFAICS it's quite major: there may be many people with an insecure version of Apache, despite following the instructions in the security announcement (since 'emerge apache' will not pick up the fixed one unless you have experimental ebuilds turned on). If Apache 2.0.43 works properly, surely all that needs to be done is to change the KEYWORDS line in net-www/apache-2.0.43.ebuild? Is there any reason why this hasn't been done yet?
Sorry for the delayed answer. This update for apache concerns only the version 2 of apache (apache-2.x). The older version 1 (apache-1.x) is not vulnerable to the exploits described or has already been updated to a safe version. I'm sorry if this was not clear in the GLSA.
Sorry - perhaps you misunderstand me. When the GLSA notice arrived, I was running apache-2.0.42 (having unmasked it manually by editing packages.mask). The update method suggested in the GLSA didn't work (even after manually unmasking >=apache-2.0.0 again), since apache-2.0.43 was marked experimental (i.e. that ebuild contains the line 'KEYWORDS="~x86 ~ppc"', so this ebuild will not install unless I set ACCEPT_KEYWORDS="~x86" in my make.conf). My point is that if apache-2.0.43 is a major security update, why does it have KEYWORDS="~x86 ~ppc" rather than KEYWORDS="x86 ppc"? Or is it assumed that people who unmask it manually will also have their make.conf set to accept experimental ebuilds (~x86 etc.)?
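The keyword rule described in the message above, as an added example (not part of this thread and not Portage's own code): a small POSIX sh emulation of how the KEYWORDS line of an ebuild is matched against ACCEPT_KEYWORDS, run over two constructed stand-in ebuilds for apache-2.0.42 and apache-2.0.43. It assumes the simplified rule that "~x86" in ACCEPT_KEYWORDS accepts both the "~x86" and the stable "x86" keyword while "x86" accepts only the stable one; it ignores package.mask, and it relies on lexical order of the sample file names, not real Portage version comparison. Useful for seeing why `emerge apache` would stop at 2.0.42 on a stable system even after the GLSA.

```shell
#!/bin/sh
# Emulation of Portage's KEYWORDS vs ACCEPT_KEYWORDS visibility check.
# Added example with constructed sample ebuilds; not Gentoo's own code.

# Print the KEYWORDS value of an ebuild file, without the quotes.
ebuild_keywords() {
    sed -n 's/^KEYWORDS="\([^"]*\)".*/\1/p' "$1"
}

# keyword_visible EBUILD ACCEPT_KEYWORDS
# Returns 0 if any keyword of the ebuild is accepted, 1 otherwise.
# Simplified rule (assumption): "~arch" in ACCEPT_KEYWORDS accepts both
# "~arch" and "arch"; a plain "arch" accepts only the stable "arch" keyword.
keyword_visible() {
    kv_kws=$(ebuild_keywords "$1")
    for kv_accept in $2; do
        for kv_kw in $kv_kws; do
            [ "$kv_kw" = "$kv_accept" ] && return 0
            case "$kv_accept" in
                "~"*) [ "$kv_kw" = "${kv_accept#"~"}" ] && return 0 ;;
            esac
        done
    done
    return 1
}

# best_visible DIR ACCEPT_KEYWORDS
# Prints the newest visible ebuild name in DIR (lexical order is enough for
# the constructed sample names), or "none" if nothing is visible.
best_visible() {
    for bv_f in $(ls -r "$1"/*.ebuild); do
        if keyword_visible "$bv_f" "$2"; then
            basename "$bv_f" .ebuild
            return 0
        fi
    done
    echo none
    return 1
}

# Constructed stand-ins for the two ebuilds discussed in the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/apache-2.0.42.ebuild" <<'EOF'
# constructed sample ebuild, not the real one
KEYWORDS="x86 ppc"
EOF
cat > "$tmp/apache-2.0.43.ebuild" <<'EOF'
# constructed sample ebuild, not the real one: still marked experimental
KEYWORDS="~x86 ~ppc"
EOF

# Show what a stable and an experimental make.conf would each pick up.
for accept in "x86" "~x86"; do
    printf 'ACCEPT_KEYWORDS="%s" -> emerge apache picks %s\n' \
        "$accept" "$(best_visible "$tmp" "$accept")"
done
```

On a stable x86 system the loop reports apache-2.0.42, the vulnerable version, exactly the situation the message describes; only ACCEPT_KEYWORDS="~x86" reaches 2.0.43. Changing the sample 2.0.43 file to KEYWORDS="x86 ppc" is the fix the thread asks for, and the same check then returns 2.0.43 for both settings.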
I didn't create the ebuild myself, so I can't answer why the ebuild had "~" in it. I've updated the ebuild.