Apache 2.0.55 is released, fixing several vulnerabilities, some of them already fixed in portage:

- CAN-2005-2088 already fixed in bug 98358
- CAN-2005-2491 already fixed in bug 103554
- CAN-2005-2700 already fixed in bug 104807
- CAN-2005-2728 already fixed in bug 102991

No bugzilla entry found for those vulnerabilities:

- No CAN
  proxy_http: If a response contains both Transfer-Encoding and a Content-Length, remove the Content-Length and don't reuse the connection.
- CAN-2005-1268
  mod_ssl: Fix off-by-one overflow whilst printing CRL information at "LogLevel debug" which could be triggered if configured to use a "malicious" CRL.
  (reported earlier, delayed upstream until this release: see bug 100389)

(In reply to comment #0)
> No bugzilla entry found for those vulnerabilities:
>
> - No CAN
> proxy_http: If a response contains both Transfer-Encoding and a
> Content-Length, remove the Content-Length and don't reuse the
> connection.

This is bug 98358.

> - CAN-2005-1268
> mod_ssl: Fix off-by-one overflow whilst printing CRL information
> at "LogLevel debug" which could be triggered if configured
> to use a "malicious" CRL.
> (reported earlier, delayed upstream until this release: see bug 100389)

There is only this one left, and we dismissed it. Resolving as dupe of bug 98358.

*** This bug has been marked as a duplicate of 98358 ***

There won't be a 2.0.55 in portage?
Yes there will, but not for security reasons (current stable is just fine). Feel free to open another bug for this (or reopen this one and assign it to the apache team and remove the Gentoo Security product).
Reopening for apache version bump.
Hello. It would be really nice to release an apache 2.0.55 ebuild soon because of this bug: http://issues.apache.org/bugzilla/show_bug.cgi?id=15207 regards t.
I would like that as well, since 2.0.55 fixes the following bug: http://issues.apache.org/bugzilla/show_bug.cgi?id=34618
2.0.55 is in CVS.