IPv6 URI parsing can cause crash CAN-2004-0786 Testing using the Codenomicon HTTP Test Tool performed by the Apache Software Foundation security group and Red Hat uncovered an input validation issue in the IPv6 URI parsing routines in the apr-util library. If a remote attacker sent a request including a carefully crafted URI, an httpd child process could be made to crash. One some BSD systems it is believed this flaw may be able to lead to remote code execution. Affects: 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35 Environment variable expansion flaw CAN-2004-0747 The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the expansion of environment variables during configuration file parsing. This issue could allow a local user to gain the privileges of a httpd child if a server can be forced to parse a carefully crafted .htaccess file written by a local user. Affects: 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35 --- Patches are here: http://www.apache.org/dist/httpd/patches/apply_to_2.0.50/
No, not again... Stuart : a 2.0.51 ebuild would be nice :)
Done. Might as well combine this w/ 62626 tbh now. Best regards, Stu
stable marking being handled in bug #62626
GLSA 200409-21