I've added net-www/apache-2.0.52 to the Portage tree. This package includes an additional patch to address security issue CAN-2004-0885. It's ready for testing and marking stable on all arches. My thanks to Paul Querna <pquerna@apache.org> for letting us know about this. Best regards, Stu
Arches: please mark net-www/apache-2.0.52 stable :)
Stable on sparc.
Stable on alpha.
stable on ppc
stable on ppc64, thanks!
arm/hppa/ia64/s390 stable
x86, amd64: please mark stable so that the GLSA can go out.
x86 stable..
Stable on mips.
apache herd, mod_ssl seems vulnerable to this too and version 2.8.20 is out to fix this
CHANGES entry for this version:
Changes with mod_ssl 2.8.20 (16-Jul-2004 to 15-Oct-2004)
  *) With OpenSSL 0.9.7, prevent session resumption during a renegotiation to force the client to negotiate a new (and acceptable to mod_ssl) cipher suite. Additionally, ensure that a correct cipher suite has been negotiated afterwards (CAN-2004-0885).
  *) Fixed more printf(3) style format string bugs (not security related) which could crash the server if mod_ssl's trace or debug log level is enabled
___
http://secunia.com/advisories/12847/
CVE reference: CAN-2004-0885
Description: Hartmut Keil has reported a security issue in mod_ssl, which can be exploited by malicious people to bypass certain security restrictions.
For more information: SA12787
Solution: Update to version 2.8.20-1.3.31. http://www.modssl.org/
Provided and/or discovered by: Hartmut Keil
*** Bug 67711 has been marked as a duplicate of this bug. ***
removing amd64 since apache is all done already, thanks Kugelfang :-) any progress on an updated mod_ssl ebuild?
Apache team, please bump mod_ssl to 2.8.20...
mod_ssl-2.8.20 is now in cvs.
mod_ssl-2.8.20 marked stable by maintainer. marking glsa bug-ready.
GLSA 200410-21