Summary: | New ebuild needed for apache-2.0.48 which has 2 security fixes | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Haroon Rafique <corporate_gadfly> |
Component: | GLSA Errors | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | blocker | CC: | rajiv, security, web-apps |
Priority: | High | Keywords: | SECURITY |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 29893, 32366 | ||
Attachments: | apache init patch |
Description
Haroon Rafique
2003-10-29 07:02:48 UTC
I will add this tonight. Stu -- if I add 2.0.48 un-arch-masked into the tree, then we'll be on the new --datadir from here on. That's ok with you you? I would prefer Apache related bugs to be assigned to the Apache web-apps herd. If its security related, add security@g.o to the CC list. Needless to say I didnt check it in yet, but do have it finished over here and will commit tomorrow; got sidetracked by a segfaulting mod_php. Donny - that's okay with me. Stu Donny, Please reassign back to security@ and change "Product:" to "Gentoo GLSA" when we are all good to go.. Thanks This is a real song and dance we have going on here. 2.0.48 is 'x86' and in-the-tree. Created attachment 19986 [details, diff]
apache init patch
bah -- the above patch fixes a bug with the init script that causes apache to fail to start with the following error: env: start-stop-daemon: No such file or directory [!!] marking as blocker. Oops, yes you're right; fixed. Donny, I just did a cvs update and noticed that it's not quite right yet. env -i /sbin/start-stop-daemon should be env -i PATH=$PATH /sbin/start-stop-daemon Is it really broken? Please update it if you wish, but its "workingforme". please add --retry 5 like in mysql: start-stop-daemon --stop --retry 5 --quiet just fixed the init scripts (with solar's PATH=$PATH) in cvs. to-do in comment #12 moved to bug #32366. GLSA 200310-04 sent as: --------------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT 200310-04 --------------------------------------------------------------------------- PACKAGE : net-www/apache SUMMARY : buffer overflow DATE : Fri Oct 31 07:59:00 UTC 2003 EXPLOIT : local VERSIONS AFFECTED : <apache-2.0.48 FIXED VERSION : >=apache-2.0.48 GENTOO BUG : http://bugs.gentoo.org/show_bug.cgi?id=32271 CVE : CAN-2003-0789 CAN-2003-0542 --------------------------------------------------------------------------- Quote from <http://www.apache.org/dist/httpd/Announcement2.html>: This version of Apache is principally a bug fix release. A summary of the bug fixes is given at the end of this document. Of particular note is that 2.0.48 addresses two security vulnerabilities: mod_cgid mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used. [CAN-2003-0789] A buffer overflow could occur in mod_alias and mod_rewrite when a regular expression with more than 9 captures is configured. [CAN-2003-0542] This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade. SOLUTION It is recommended that all Gentoo Linux users who are running net-misc/apache 2.x upgrade: emerge sync emerge '>=net-www/apache-2.0.48' emerge clean Please remember to update your config files in /etc/apache2 as --datadir has been changed to /var/www/localhost. Note that a forthcoming GLSA-200310-03 will address similar issues in Apache 1.x. // end |