http://httpd.apache.org/security/vulnerabilities_20.html

Fixed in Apache httpd 2.0.59

important: mod_rewrite off-by-one error CVE-2006-3747

An off-by-one flaw exists in the Rewrite module, mod_rewrite. Depending on the manner in which Apache httpd was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution.

Update Released: 27th July 2006
Affects: 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46

---

http://httpd.apache.org/security/vulnerabilities_13.html

Fixed in Apache httpd 1.3.37

important: mod_rewrite off-by-one error CVE-2006-3747

An off-by-one flaw exists in the Rewrite module, mod_rewrite. Depending on the manner in which Apache httpd was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution.

Update Released: 27th July 2006
Affects: 1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28

---

http://httpd.apache.org/security/vulnerabilities_22.html

Fixed in Apache httpd 2.2.3

important: mod_rewrite off-by-one error CVE-2006-3747

An off-by-one flaw exists in the Rewrite module, mod_rewrite. Depending on the manner in which Apache httpd was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution.

Update Released: 27th July 2006
Affects: 2.2.2, 2.2.0
Patched versions of 2.0.58, 1.3.34, and 2.2.2 that address this issue are now in CVS. Full version bumps that include the other features of the new versions will come this weekend. Please have the remaining archs mark stable the following:

net-www/apache-2.0.58-r2
net-www/apache-1.3.34-r14

(2.2.x line is still p.masked so we do not want stable marking there yet)
arches please test and mark stable if possible
*** Bug 141763 has been marked as a duplicate of this bug. ***
marked stable on alpha by kloeri -> removing alpha from CC: -> changing status to [glsa]

29 Jul 2006; Bryan Østergaard <kloeri@gentoo.org> apache-1.3.34-r14.ebuild, apache-2.0.58-r2.ebuild: Stable on alpha.
GLSA 200608-01 thanks everyone