Some vulnerabilities have been acknowledged in Apache, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and by malicious people to conduct cross-site scripting attacks.

For more information: SA25830

Solution: Fixed in version 1.3.38-dev, 2.0.60-dev, and 2.2.5-dev.

Provided and/or discovered by: Originally reported in a Red Hat advisory.

Original Advisory:
http://httpd.apache.org/security/vulnerabilities_13.html
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_22.html

Other References:
SA25830: http://secunia.com/advisories/25830/

Reproducible: Always
Backports for 2.2.4 are in svn and will be included in apache-2.2.4-r11, which is scheduled for stabilization in roughly 2-3 weeks. No backports for 2.0.x.
2.2.4-r11 is in cvs now.
Is security going to issue a GLSA, or can we close this bug once apache-2.2 is stable?
(In reply to comment #1)
> no backports for 2.0.x
>
What's the reason for not having a fixed 2.0.x ebuild? At least some authentication modules changed from 2.0 to 2.2, so I'd prefer to not bite users with this upgrade for security reasons.
We're probably going to have a vote about GLSA release. Is 2.2.4-r11 ready for stable marking?
(In reply to comment #4)
> (In reply to comment #1)
> > no backports for 2.0.x
> >
> What's the reason for not having a fixed 2.0.x ebuild? At least some
> authentication modules changed from 2.0 to 2.2, so I'd prefer to not bite users
> with this upgrade for security reasons.
>
*ping*
(In reply to comment #4)
> (In reply to comment #1)
> > no backports for 2.0.x
> >
> What's the reason for not having a fixed 2.0.x ebuild? At least some
> authentication modules changed from 2.0 to 2.2, so I'd prefer to not bite users
> with this upgrade for security reasons.
>
After a lengthy svn search, I have added fixes for all CVEs for 2.0.59-r3 (there are four; one is not listed on the vuln page, but it is fixed in svn). It should be on the mirrors soon and can be scheduled for stabilization. 2.2 stabilization will probably wait for 2.2.5, which will be released RSN and contains all fixes...
FYI, according to http://www.xatrix.org/cve.php?s=38514 the CVE for the fourth issue seems unavailable currently...
Unfortunately 2.0.59-r3 is completely broken, since phreak backported config changes but not ebuild changes, causing quite a mess right now...
(In reply to comment #9)
> unfortunately 2.0.59-r3 is completely broken since phreak backported config
> changes, but not ebuild changes, causing quite a mess right now...
>
What exactly does that mean? What will happen when I upgrade from -r2 to -r3?
Please use -r4; that has been fixed and will go stable.
2.0.61 and 2.2.6 are in cvs now; they fix another security issue with 2.2.4-r12, see #186219 and #191603.
This is also handled by 186219.
*** This bug has been marked as a duplicate of bug 186219 ***