Bug#240100: apache2: multiple security vulnerabilities fixed in new upstream release
Package: apache2
Severity: grave
Apache2 2.0.49 fixes a few security bugs:

SECURITY: CAN-2004-0174 (cve.mitre.org) Fix starvation issue on
listening sockets where a short-lived connection on a rarely-accessed
listening socket will cause a child to hold the accept mutex and block
out new connections until another connection arrives on that
rarely-accessed listening socket. With Apache 2.x there is no
performance concern about enabling the logic for platforms which don't
need it, so it is enabled everywhere except for Win32. [Jeff Trawick]

SECURITY: CAN-2004-0113 (cve.mitre.org) mod_ssl: Fix a memory leak in
plain-HTTP-on-SSL-port handling. PR 27106. [Joe Orton]

SECURITY: CAN-2003-0020 (cve.mitre.org) Escape arbitrary data before
writing into the errorlog. Unescaped errorlogs are still possible using
the compile time switch "-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey
Young, Andre Malo]

-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.4-1-k7
Locale: LANG=C, LC_CTYPE=C
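
Added example, not part of the original report and not Apache's source: a C illustration of the kind of escaping the CAN-2003-0020 entry above describes, applied to client-supplied data before it is written to an error log. The function name escape_log_item, the escape scheme (\n, \r, \t, \\ and \xHH) and the sample request path are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Apache's code. Copies src to dst with control and
 * non-ASCII bytes made visible, so client data cannot start a new log line or
 * send terminal control sequences. Never splits an escape; returns length. */
size_t escape_log_item(char *dst, size_t dstlen, const char *src, size_t srclen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (dstlen == 0) return 0;
    for (size_t i = 0; i < srclen; i++) {
        unsigned char c = (unsigned char)src[i];
        char buf[4] = { '\\', 0, 0, 0 };
        size_t n = 2;
        switch (c) {
        case '\n': buf[1] = 'n';  break;
        case '\r': buf[1] = 'r';  break;
        case '\t': buf[1] = 't';  break;
        case '\\': buf[1] = '\\'; break;
        default:
            if (c >= 0x20 && c < 0x7f) {        /* printable ASCII: copy as is */
                buf[0] = (char)c;
                n = 1;
            } else {                            /* everything else: \xHH */
                buf[1] = 'x';
                buf[2] = hex[c >> 4];
                buf[3] = hex[c & 0x0f];
                n = 4;
            }
        }
        if (o + n >= dstlen)                    /* keep room for the NUL */
            break;
        memcpy(dst + o, buf, n);
        o += n;
    }
    dst[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed input: a request path carrying a forged log line and an ESC sequence. */
    const char path[] = "/x\n[error] forged entry \x1b[2J";
    char out[128];
    escape_log_item(out, sizeof out, path, sizeof path - 1);
    printf("[error] File does not exist: %s\n", out);
    return 0;
}
```

With the escaping in place the constructed path stays on one log line, and the backslash itself is doubled so an escaped byte cannot be confused with literal text.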