
apache security issue (with upstream new release)



Hi list,

 Do you know about the Apache security issue?

 The Apache 1.3.29 release announcement is here.
 http://www.apache.org/dist/httpd/Announcement.txt

 This Apache 1.3 release includes a security fix.

>                     Apache 1.3.29 Major changes
>
>  Security vulnerabilities
>
>     * CAN-2003-0542 (cve.mitre.org)
>       Fix buffer overflows in mod_alias and mod_rewrite which occurred if
>       one configured a regular expression with more than 9 captures.


 The Apache 2.0.48 release announcement is here.
 http://www.apache.org/dist/httpd/Announcement2.txt

 Apache 2.0.48 also includes security fixes.

>                       Apache 2.0.48 Major changes
>
>   Security vulnerabilities closed since Apache 2.0.47
>
>    *) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
>       the AF_UNIX socket used to communicate with the cgid daemon and
>       the CGI script.  [Jeff Trawick]
>
>    *) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and
>       mod_rewrite which occurred if one configured a regular expression
>       with more than 9 captures.  [Andre' Malo]


 I want to know how it goes in Debian. I cannot find any posts
 in the BTS or on the debian-apache list.

 # And when I posted the apache 2.0.47 release announcement with the vulnerability
   issue to BTS, maintainer said "Kindly don't submit "new version"
   bugs with in about 10 minutes of the release. It's childish and 
   unhelpful." 
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=200593&archive=yes

   so I don't want to post it to BTS...
-- 
Regards,

 Hideki Yamane    mailto:henrich @ iijmio-mail.jp
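
The announcement quoted above ties CAN-2003-0542 to configured regular expressions with more than 9 captures. As an added example (not part of the original post and not Apache or Debian code), the following script lists such patterns in a configuration; the directive list, the one-directive-per-line parsing and the capture-counting heuristic are assumptions of this sketch.

```python
import re

# Assumption: regex-taking directives of mod_alias and mod_rewrite, mapped to
# the argument position of the pattern. One directive per line is assumed.
REGEX_ARG = {"aliasmatch": 0, "scriptaliasmatch": 0, "redirectmatch": 0,
             "rewriterule": 0, "rewritecond": 1}
MAX_CAPTURES = 9  # limit named in the announcement

def count_captures(pattern):
    """Count unescaped '(' outside [...] that do not start a '(?' group."""
    count, i, n = 0, 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":              # escaped character, e.g. \( is a literal
            i += 1
        elif c == "[":             # bracket expression: parentheses are literal
            i += 2 if pattern[i + 1:i + 2] == "^" else 1
            if pattern[i:i + 1] == "]":   # a leading ']' is a literal
                i += 1
            while i < n and pattern[i] != "]":
                i += 1
        elif c == "(" and pattern[i + 1:i + 2] != "?":
            count += 1
        i += 1
    return count

def audit(config_text):
    """Return (line_no, directive, captures) for each pattern over the limit."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        tokens = re.findall(r'"(?:\\.|[^"\\])*"|\S+', line)
        if not tokens or tokens[0].lower() not in REGEX_ARG:
            continue               # blank line, comment or unrelated directive
        args = [t[1:-1] if t[0] == '"' == t[-1] and len(t) > 1 else t
                for t in tokens[1:]]
        idx = REGEX_ARG[tokens[0].lower()]
        if tokens[0].lower() == "redirectmatch" and len(args) == 3:
            idx = 1                # optional status argument precedes the regex
        if idx < len(args) and count_captures(args[idx]) > MAX_CAPTURES:
            findings.append((no, tokens[0], count_captures(args[idx])))
    return findings

SAMPLE = r'''# constructed sample configuration, not from a real server
AliasMatch ^/icons/(.*) /usr/share/apache/icons/$1
RewriteRule ^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)/?$ /index.html [L]
RewriteRule "^/(?:x|y)/([0-9]+)\(v\)[()]$" /item?id=$1
RedirectMatch permanent ^/(1)(2)(3)(4)(5)(6)(7)(8)(9)(10)(11)$ http://example.org/
'''
```

Calling `audit(SAMPLE)` reports lines 3 and 5; the same function can be run over the text of httpd.conf and any .htaccess files to find patterns worth reviewing before and after the upgrade.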


