Re: Apache2 has gone berserk
On 2006-08-25, Jacob Sparre Andersen <sparre@nbi.dk> wrote:
>> The vulnerability is due to the Debian stable rewrite/proxy modules,
>> since Debian stable runs apache 2.0.54-5sarge1 while only
>> 2.0.55 is fixed:
>
> That sounds odd. Are you aware that Debian normally prefers
> to copy fixes for security bugs back into a known stable
> release?
Yep. Security fixes are backported to the stable release.
Debian stable should preferably have as few and as small changes as possible.
From the changelog of apache2 2.0.24-5sarge1:
apache2 (2.0.54-5sarge1) stable-security; urgency=high
* Non-maintainer upload by The Security Team.
* Added 047_rewrite_off_by_one_CVE-2006-3747, fixing an off-by-one
error in mod_rewrite. [CVE-2006-3747]
-- Steve Kemp <skx@debian.org> Fri, 28 Jul 2006 09:50:36 +0000
apache2 (2.0.54-5) stable-security; urgency=high
* Add 043_ssl_off_by_one_CAN-2005-1268, fixing an off-by-one error in SSL
certificate validation; see CAN-2005-1268 (closes: #320048, #320063)
* Add 044_content_length_CAN-2005-2088, resolving an issue in mod_proxy
where, when a response contains both Transfer-Encoding and Content-Length
headers, the connection can be used for HTTP request smuggling and HTTP
request spoofing attacks; see CAN-2005-2088 (closes: #316173)
* Add 045_byterange_CAN-2005-2728, to resolve a denial of service in apache
when large byte ranges are requested; see CAN-2005-2728 (closes: #326435)
* Add 046_verify_client_CAN-2005-2700, resolving an issue where the context
of the SSLVerifyClient directive is not honoured within a <Location>
nested in a <VirtualHost>, and is left unenforced; see CAN-2005-2700
-- Adam Conrad <adconrad@0c3.net> Fri, 2 Sep 2005 22:26:28 +1000
Note that the two CVEs you are writing about were fixed by the upload of -5.
(see the first two items of that changelog)
/Sune
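The practical point of the thread is that the upstream version string (2.0.54 versus 2.0.55) says nothing about whether a backported fix is present; the Debian revision and the package changelog do. The script below is an added example, not code from the thread or from Debian: it parses the changelog excerpt quoted above (embedded inline as sample input), records the oldest package version whose entry mentions each CVE/CAN identifier, and compares an installed version against that using a re-implementation of the dpkg version-ordering rules (epoch, upstream, revision, with `~` sorting before everything). The function names and the checked version strings are this example's own assumptions.

```python
import re

# Sample input, constructed from the changelog entries quoted in the thread
# (Debian changelog format: "package (version) distribution; urgency=...").
CHANGELOG = """\
apache2 (2.0.54-5sarge1) stable-security; urgency=high

  * Non-maintainer upload by The Security Team.
  * Added 047_rewrite_off_by_one_CVE-2006-3747, fixing an off-by-one
    error in mod_rewrite. [CVE-2006-3747]

 -- Steve Kemp <skx@debian.org>  Fri, 28 Jul 2006 09:50:36 +0000

apache2 (2.0.54-5) stable-security; urgency=high

  * Add 043_ssl_off_by_one_CAN-2005-1268, fixing an off-by-one error in SSL
    certificate validation; see CAN-2005-1268 (closes: #320048, #320063)
  * Add 044_content_length_CAN-2005-2088, resolving an issue in mod_proxy
    where, when a response contains both Transfer-Encoding and Content-Length
    headers, the connection can be used for HTTP request smuggling and HTTP
    request spoofing attacks; see CAN-2005-2088 (closes: #316173)
  * Add 045_byterange_CAN-2005-2728, to resolve a denial of service in apache
    when large byte ranges are requested; see CAN-2005-2728 (closes: #326435)

 -- Adam Conrad <adconrad@0c3.net>  Fri, 2 Sep 2005 22:26:28 +1000
"""

HEADER = re.compile(r"^(\S+) \(([^)]+)\) ")
# No \b in front: identifiers also appear inside patch names like
# "047_rewrite_off_by_one_CVE-2006-3747", where '_' is a word character.
CVE_ID = re.compile(r"(?:CVE|CAN)-\d{4}-\d{4,}")


def fixed_in(changelog: str) -> dict:
    """Map each CVE/CAN id to the oldest package version that mentions it.

    Changelog entries are newest-first, so later matches overwrite earlier
    ones and the final value is the first version carrying the fix.
    """
    fixes = {}
    version = None
    for line in changelog.splitlines():
        m = HEADER.match(line)
        if m:
            version = m.group(2)
            continue
        if version:
            for cve in CVE_ID.findall(line):
                fixes[cve] = version
    return fixes


def _order(c):
    # Character weight used by dpkg for non-digit runs: '~' sorts before
    # the end of the string, letters before non-letters.
    if c is None or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """dpkg ordering of one upstream-version or revision fragment."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: compare numerically (leading zeros stripped).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def dpkg_compare(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 following dpkg's epoch:upstream-revision ordering."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return (e1 > e2) - (e1 < e2)
    c = _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)
    return (c > 0) - (c < 0)


def is_fixed(installed: str, cve: str, fixes: dict) -> bool:
    """True if the installed package version is at or above the fixing version."""
    fix_version = fixes.get(cve)
    return fix_version is not None and dpkg_compare(installed, fix_version) >= 0


if __name__ == "__main__":
    fixes = fixed_in(CHANGELOG)
    for cve, ver in sorted(fixes.items()):
        print(f"{cve} first fixed in {ver}; sarge1 fixed: {is_fixed('2.0.54-5sarge1', cve, fixes)}")
```

With the quoted changelog, `2.0.54-5sarge1` is reported as fixed for CAN-2005-2088 even though `dpkg_compare("2.0.54-5sarge1", "2.0.55-1")` is negative, which is exactly the distinction the reply makes: compare against the version that carries the backported patch, not against the upstream release that first shipped it.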