Re: Apache2 has gone berserk



On 2006-08-25, Jacob Sparre Andersen <sparre@nbi.dk> wrote:
>> The vulnerability is due to the rewrite/proxy modules in debian stable,
>> since debian stable runs apache 2.0.54-5sarge1 while only 2.0.55
>> is fixed:
>
> That sounds odd.  Are you aware that Debian normally prefers
> to copy fixes for security bugs back into a known stable
> release?

Yep. Security fixes are backported to the stable release.
Debian stable should preferably have as few and as small changes as possible.

From the changelog of apache2 2.0.24-5sarge1:

apache2 (2.0.54-5sarge1) stable-security; urgency=high

  * Non-maintainer upload by The Security Team.
  * Added 047_rewrite_off_by_one_CVE-2006-3747, fixing an off-by-one
    error in mod_rewrite.  [CVE-2006-3747]

 -- Steve Kemp <skx@debian.org>  Fri,  28 Jul 2006 09:50:36 +0000

apache2 (2.0.54-5) stable-security; urgency=high

  * Add 043_ssl_off_by_one_CAN-2005-1268, fixing an off-by-one error in SSL
    certificate validation; see CAN-2005-1268 (closes: #320048, #320063)
  * Add 044_content_length_CAN-2005-2088, resolving an issue in mod_proxy
    where, when a response contains both Transfer-Encoding and Content-Length
    headers, the connection can be used for HTTP request smuggling and HTTP
    request spoofing attacks; see CAN-2005-2088 (closes: #316173)
  * Add 045_byterange_CAN-2005-2728, to resolve a denial of service in apache
    when large byte ranges are requested; see CAN-2005-2728 (closes: #326435)
  * Add 046_verify_client_CAN-2005-2700, resolving an issue where the context
    of the SSLVerifyClient directive is not honoured within a <Location>
    nested in a <VirtualHost>, and is left unenforced; see CAN-2005-2700

 -- Adam Conrad <adconrad@0c3.net>  Fri,  2 Sep 2005 22:26:28 +1000

Note that the two CVEs you write about were fixed by the upload of -5.
(See the first two items of that changelog.)



/Sune
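The point of the reply above is that on Debian stable the package version string alone (2.0.54-5sarge1 versus upstream 2.0.55) does not tell you whether a fix is present; the package changelog does. The following added example is not from the thread or from the Debian apache2 package; it embeds the two changelog entries quoted above as a constructed sample and shows a small POSIX shell function that reports the newest package version whose entry mentions a given CVE (or older CAN) identifier. The placeholder id CVE-2099-0001 is made up to show the not-found case.

```shell
#!/bin/sh
# Constructed sample: the two Debian apache2 changelog entries quoted in
# the thread, embedded here so the check runs offline.
SAMPLE_CHANGELOG='apache2 (2.0.54-5sarge1) stable-security; urgency=high

  * Non-maintainer upload by The Security Team.
  * Added 047_rewrite_off_by_one_CVE-2006-3747, fixing an off-by-one
    error in mod_rewrite.  [CVE-2006-3747]

 -- Steve Kemp <skx@debian.org>  Fri,  28 Jul 2006 09:50:36 +0000

apache2 (2.0.54-5) stable-security; urgency=high

  * Add 043_ssl_off_by_one_CAN-2005-1268, fixing an off-by-one error in SSL
    certificate validation; see CAN-2005-1268 (closes: #320048, #320063)
  * Add 044_content_length_CAN-2005-2088, resolving an issue in mod_proxy
    where, when a response contains both Transfer-Encoding and Content-Length
    headers, the connection can be used for HTTP request smuggling and HTTP
    request spoofing attacks; see CAN-2005-2088 (closes: #316173)
  * Add 045_byterange_CAN-2005-2728, to resolve a denial of service in apache
    when large byte ranges are requested; see CAN-2005-2728 (closes: #326435)
  * Add 046_verify_client_CAN-2005-2700, resolving an issue where the context
    of the SSLVerifyClient directive is not honoured within a <Location>
    nested in a <VirtualHost>, and is left unenforced; see CAN-2005-2700

 -- Adam Conrad <adconrad@0c3.net>  Fri,  2 Sep 2005 22:26:28 +1000
'

# cve_fixed_in <id>: reads a Debian changelog on stdin and prints the
# version of the newest entry (entries are listed newest first) whose
# text mentions <id>, e.g. CVE-2006-3747 or CAN-2005-2088. Prints
# "not-found" when no entry mentions it.
cve_fixed_in() {
    awk -v id="$1" '
        # An entry header looks like: pkg (version) distribution; urgency=...
        # Remember the version so later body lines can be attributed to it.
        /^[a-z0-9][a-z0-9.+-]* \([^)]+\) / {
            ver = $2
            sub(/^\(/, "", ver)
            sub(/\)$/, "", ver)
            next
        }
        # First body line naming the id belongs to the newest fixing upload.
        index($0, id) && ver != "" { print ver; found = 1; exit }
        END { if (!found) print "not-found" }
    '
}

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in CVE-2006-3747
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in CAN-2005-2088
```

On a real Debian host the installed package's changelog lives at /usr/share/doc/apache2/changelog.Debian.gz, so `zcat /usr/share/doc/apache2/changelog.Debian.gz | cve_fixed_in CVE-2006-3747` answers the question the thread is about directly, without guessing from the upstream version number.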
