October 20, 2010

[installer 2551] Re: apache-2.2.17, 2.0.64

(Wed, 20 Oct 2010 08:59:51 +0900 (JST))
Koga Youichirou <y-koga@xxxxx>:
> apache-2.2.17 and 2.0.64 are out.
>
> 2.0.64 contains fixes for multiple security holes. See:
> http://www.apache.org/dist/httpd/Announcement2.0.html

2.2.17 also turned out to contain an APR-util-related security hole fix.
See http://www.apache.org/dist/httpd/Announcement2.2.html
... but just saying "see the link" risks the text disappearing later, so I am
quoting the announcements for both versions here.

From http://www.apache.org/dist/httpd/Announcement2.0.html:
BEGIN-----------------------------------------------------
Apache HTTP Server 2.0.64 Released

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.0.64 of the Apache HTTP
Server ("Apache"). This version of Apache is a bug and security fix
release, covering a number of issues addressed previously in stable
released versions;

o CVE-2010-1452: mod_dav: Fix Handling of requests without a path
segment.
o CVE-2009-1891: Fix a potential Denial-of-Service attack against
mod_deflate or other modules, by forcing the server to consume CPU
time in compressing a large file after a client disconnects.
o CVE-2009-3095: mod_proxy_ftp: sanity check authn credentials.
o CVE-2009-3094: mod_proxy_ftp: NULL pointer dereference on error paths.
o CVE-2009-3555: mod_ssl: Comprehensive fix of the TLS renegotiation
prefix injection attack when compiled against OpenSSL version 0.9.8m
or later. Introduces the 'SSLInsecureRenegotiation' directive to
reopen this vulnerability and offer unsafe legacy renegotiation with
clients which do not yet support the new secure renegotiation
protocol, RFC 5746.

mod_ssl: A partial fix for the TLS renegotiation prefix injection
attack for OpenSSL versions prior to 0.9.8l; reject any
client-initiated renegotiations. Forcibly disable keepalive for the
connection if there is any buffered data readable. Any configuration
which requires renegotiation for per-directory/location access
control is still vulnerable, unless using openssl 0.9.8l or later.

o CVE-2010-0434: Ensure each subrequest has a shallow copy of
headers_in so that the parent request headers are not
corrupted. Eliminates a problematic optimization in the case of no
request body.
o CVE-2008-2364: mod_proxy_http: Better handling of excessive interim
responses from origin server to prevent potential denial of service
and high memory usage.
o CVE-2010-0425: mod_isapi: Do not unload an isapi .dll module until
the request processing is completed, avoiding orphaned callback
pointers.
o CVE-2008-2939: mod_proxy_ftp: Prevent XSS attacks when using
wildcards in the path of the FTP URL.

and includes security fixes of the APR and APR-util 0.9.19 dependencies;

o CVE-2010-1623: Fix a denial of service attack against
apr_brigade_split_line().
o CVE-2009-3560, CVE-2009-3720: Fix two buffer over-read flaws in the
bundled copy of expat which could cause applications to crash while
parsing specially-crafted XML documents.
o CVE-2009-2412: Fix overflow in rmm, where size alignment was taking
place.

END-------------------------------------------------------


From http://www.apache.org/dist/httpd/Announcement2.2.html:
BEGIN-----------------------------------------------------
Apache HTTP Server 2.2.17 Released

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.17 of the Apache HTTP
Server ("Apache"). This version of Apache is principally a bug fix
release, and a security fix release of the APR-util 1.3.10 dependency;

o CVE-2010-1623: Fix a denial of service attack against
apr_brigade_split_line().
o CVE-2009-3560, CVE-2009-3720: Fix two buffer over-read flaws in the
bundled copy of expat which could cause applications to crash while
parsing specially-crafted XML documents.

We consider this release to be the best version of Apache available,
and encourage users of all prior versions to upgrade.
END-------------------------------------------------------

> ☆ apache-2.2.17
> http://httpd.apache.org/
> http://www.apache.org/dist/httpd/httpd-2.2.17.tar.gz
>
> Changes with Apache 2.2.17
>
> *) prefork MPM: Run cleanups for final request when process exits gracefully
> to work around a flaw in apr-util. PR 43857. [Tom Donovan]
>
> *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
> connections and other protocol handlers (like mod_ftp). Enforce the
> timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering
> close time from 30 to 2 seconds. [Stefan Fritsch]
>
> *) Proxy balancer: support setting error status according to HTTP response
> code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>]
>
> *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
> password to UTF-8. PR 45318.

Posted by xml-rpc: October 20, 2010 19:01