CERT Advisories resolved in Apache 1.3.31 fixed in IHS 1.3.28.1?
| Robert Justice 2004-07-28, 6:26 pm |
| There are numerous CERT advisories fixed by Apache 1.3.31 listed at:
http://httpd.apache.org/
Are these fixed or do they even affect IHS 1.3.28.1:
This version of Apache is principally a security and bug fix release. Of
particular note is that 1.3.31 addresses and fixes the following 4 security
related issues:
In mod_digest, verify whether the nonce returned in the client response is
one we issued ourselves. This problem does not affect mod_auth_digest.
[CAN-2003-0987 (cve.mitre.org)]
Escape arbitrary data before writing into the errorlog.
[CAN-2003-0020 (cve.mitre.org)]
Fix starvation issue on listening sockets where a short-lived connection on
a rarely-accessed listening socket will cause a child to hold the accept
mutex and block out new connections until another connection arrives on that
rarely-accessed listening socket.
[CAN-2004-0174 (cve.mitre.org)]
Fix parsing of Allow/Deny rules using IP addresses without a netmask; issue
is only known to affect big-endian 64-bit platforms
[CAN-2003-0993 (cve.mitre.org)]
Thanks,
Robert Justice
| Donald Woods 2004-12-15, 9:51 pm |
| Has anyone received an answer on this yet?
We have a government customer who has been told to upgrade to at least
Apache v1.3.33 or 2.0.52 by Dec. 20th.
-Donald Woods
drwoods@nospam@us.ibm.com
IBM WebSphere Everyplace Access
"Robert Justice" <rjustice@us.ibm.com> wrote in message
news:ce974h$9ccc$1@news.boulder.ibm.com...
> There are numerous CERT advisories fixed by Apache 1.3.31 listed at:
>
> http://httpd.apache.org/
>
> Are these fixed or do they even affect IHS 1.3.28.1:
>
> This version of Apache is principally a security and bug fix release. Of
> particular note is that 1.3.31 addresses and fixes the following 4 security
> related issues:
>
> In mod_digest, verify whether the nonce returned in the client response is
> one we issued ourselves. This problem does not affect mod_auth_digest.
> [CAN-2003-0987 (cve.mitre.org)]
>
> Escape arbitrary data before writing into the errorlog.
> [CAN-2003-0020 (cve.mitre.org)]
>
> Fix starvation issue on listening sockets where a short-lived connection on
> a rarely-accessed listening socket will cause a child to hold the accept
> mutex and block out new connections until another connection arrives on that
> rarely-accessed listening socket.
> [CAN-2004-0174 (cve.mitre.org)]
>
> Fix parsing of Allow/Deny rules using IP addresses without a netmask; issue
> is only known to affect big-endian 64-bit platforms
> [CAN-2003-0993 (cve.mitre.org)]
>
> Thanks,
>
> Robert Justice
>
>