
Thread: Important Apache Security Release

  1. #1

    Important Apache Security Release

    Apache has announced their latest security release:

    [ANNOUNCEMENT] Apache HTTP Server 2.2.20 Released

    This release patches the recently popularized DoS vulnerability with the way Apache handles byte-range requests. This vulnerability has recently taken to the spotlight, thanks to the "Apache Killer" script released last week. Thanks to this script, not only can any script kiddie mess with your Apache server, they can take down your whole system! I am working on manually patching my servers, but I would also like to see this release in the repositories ASAP. Can anyone point me in the right direction on how to get this done? I don't mind doing work on it myself, but I'm a little lost on who to talk to. I would also like to encourage people to update as soon as they can.

  2. #2

    Re: Important Apache Security Release

    By the way, I have submitted a bug for this:

    https://bugzilla.novell.com/show_bug.cgi?id=715372

    If anyone has suggestions for moving this along, I'll be happy to hear them.

  3. #3

    Re: Important Apache Security Release

    On 08/31/2011 11:06 PM, MatthewEhle wrote:
    > I don't mind doing work on it myself, but I'm a little lost on who to
    > talk to.

    openSUSE developers are normally easy to reach on either IRC or mail
    list, see here: http://en.opensuse.org/openSUSE:Communication_channels

    --
    DD
    openSUSE®, the "German Engineered Automobile" of operating systems!

  4. #4

    Re: Important Apache Security Release

    Originally posted by MatthewEhle:
    > By the way, I have submitted a bug for this:
    >
    > https://bugzilla.novell.com/show_bug.cgi?id=715372
    >
    > If anyone has suggestions for moving this along, I'll be happy to hear
    > them.

    Hi
    CVE-2011-3192 has already been dealt with and fixes have been
    backported (no reason to upgrade). The bug reference is 713966 which
    can't be seen as it's security related.
    https://build.opensuse.org/request/show/80443

    You need to start reviewing the changelogs to verify the backported
    fixes

    --
    Cheers Malcolm °¿° (Linux Counter #276890)
    openSUSE 11.4 (x86_64) Kernel 2.6.37.6-0.7-desktop
    up 1 day 7:03, 5 users, load average: 0.17, 0.11, 0.13
    GPU GeForce 8600 GTS Silent - Driver Version: 280.13


  5. #5

    Re: Important Apache Security Release

    I have questions:

    * When will this be available and distributed in the updates?
    * (a general question) How can users compile the original source (http://apache.copahost.com//httpd/httpd-2.2.20.tar.gz) so that this fits the installed version (e.g. on the openSUSE 11.4 customization and packages)?

  6. #6

    Re: Important Apache Security Release

    A1: It's already released. E.g. on a 11.3 system:

    Code:
    Name        : apache2                      Relocations: (not relocatable)
    Version     : 2.2.15                            Vendor: openSUSE
    Release     : 4.5.1                         Build Date: Thu 01 Sep 2011 10:19:11 AM EST
    Install Date: Sat 03 Sep 2011 03:07:37 AM EST      Build Host: build18
    Group       : Productivity/Networking/Web/Servers   Source RPM: apache2-2.2.15-4.5.1.src.rpm
    Size        : 2224528                          License: ASLv..
    Signature   : RSA/8, Thu 01 Sep 2011 10:20:20 AM EST, Key ID b88b2fd43dbdc284
    Packager    : openSUSE:Submitting bug reports - openSUSE
    URL         : Welcome! - The Apache HTTP Server Project
    Summary     : The Apache Web Server Version 2.2
    Description :
    Apache 2, the successor to Apache 1.

    A2: Not sure what you mean by Q2. Generally users never have to build their own for important security updates. Even though the openSUSE package shows 2.2.15, rest assured that the fixes have been backported.
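
Added example, not part of the original thread: posts #4 and #6 say the fix for CVE-2011-3192 was backported into a package whose version string (2.2.15) did not change, so the check runs against the package changelog rather than the version number. The helper name `cve_entries` and the sample changelog are constructed for illustration; `rpm -q --changelog` is the real query that feeds it.

```shell
#!/bin/sh
# Added example (not from the thread): list the RPM changelog entries that
# mention a given CVE, since a backported fix leaves the upstream version
# string unchanged. On a real system:
#   rpm -q --changelog apache2 | cve_entries CVE-2011-3192

# cve_entries CVE-ID  (hypothetical helper; changelog text on stdin)
# Prints the header line ("* date packager") of each entry mentioning the
# CVE. Exit status: 0 if at least one entry matched, 1 if none did.
cve_entries() {
    awk -v cve="$1" '
        /^\* / { header = $0; shown = 0; next }        # a new entry begins
        # Require a non-digit (or end of line) after the ID so that
        # CVE-2011-319 does not match CVE-2011-3192.
        $0 ~ (cve "([^0-9]|$)") && !shown {
            print (header != "" ? header : "(no entry header)")
            shown = 1; found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample in the layout `rpm -q --changelog` prints; the entries
# are invented for the demo, not copied from the openSUSE package.
sample_changelog() {
    cat <<'EOF'
* Thu Sep 01 2011 packager@example.invalid
- backport fix for CVE-2011-3192 (byte-range request DoS)

* Mon Mar 07 2011 packager@example.invalid
- rebuild, no functional change
EOF
}

if sample_changelog | cve_entries CVE-2011-3192; then
    echo "fix recorded in changelog"
else
    echo "no changelog entry mentions this CVE"
fi
```

A non-zero exit status means no entry names the CVE, which is the case to escalate rather than assume the package is patched.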
