On Wed, 24 Oct 2001, Dmitry Alyabyev wrote:
> Вот случайно наткнулся ... самое интересное что об этом вроде никто
> громко не говорил ... или это я почту почту после отпуска невнимательно читал :-)
А чего о них громко кричать ? Скажем, для меня ни один из этих
пунктов не предстваляет интереса.
> > Apache 1.3.20 - 1.3.22 Major changes
> >
> > Security vulnerabilities
> >
> > * A vulnerability was found in the Win32 port of Apache 1.3.20. A
> > client submitting a very long URI could cause a directory listing
> > to be returned rather than the default index page. A 403 Forbidden
> > will now be returned. CAN-2001-0729
Win32 порт не интересует.
> > * A vulnerability was found in the split-logfile support program. A
> > request with a specially crafted Host: header could allow any file
> > with a .log extension on the system to be written to. PR#7848
> > CAN-2001-0730
split-logfile никогда не пользовал.
> > * A vulnerability was found when Multiviews are used to negotiate
> > the directory index. In some configurations, requesting a URI with
> > a QUERY_STRING of M=D could return a directory listing rather than
> > the expected index page. CAN-2001-0731
Mutliviews в России малоиспользуемая вещь.
> > The security issues above have been assigned standardized names, CAN-
> > by the Common Vulnerabilities and Exposures project (cve.mitre.org)
Для меня, например, больший интерес представляет bugfix:
Under certain circumstances a child may crash due to a bug in mod_include.
If a server uses an ErrorDocument for 404 (request not found) errors
which points to a server-parsed HTML file which uses a
<!--#include virtual="file" --> section, then a request containing
%2f will result in a segfault. The segfault is harmless and does not
cause a security problem, but is being triggered by the recent IIS worm
А вообще, читайте apacheweek.com и вам будет щастье.
Игорь Сысоев
=============================================================================
= Apache-Talk@xxxxxxxxxxxxx mailing list =
Mail "unsubscribe apache-talk" to majordomo@xxxxxxxxxxxxx if you want to quit.
= Archive avaliable at http://www.lexa.ru/apache-talk =
"Russian Apache" includes software developed
by the Apache Group for use in the Apache HTTP server project
(http://www.apache.org/) See
Apache LICENSE.
Copyright (C) 1995-2001 The Apache Group. All rights reserved.
Copyright (C) 1996 Dm. Kryukov; Copyright (C)
1997-2009 Alex Tutubalin. Design (C) 1998 Max Smolev.