Russian Apache mailing list archive (apache-rus@lists.lexa.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [apache-talk] upgrade to 1.3.22 ?

To: apache-talk@xxxxxxxxxxxxx
Subject: Re: [apache-talk] upgrade to 1.3.22 ?
From: Igor Sysoev <is@xxxxxxxxxxxxx>
Date: Wed, 24 Oct 2001 12:38:57 +0400 (MSD)
In-reply-to: <138662653879.20011024104502@xxxxxxxxx>

On Wed, 24 Oct 2001, Dmitry Alyabyev wrote:

> Вот случайно наткнулся ... самое интересное что об этом вроде никто
> громко не говорил ... или это я почту почту после отпуска невнимательно читал :-)

А чего о них громко кричать ? Скажем, для меня ни один из этих
пунктов не предстваляет интереса.

> >                     Apache 1.3.20 - 1.3.22 Major changes
> >  
> >   Security vulnerabilities
> >  
> >      * A vulnerability was found in the Win32 port of Apache 1.3.20.  A
> >        client submitting a very long URI could cause a directory listing
> >        to be returned rather than the default index page. A 403 Forbidden
> >        will now be returned.  CAN-2001-0729

Win32 порт не интересует.

> >      * A vulnerability was found in the split-logfile support program. A
> >        request with a specially crafted Host: header could allow any file
> >        with a .log extension on the system to be written to. PR#7848
> >        CAN-2001-0730

split-logfile никогда не пользовал.

> >      * A vulnerability was found when Multiviews are used to negotiate
> >        the directory index. In some configurations, requesting a URI with
> >        a QUERY_STRING of M=D could return a directory listing rather than
> >        the expected index page.  CAN-2001-0731

Mutliviews в России малоиспользуемая вещь.

> >      The security issues above have been assigned standardized names, CAN-
> >      by the Common Vulnerabilities and Exposures project (cve.mitre.org)

Для меня, например, больший интерес представляет bugfix:

Under certain circumstances a child may crash due to a bug in mod_include.
If a server uses an ErrorDocument for 404 (request not found) errors
which points to a server-parsed HTML file which uses a
 section, then a request containing
%2f will result in a segfault. The segfault is harmless and does not
cause a security problem, but is being triggered by the recent IIS worm

А вообще, читайте apacheweek.com и вам будет щастье.

Игорь Сысоев

=============================================================================
=               Apache-Talk@xxxxxxxxxxxxx mailing list                      =
Mail "unsubscribe apache-talk" to majordomo@xxxxxxxxxxxxx if you want to quit.
=       Archive avaliable at http://www.lexa.ru/apache-talk                 =

References:
- [apache-talk] upgrade to 1.3.22 ?
  - From: Dmitry Alyabyev

Prev by Date: [apache-talk] upgrade to 1.3.22 ?
Next by Date: [apache-talk] Authorization Required - ?
Previous by thread: [apache-talk] upgrade to 1.3.22 ?
Next by thread: [apache-talk] Authorization Required - ?
Index(es):
- Date
- Thread

Спонсоры сайта:

[ Russian Apache ] [ Как это работает ] [ Рекомендации ] [ Где взять ] [ Как установить ] [ Как настроить ] [ Статус и поддержка ] [ Краткий обзор ] [ FAQ ] [ Список рассылки ] [ Благодарности ] [ Поиск по серверу ] [ Powered by Russian Apache ] [ Apache-talk archive ]

"Russian Apache" includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/) See Apache LICENSE. Copyright (C) 1995-2001 The Apache Group. All rights reserved. Copyright (C) 1996 Dm. Kryukov; Copyright (C) 1997-2009 Alex Tutubalin. Design (C) 1998 Max Smolev.