ПРОЕКТЫ 


  АРХИВ 


Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  СТАТЬИ 


  ПЕРСОНАЛЬНОЕ 


  ПРОГРАММЫ 



ПИШИТЕ
ПИСЬМА














     АРХИВ :: Apache-Talk
Apache-Talk mailing list archive (apache-talk@lists.lexa.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [apache-talk] upgrade to 1.3.22 ?



On Wed, 24 Oct 2001, Dmitry Alyabyev wrote:

> Вот случайно наткнулся ... самое интересное что об этом вроде никто
> громко не говорил ... или это я почту почту после отпуска невнимательно читал 
>:-)

А чего о них громко кричать ? Скажем, для меня ни один из этих
пунктов не предстваляет интереса.

> >                     Apache 1.3.20 - 1.3.22 Major changes
> >  
> >   Security vulnerabilities
> >  
> >      * A vulnerability was found in the Win32 port of Apache 1.3.20.  A
> >        client submitting a very long URI could cause a directory listing
> >        to be returned rather than the default index page. A 403 Forbidden
> >        will now be returned.  CAN-2001-0729

Win32 порт не интересует.

> >      * A vulnerability was found in the split-logfile support program. A
> >        request with a specially crafted Host: header could allow any file
> >        with a .log extension on the system to be written to. PR#7848
> >        CAN-2001-0730

split-logfile никогда не пользовал.

> >      * A vulnerability was found when Multiviews are used to negotiate
> >        the directory index. In some configurations, requesting a URI with
> >        a QUERY_STRING of M=D could return a directory listing rather than
> >        the expected index page.  CAN-2001-0731

Mutliviews в России малоиспользуемая вещь.

> >      The security issues above have been assigned standardized names, CAN-
> >      by the Common Vulnerabilities and Exposures project (cve.mitre.org)

Для меня, например, больший интерес представляет bugfix:

Under certain circumstances a child may crash due to a bug in mod_include.
If a server uses an ErrorDocument for 404 (request not found) errors
which points to a server-parsed HTML file which uses a
<!--#include virtual="file" --> section, then a request containing
%2f will result in a segfault. The segfault is harmless and does not
cause a security problem, but is being triggered by the recent IIS worm 

А вообще, читайте apacheweek.com и вам будет щастье.

Игорь Сысоев

=============================================================================
=               Apache-Talk@lists.lexa.ru mailing list                      =
Mail "unsubscribe apache-talk" to majordomo@lists.lexa.ru if you want to quit.
=       Archive avaliable at http://www.lexa.ru/apache-talk                 =



 




Copyright © Lexa Software, 1996-2009.