
Apache 2.2.22 for CentOS

Posted by Philipp Esselbach on: 02/02/2012 09:19 AM

CentALT has released Apache 2.2.22 packages for CentOS 5 and 6.

Changes with Apache 2.2.22

*) SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
some reverse proxy configurations. [Joe Orton]

*) SECURITY: CVE-2011-3607 (cve.mitre.org)
Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
is enabled, could allow local users to gain privileges via a .htaccess
file. [Stefan Fritsch, Greg Ames]

*) SECURITY: CVE-2011-4317 (cve.mitre.org)
Resolve additional cases of URL rewriting with ProxyPassMatch or
RewriteRule, where particular request-URIs could result in undesired
backend network exposure in some configurations.
[Joe Orton]

*) SECURITY: CVE-2012-0021 (cve.mitre.org)
mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
string is in use and a client sends a nameless, valueless cookie, causing
a denial of service. The issue existed since version 2.2.17. PR 52256.
[Rainer Canavan]

*) SECURITY: CVE-2012-0031 (cve.mitre.org)
Fix scoreboard issue which could allow an unprivileged child process
to cause the parent to crash at shutdown rather than terminate
cleanly. [Joe Orton]

*) SECURITY: CVE-2012-0053 (cve.mitre.org)
Fix an issue in error responses that could expose "httpOnly" cookies
when no custom ErrorDocument is specified for status code 400.
[Eric Covener]

*) mod_proxy_ajp: Try to prevent a single long request from marking a worker
in error. [Jean-Frederic Clere]

*) config: Update the default mod_ssl configuration: Disable SSLv2, only
allow >= 128bit ciphers, add commented example for speed optimized cipher
list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand]

*) core: Fix segfault in ap_send_interim_response(). PR 52315.
[Stefan Fritsch]

*) mod_log_config: Prevent segfault. PR 50861. [Torsten Fortsch]

*) mod_win32: Invert logic for env var UTF-8 fixing.
Now we exclude a list of vars which we know for sure they don't hold UTF-8
chars; all other vars will be fixed. This has the benefit that now also
all vars from 3rd-party modules will be fixed. PR 13029 / 34985.
[Guenter Knauf]

*) core: Fix hook sorting for Perl modules, a regression introduced in
2.2.21. PR: 45076. [Torsten Foertsch]

*) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
A range of '0-' will now return 206 instead of 200. PR 51878.
[Jim Jagielski]

*) Example configuration: Fix entry for MaxRanges (use "unlimited" instead
of "0"). [Rainer Jung]

*) mod_substitute: Fix buffer overrun. [Ruediger Pluem, Rainer Jung]
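
The CVE-2011-3368 entry above describes rejecting request-URIs that do not match the HTTP specification. The following is an added sketch of that kind of check, not code from httpd or from CentALT: the function name request_uri_acceptable and the sample inputs are assumptions, and the absolute form is narrowed to "scheme://".

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Absolute form, narrowed here (assumption) to "scheme://...". */
static int is_absolute_uri(const char *uri)
{
    const char *p = uri;
    if (!isalpha((unsigned char)*p))
        return 0;
    while (isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.')
        p++;
    return strncmp(p, "://", 3) == 0;
}

/* Hypothetical helper: 1 = request-URI has a form RFC 2616 section 5.1.2
 * allows for this method, 0 = answer 400 Bad Request. */
int request_uri_acceptable(const char *method, const char *uri)
{
    if (method == NULL || uri == NULL || uri[0] == '\0')
        return 0;
    if (strcmp(method, "CONNECT") == 0)
        return 1;                     /* authority form, e.g. host:port */
    if (uri[0] == '/')
        return 1;                     /* abs_path */
    if (strcmp(uri, "*") == 0)
        return 1;                     /* server-wide, e.g. OPTIONS * */
    return is_absolute_uri(uri);      /* anything else is rejected */
}

int main(void)
{
    /* Constructed sample request lines, split into method and request-URI. */
    static const char *samples[][2] = {
        { "GET", "/index.html" },
        { "OPTIONS", "*" },
        { "GET", "http://www.example.com/a" },
        { "CONNECT", "www.example.com:443" },
        { "GET", "index.html" },      /* no leading slash: rejected */
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %-28s -> %s\n", samples[i][0], samples[i][1],
               request_uri_acceptable(samples[i][0], samples[i][1])
                   ? "accept" : "400 Bad Request");
    return 0;
}
```
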

To enable the CentALT Repository:

CentOS 5
For i386:
rpm -ihv http://centos.alt.ru/repository/centos/5/i386/centalt-release-5-3.noarch.rpm


For x86_64:
rpm -ihv http://centos.alt.ru/repository/centos/5/x86_64/centalt-release-5-3.noarch.rpm


CentOS 6
For i386:
rpm -ihv http://centos.alt.ru/repository/centos/6/i386/centalt-release-6-1.noarch.rpm


For x86_64:
rpm -ihv http://centos.alt.ru/repository/centos/6/x86_64/centalt-release-6-1.noarch.rpm

