Fixed version of Apache 1.3 available (fwd)

ME dugan at passwall.com
Tue Jun 18 17:04:24 PDT 2002


(I lied, here is one follow-up to this)

FYI, new version of apache released in source form. If you "use the source
(luke)" copies are available. If you use the prepackaged ones, you should
check your vendor often for new updates as they will likely be expected
"soon".

http://www.apache.org/ (main site) 
http://www.apache.org/dyn/closer.cgi (download from a mirror)
http://www.apache.org/dist/ (download from the original site)

Latest for openssl is from May 16th (0.9.6d stable)
http://www.openssl.org/
Latest modssl is still for apache 1.3.24
   (nothing yet for the present release of apache)

Latest mod_dav is 1.0.3-1.3.6 from 05-Nov-2001
http://www.webdav.org/mod_dav/

Latest mod_perl is 1.27 (Jun 5, 2002)
http://perl.apache.org/#download

I would expect mod_dav and mod_perl to work just fine when compiled
against the new apache tree, but mod_ssl does some internal version
checking with apache and applies some diff patches before apache is
compiled. The default is to complain and not apply all patches. Certainly,
you can try to modify the contents of pkg.sslmod/libssl.version to 1.3.26
and deal with the patches on your own to make sure it all works, but there
is a lot of work tracking each patch down and doing it all manually.

No news yet on mod_ssl but the question have been raised asking about its
next release for working with apache_1.3.26

If someone else does not post that here, perhaps I'll pass notice. If
anyone else notices the new mod_ssl version before me, I think there are
at least 4 others on this list who would want to know about it.

-ME

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++ 
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ !PGP
t at -(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html

---------- Forwarded message ----------
Date: Tue, 18 Jun 2002 16:26:38 -0600 (MDT)
From: Dave Ahmad <da at securityfocus.com>
To: bugtraq at securityfocus.com
Subject: Fixed version of Apache 1.3 available


Hey all,

Jay Dyson reported earlier that Apache httpd 2.0.39 was available for
download.  Version 1.3.26 is now available:

http://httpd.apache.org/dist

See also:

http://www.apache.org/dist/httpd/Announcement.html

On Tue, 18 Jun 2002, Jay D. Dyson wrote:

> >    The Apache Software Foundation has released two new versions of Apache
> >    that correct this vulnerability. System administrators can prevent the
> >    vulnerability  from  being  exploited  by  upgrading to Apache version
> >    1.3.25  or  2.0.39.
>
>       I've just visited http://httpd.apache.org/ for the upgrade on
> Apache and noted that v2.0.39 is available[*], but v1.3.25 is nowhere to
> be found.  Is anyone in the know on an ETA for Apache v1.3.25?
>
> - -Jay

Dave Ahmad
SecurityFocus
www.securityfocus.com






More information about the talk mailing list