Bug 714182
Summary: | apache-2.2.17 vulnerable to local DoS | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Dave <dwreski> |
Component: | httpd | Assignee: | Joe Orton <jorton> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | | |
Version: | 14 | CC: | jorton, pahan, thoger, tom.setliff |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Doc Type: | Bug Fix | Last Closed: | 2011-11-10 01:30:16 UTC |
Description
Dave
2011-06-17 14:49:18 UTC
What is the status of this? f15 appears to use the same version of apache, so not sure what's going on. Is there a more appropriate place to investigate this?

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0419 is being a pain; an update for Fedora would be greatly appreciated.

This is related to, if not a dupe of, https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0419 but that issue seems to only be addressed in RHEL.

At least one security company (Security Metrics) considers 2.2.17 by itself enough of an issue to fail customers, even if updating other packages solves the issue.

Correction, our security company says we need > 2.2.18, so I guess only 2.2.9 would pass.

CVE-2011-0419 (and the related CVE-2011-1928) affected the apr library used by httpd. While the httpd source embeds a copy of the apr library sources, Fedora httpd packages do not use the embedded apr and link against the system apr package. An apr update fixing this flaw was pushed to stable before this bug was created:

https://admin.fedoraproject.org/updates/apr-1.4.5-1.fc14
http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061177.html

Does anyone disagree with closing this notabug?

I agree; closing out.
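
Added example, not part of the bug report: a host-side check that evaluates the apr library httpd actually loads instead of the httpd version a scanner reads from the banner. The function names and the sample `ldd` output are constructed for illustration; the check assumes the fix arrives as a version bump (apr 1.4.5, as in the Fedora update linked above) rather than a backport under an older version number.

```shell
#!/bin/sh
# First apr version carrying the fix, per the apr-1.4.5-1.fc14 update in this bug.
FIXED_APR="1.4.5"

# apr_path: read `ldd` output on stdin, print the file libapr-1 resolves to.
apr_path() {
    awk '$1 ~ /^libapr-1\.so/ && $2 == "=>" { print $3; exit }'
}

# ver_ge A B: succeed when dotted numeric version A >= B, field by field.
ver_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# assess LDD_OUTPUT APR_VERSION: print a one-line verdict for the host.
assess() {
    path=$(printf '%s\n' "$1" | apr_path)
    if [ -z "$path" ]; then
        echo "no-shared-apr: httpd may carry its bundled apr copy, audit that instead"
    elif ver_ge "$2" "$FIXED_APR"; then
        echo "patched: $path from apr $2"
    else
        echo "vulnerable: $path from apr $2 (< $FIXED_APR)"
    fi
}

# Constructed sample of `ldd /usr/sbin/httpd` output on a Fedora-style host.
SAMPLE_LDD='    libaprutil-1.so.0 => /usr/lib64/libaprutil-1.so.0 (0x00007f0000200000)
    libapr-1.so.0 => /usr/lib64/libapr-1.so.0 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007effffc00000)'

assess "$SAMPLE_LDD" "1.4.2"   # apr older than the fixed release
assess "$SAMPLE_LDD" "1.4.5"   # apr at the fixed release

# On a live host (assumes an RPM-based system with httpd at /usr/sbin/httpd):
#   assess "$(ldd /usr/sbin/httpd)" "$(rpm -q --qf '%{VERSION}' apr)"
```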