25 May 2012 09:05
Re: LD_LIBRARY_PATH issue in 2.2.22 and earlier
Hendrik Schmieder <hendrik.schmieder <at> jedox.com>
2012-05-25 07:05:20 GMT
John Iliffe wrote:
> On Thursday 24 May 2012 13:05:10 Luke Lozier wrote:
>> One of the PCI scanning companies is demanding an upgrade to 2.4.2 due
>> to the issues described in this CVE: Changes with Apache 2.2.23
>>
>> *) SECURITY: CVE-2012-0883 (cve.mitre.org)
>> envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead
>> to the current working directory to be searched for DSOs. [Stefan
>> Fritsch] Is there any idea when 2.2.23 will be released? I'd rather not
>> upgrade to 2.4.2
> I got caught the same way in March (re PCI scanning). Guess my guy is more
> up to date than yours!
>
> There should be no reason that I found not to update to 2.4.2 BUT BE
> CAREFUL OF THE CONFIG FILE CHANGES! For example the "order deny allow"
> format directives no longer work in 2.4.*. There are a few other changes.
>
> Also, do not be tempted to update to PHP 5.4.0 as it will cause segfaults
> in all the child processes for reasons that escape me completely. Use a
> 5.3.x version. This may be my problem but someone on this list was able to
> confirm the issue and said that it is a PHP issue. It may be resolved by
> now.
>

That's a little bit unclear. In their release announcement they said it is fixed
"Fixed bug #61172 (Add Apache 2.4 support)."
<http://www.php.net/archive/2012.php#id2012-04-26-1>
But in the changelog #61172 is only listed for 5.3.11, but not for 5.4.1.

Hendrik
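
The changelog entry quoted in this thread concerns a library search path that ends up with an empty element, which the dynamic loader reads as the current working directory. The shell below is an added example, not part of any message in the thread and not Apache's envvars script; it puts an unconditional prepend beside a guarded one and checks the result. The function names and the path /opt/httpd/lib are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and /opt/httpd/lib are hypothetical.

# Return 0 if a colon-separated search path contains an empty element
# (leading, trailing or doubled colon). The loader treats such an
# element as the current working directory.
has_empty_element() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;   # includes the wholly empty value
    esac
}

# Weak pattern: always appends ":" plus the inherited value, so an empty
# inherited value leaves a trailing colon behind.
prepend_weak() {
    printf '%s' "$1:$2"
}

# Drop empty elements from an inherited path. The body is a subshell so
# the IFS and globbing changes do not leak into the caller.
strip_empty_elements() (
    IFS=:; set -f; out=
    for elem in $1; do
        if [ -n "$elem" ]; then out="${out:+$out:}$elem"; fi
    done
    printf '%s' "$out"
)

# Guarded pattern: clean the inherited value, and add the separator only
# when something is left to separate.
prepend_safe() {
    rest=$(strip_empty_elements "$2")
    printf '%s' "$1${rest:+:$rest}"
}

# Demo with a constructed, empty inherited value (the common case when
# LD_LIBRARY_PATH is not set before the server starts).
for fn in prepend_weak prepend_safe; do
    p=$("$fn" /opt/httpd/lib "")
    if has_empty_element "$p"; then verdict="searches CWD"; else verdict="ok"; fi
    printf '%-13s -> %-18s %s\n' "$fn" "'$p'" "$verdict"
done
```

Running `has_empty_element "$LD_LIBRARY_PATH"` in the environment a service is started from gives a quick check for the same condition on an installed system.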