Apache patches on Solaris 10

This is a blog posting with a bit of self-interest attached. The self interest being to try to save myself some unnecessary support call handling.

You may have seen the Sun Security blog addressing the CVE-2010-1452 mod_dav Vulnerability in Apache 2.0.x HTTP Server issue.

The patches that this blog points to mention in the README

        6972023 upgrade httpd to 2.2.16 (CVE-2010-1452, CVE-2010-2068)

This bug synopsis is misleading. The patch does not actually upgrade httpd to 2.2.16. What it does is to backport the fixes for the CVEs mentioned. The patch README should be shortly updated to make this clearer.

Now, that being said you may also note after installation that it still identifies as Apache 2.0.63 and you may have concerns about vulnerabilities addressed in 2.0.64 mentioned on the Apache web site.

The way that we maintain Apache on Solaris 10 is not to drop in new releases as they happen, rather we take the fixes mentioned and backport them to our 2.0.63 codebase.

Inside the patch are two files called README.sfw.

        usr/share/src/apache2/README.sfw
        usr/share/src/apache2/modperl/README.sfw

If you have the Apache source product installed these files will be installed/updated on your system. If you do not, the files will still be present in the actual patch and you can find them under one of the reloc directories. At the end of these files we document which fixes have been backported.

Please consult these files before logging support calls asking questions of the form “Is your version of Apache is vulnerable to …?”

About these ads

Written by Alan

February 21, 2011 at 7:04 pm

Posted in Security, Solaris, Work