DESCRIPTION There are two vulnerabilities in the Apache web
server as shipped with Conectiva Linux.
1) Under certain configurations, the mod_rewrite module could be
used to access any file on the server, provided that filesystem
access rights permitted that. Now the mod_rewrite module makes a
one-pass expansion and is no longer vulnerable to this.
2) The other vulnerability is in the handling of Host:
headers in mass virtual hosting configurations. The check for dot
(".") characters in that header was not complete and could permit
access to a parent directory.
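
A strict check of the Host value before it is mapped to a per-host directory, as an added example in C (not code from this advisory or from Apache); the name `vhost_docroot` and the base path `/srv/vhosts` are assumptions. It goes beyond a dot check by requiring every dot-separated label to be non-empty and made only of letters, digits and hyphens.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Apache's code: validate a Host value and build the
 * per-host directory under `base`. Returns 0 if accepted, -1 to refuse. */
int vhost_docroot(const char *host, const char *base, char *out, size_t outlen)
{
    size_t i, n = strlen(host), label = 0, blen = strlen(base);
    const char *colon = strchr(host, ':');
    if (colon) {                        /* optional ":port", digits only */
        const char *p = colon + 1;
        if (*p == '\0') return -1;
        for (; *p; p++)
            if (!isdigit((unsigned char)*p)) return -1;
        n = (size_t)(colon - host);     /* IPv6 literals are refused here */
    }
    if (n == 0 || n > 253) return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label == 0) return -1;  /* leading dot or ".." */
            label = 0;
        } else if (isalnum(c) || c == '-') {
            if (++label > 63) return -1;
        } else return -1;               /* '/', '\\', '%', spaces, ... */
    }
    if (label == 0) n--;                /* drop one trailing dot (FQDN form) */
    if (blen + 1 + n + 1 > outlen) return -1;
    memcpy(out, base, blen);
    out[blen] = '/';
    for (i = 0; i < n; i++)             /* host names are case-insensitive */
        out[blen + 1 + i] = (char)tolower((unsigned char)host[i]);
    out[blen + 1 + n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample Host values, not taken from the advisory. */
    const char *s[] = { "www.example.com", "Example.COM:8080", "..", "a..b", "a.b/.." };
    char path[128];
    for (size_t i = 0; i < sizeof s / sizeof *s; i++) {
        int rc = vhost_docroot(s[i], "/srv/vhosts", path, sizeof path);
        printf("%-18s -> %s\n", s[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```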
SOLUTION It is recommended that users who use mod_rewrite or
virtual hosting update their servers. Users of Conectiva Linux 4.1
and 4.2 will also find apache-1.3.12 on the FTP site. That package
should be used by those who upgraded to 1.3.12 because of the
IMP/HORDE advisory a while ago.