), and started wondering.
1. Well, the first two messages are clear, they are about security. But what is the third message about? That if some errors come up during compilation, I have to recompile something with a compiler of some particular version? Do I need to react to these messages in some way?
2. Why are the messages dated 2015 and 2016? The date command shows me the correct date
date
Ср окт 11 16:03:31 +08 2017
The messages are below
2015-04-06-apache-addhandler-addtype
Title Apache AddHandler/AddType exploit protection
Author Sebastian Pipping <sping@gentoo.org>
Posted 2015-04-06
Revision 2
Apache's directives AddHandler [1] and AddType [2] can be used
to map certain file name extensions (e.g. .php) to a handler
(e.g. application/x-httpd-php). While a line like
AddHandler application/x-httpd-php .php .php5 .phtml
   ^^^^^^^
matches index.php, it also matches index.php.png.
With
AddType application/x-httpd-php .php .php5 .phtml
   ^^^^
index.php.png is not executed, but index.php.disabled still is.
Apache's notes on multiple file extensions [3] document
a multi-language website as a context where that behavior
may be helpful. Unfortunately, it can also be a security threat.
Combined with (not just PHP) applications that support
file upload, the AddHandler/AddType directive can get you into
remote code execution situations.
That is why >=app-eselect/eselect-php-0.7.1-r4 avoids AddHandler
and is shipping
<FilesMatch "\.(php|php5|phtml)$">
SetHandler application/x-httpd-php
</FilesMatch>
instead.
Why this news entry?
* Since Apache configuration lives below /etc,
you need to run etc-update (or a substitute)
to actually have related fixes applied.
To get them into the running instance of Apache,
you need to make it reload its configuration, e.g.
sudo /etc/init.d/apache2 reload
* If you are currently relying on AddHandler to execute
secret_database_stuff.php.inc, moving away from AddHandler
could result in serving your database credentials in plain
text. A command like
find /var/www/ -name '*.php.*' \
-o -name '*.php5.*' \
-o -name '*.phtml.*'
may help discovering PHP files that would no longer be executed.
Shipping automatic protection for this scenario is not trivial,
but you could manually install protection based on this recipe:
<FilesMatch "\.(php|php5|phtml|phps)\.">
# a) Apache 2.2 / Apache 2.4 + mod_access_compat
#Order Deny,Allow
#Deny from all
# b) Apache 2.4 + mod_authz_core
#Require all denied
# c) Apache 2.x + mod_rewrite
#RewriteEngine on
#RewriteRule .* - [R=404,L]
</FilesMatch>
* You may be using AddHandler or AddType in other places,
including off-package files. Please have a look.
* app-eselect/eselect-php is not the only package affected.
There is a dedicated tracker bug at [4].
As of the moment, affected packages include:
app-eselect/eselect-php[apache2]
net-nds/gosa-core
www-apache/mod_fastcgi
www-apache/mod_flvx
www-apache/mod_python
www-apache/mod_suphp
www-apps/moinmoin
www-apps/rt[-lighttpd]
Thanks to Nico Suhl, Michael Orlitzky and Marc Schiffbauer.
[1] https://httpd.apache.org/docs/current/mod/m...html#addhandler
[2] https://httpd.apache.org/docs/current/mod/m...me.html#addtype
[3] https://httpd.apache.org/docs/current/mod/m...tml#multipleext
[4] https://bugs.gentoo.org/show_bug.cgi?id=544560
2015-10-22-gcc-5-new-c++11-abi
Title GCC 5 Defaults to the New C++11 ABI
Author Mike Frysinger <vapier@gentoo.org>
Posted 2015-10-22
Revision 2
GCC 5 uses the new C++ ABI by default. When building new code, you might run
into link time errors that include lines similar to:
...: undefined reference to '_ZNSt6chrono12steady_clock3nowEv@GLIBCXX_3.4.17'
Or you might see linkage failures with "std::__cxx11::string" in the output.
These are signs that you need to rebuild packages using the new C++ ABI.
You can quickly do so by using revdep-rebuild (from gentoolkit).
For gentoolkit-0.3.1 or higher:
# revdep-rebuild --library 'libstdc++.so.6' -- --exclude gcc
For previous versions of gentoolkit:
# revdep-rebuild --library 'libstdc\+\+\.so\.6' -- --exclude gcc
For more details, feel free to peruse:
https://developerblog.redhat.com/2015/02/05...nd-the-c11-abi/
https://blogs.gentoo.org/blueness/2015/03/1...blem-in-gentoo/
2016-01-27-upgrading-to-apache-2_4
Title Upgrading Apache from 2.2 to 2.4
Author Dirkjan Ochtman <djc@gentoo.org>
Posted 2016-01-27
Revision 1
With the 2.4 branch released by upstream almost 4 years ago, stable
Gentoo systems will soon be upgraded from apache 2.2 to apache 2.4.
When upgrading, some configuration changes will have to be made.
Upstream has a handy guide:
https://httpd.apache.org/docs/2.4/upgrading.html
For more information on all the new features, start here:
https://httpd.apache.org/docs/trunk/new_features_2_4.html
After emerging Apache 2.4, you will also need to rebuild any
third-party modules:
emerge -av1 /usr/lib/apache2/modules --exclude=www-servers/apache
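
The first news item above (AddHandler/AddType) describes three different matching rules. The sketch below is an added example, not part of the original post or the Gentoo news item; it models those rules on file names so you can see which files change behaviour after moving to FilesMatch. It is a simplified model: KNOWN_MIME_EXTS is an assumed stand-in for the extensions that Apache's mime.types already maps, and the sample names are constructed.

```python
import re

PHP_EXTS = {"php", "php5", "phtml"}  # extensions from the directives in the news item
# Assumption: a small stand-in for extensions that already have a MIME type mapping.
KNOWN_MIME_EXTS = {"png", "jpg", "gif", "txt", "html", "css", "js", "pdf"}
# Pattern from the FilesMatch block that eselect-php ships instead of AddHandler.
FILESMATCH = re.compile(r"\.(php|php5|phtml)$")

def extensions(name):
    """Every dot-separated part after the base name counts as an extension."""
    return name.lower().split(".")[1:]

def runs_with_addhandler(name):
    # A handler mapping applies when the extension appears anywhere in the name.
    return any(ext in PHP_EXTS for ext in extensions(name))

def runs_with_addtype(name):
    # The last extension that carries a MIME type decides; unknown ones are skipped.
    for ext in reversed(extensions(name)):
        if ext in PHP_EXTS:
            return True
        if ext in KNOWN_MIME_EXTS:
            return False
    return False

def runs_with_filesmatch(name):
    # Only the final extension counts, because the pattern is anchored with $.
    return FILESMATCH.search(name) is not None

def classify(name):
    """Return (AddHandler, AddType, FilesMatch) execution results for one name."""
    return (runs_with_addhandler(name), runs_with_addtype(name),
            runs_with_filesmatch(name))

def needs_review(names):
    """Names that AddHandler executes but FilesMatch does not: either an upload
    that should never have run, or an include that will now be served as text."""
    return [n for n in names
            if runs_with_addhandler(n) and not runs_with_filesmatch(n)]

# Constructed sample names, taken from the cases the news item mentions.
SAMPLES = ["index.php", "index.php.png", "index.php.disabled",
           "secret_database_stuff.php.inc", "logo.png"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:32} {classify(sample)}")
    print("review:", needs_review(SAMPLES))
```

Every name that needs_review returns is a candidate for the deny recipe in the news item, or for renaming so that it ends in .php.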