Please take care of this issue.  This seems to affect the version in
sid as well.  Please mention the CAN in the changelog when you
prepare an update.

Mark J Cox wrote:
> A number of users have reported that after upgrading to 2.0.51 their
> password protected pages have been served without requiring
> authentication.  This is due to a change made between 2.0.50 and 2.0.51
> which broke the merging of the Satisfy directive.  This affects any
> installation using the "Satisfy" directive, and is CAN-2004-0811.
> 
> If you have issued 2.0.51 updates using the official Apache 2.0.51 tarball
> you are vulnerable to this issue and should apply the patch for
> CAN-2004-0811 below.  The ASF is looking at producing a 2.0.52 within the
> next day or two that includes this fix.
> 
> If you used the patches we supplied for the last security fixes and did a
> backported update then this issue will not affect you.
> 
> http://www.apache.org/dist/httpd/patches/apply_to_2.0.51/CAN-2004-0811.patch
> 
> This issue is public.
> 
> NISCC, please can you forward this message on to the list of folks you 
> notify about Apache issues.
> 
> Thanks, Mark
> -- 
> Mark J Cox / Red Hat Security Response Team

Regards,

        Joey

-- 
Unix is user friendly ...  It's just picky about its friends.

Please always Cc to me when replying to me on the lists.
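
An added triage sketch, not part of the original mail or of any Apache or Debian tooling: it flags a host whose server banner reports 2.0.51 and whose configuration has active Satisfy directives, the combination the advisory names. The banner text, file names and configuration contents below are constructed samples, and the function names are hypothetical.

```python
import re

AFFECTED = (2, 0, 51)  # advisory: regression introduced between 2.0.50 and 2.0.51
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
# Directive names are case-insensitive; anchoring at line start skips "# Satisfy ..." comments.
SATISFY_RE = re.compile(r"^\s*Satisfy\s+(\S+)", re.IGNORECASE)

def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` style output, or None."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None

def find_satisfy(configs):
    """Return (file, line_no, value) for every active Satisfy directive."""
    hits = []
    for name, text in configs.items():
        for no, line in enumerate(text.splitlines(), 1):
            m = SATISFY_RE.match(line)
            if m:
                hits.append((name, no, m.group(1)))
    return hits

def triage(banner, configs):
    version = parse_version(banner)
    hits = find_satisfy(configs)
    # A 2.0.51 build that already carries the CAN-2004-0811 patch shows the same
    # banner, so a positive result means "confirm the patch is applied".
    return {"version": version, "satisfy": hits,
            "check_patch": version == AFFECTED and bool(hits)}

# Constructed sample input (not taken from the advisory).
SAMPLE_BANNER = "Server version: Apache/2.0.51\nServer built:   Sep 20 2004 12:00:00"
SAMPLE_CONFIGS = {
    "httpd.conf": """<Directory "/var/www/private">
    AuthType Basic
    AuthName "Private"
    AuthUserFile /etc/apache2/htpasswd
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
    Satisfy Any
</Directory>
# Satisfy All
""",
    "private/reports/.htaccess": "satisfy all\n",
}

if __name__ == "__main__":
    print(triage(SAMPLE_BANNER, SAMPLE_CONFIGS))
```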

