SECURITY: vulnerabilities update
Yaakov (Cygwin Ports)
yselkowitz@users.sourceforge.net
Tue Sep 9 03:02:00 GMT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Package maintainers,

Thank you to those who have updated your packages for the last batch of
security vulnerabilities. There are two newly announced
vulnerabilities, including one orphaned package which needs some help:

By maintainer
=============
ORPHANED: apache2
Lapo Luchini: lighttpd
Charles Wilson: tiff, unzip

By package
==========
apache2 *** ORPHANED ***
problem: multiple vulnerabilities (CVE-2007-6420, CVE-2008-1672/2364,
CVE-2008-2939)
solution: bump to 2.2.9 AND add this patch:
http://svn.apache.org/viewvc?view=rev&revision=682870
info: http://www.gentoo.org/security/en/glsa/glsa-200807-06.xml
(Those wishing to take this over may find this helpful:
http://cygwin-ports.svn.sourceforge.net/viewvc/cygwin-ports/ports/trunk/www/apache2/
BUT the recent patch is not included in SVN yet.)

lighttpd
problem: multiple vulnerabilities (CVE-2008-1270/1531)
solution: bump to 1.4.19 AND apply these patches:
http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-servers/lighttpd/files/1.4.19-r2/
info: http://www.gentoo.org/security/en/glsa/glsa-200804-08.xml

tiff
problem: multiple buffer underflows (CVE-2008-2327)
solution: apply this patch
http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/media-libs/tiff/files/tiff-3.8.2-CVE-2008-2327.patch
info: http://www.gentoo.org/security/en/glsa/glsa-200809-07.xml

unzip
problem: execution of arbitrary code (CVE-2008-0888)
solution: apply this patch
http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/app-arch/unzip/files/unzip-5.52-CVE-2008-0888.patch
info: http://www.gentoo.org/security/en/glsa/glsa-200804-06.xml

Yaakov
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEAREIAAYFAkjF5QsACgkQpiWmPGlmQSOWsACg9W6+8M9uKTzY0nuXzjEha3uc
vgEAoLXI22Eq40MM8C70ltPhRCvTBG7L
=QP0I
-----END PGP SIGNATURE-----