
Re: [Sheflug] [Fwd: CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability]




And Lo! The Great Prophet "Craig Andrews" uttered these words of wisdom...
> To quote the article below:
>
> Conectiva Linux
>
>    "The Apache webserver shipped with Conectiva Linux is vulnerable
>    to this problem. New packages fixing this problem will be announced
>    to our mailing list after an official fix becomes available."
>
> So if this distro's build is vulnerable, what about the others??

Good question, hadn't read all the affected systems bit ... just the bits
that mattered to me :) If you read the Apache bulletin though, it says that
on 32-bit systems, the child process being attacked should die with a stack
overflow, thus preventing arbitrary code execution. It might be possible to DoS
a system like this though. 64-bit systems, however, can be attacked
successfully.
Conectiva may just be playing it safe (or, setting the cat amongst the
pigeons and panicking everyone... :) ).
>
> Red Hat seem to be quite calm on the matter, saying 'we will release a
> patch  when we get one'.
>

Better yet, create one, seeing as fixed versions of the source are available
(yet more quotes from CERT):
>    The Apache Software Foundation has released two new versions of
>    Apache that correct this vulnerability. System administrators can
>    prevent the vulnerability from being exploited by upgrading to
>    Apache version 1.3.25 or 2.0.39.

Chris...

-- 
\ Chris Johnson                 \
 \ cej [at] nightwolf.org.uk          \
  \ http://cej.nightwolf.org.uk/  ~-----------------------------------+
   \ Redclaw chat - http://redclaw.org.uk - telnet redclaw.org.uk 2000 \____
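A quick way to answer "what about the others?" for a box you can log in to, added here as an example and not taken from the list post, CERT or the Apache project: it pulls the version out of an `httpd -v` style "Server version:" line and compares it against the fixed releases the advisory names, 1.3.25 and 2.0.39. The sample line is constructed, not captured from a real host; the function names and output words (fixed / vulnerable / unknown) are this example's own.

```shell
#!/bin/sh
# Added example: check an Apache version string against the releases that
# CERT CA-2002-17 names as fixed (1.3.25 for the 1.3 branch, 2.0.39 for 2.0).
# Not Apache's or any distro's code; function names are this example's own.

# Compare two dotted version numbers; prints -1, 0 or 1 (a < b, a = b, a > b).
vercmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}            # leading component of a ("1" from "1.3.25")
        y=${b%%.*}
        [ -n "$x" ] || x=0    # a shorter version counts as .0 padded
        [ -n "$y" ] || y=0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # drop the compared component
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# Classify one "Server version: Apache/x.y.z ..." line as fixed, vulnerable
# or unknown (not Apache, or a branch the advisory does not cover).
apache_chunk_status() {
    line=$1
    ver=$(printf '%s\n' "$line" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    case $ver in
        1.3.*) fixed=1.3.25 ;;
        2.0.*) fixed=2.0.39 ;;
        *)     echo unknown; return 0 ;;
    esac
    if [ "$(vercmp "$ver" "$fixed")" -ge 0 ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample line (not from a real host), used when no argument is
# given. On a real server run:  sh check.sh "$(httpd -v | head -n 1)"
SAMPLE='Server version: Apache/1.3.23 (Unix)'
apache_chunk_status "${1:-$SAMPLE}"
```

One caveat worth keeping in mind with a check like this: vendors that backport a fix into their existing package (rather than rebuilding from the new upstream tarball) ship a patched server that still reports the old version number, so "vulnerable" here really means "not proven fixed by the version string", and the distro's own advisory or package changelog is the thing to confirm against. A reported 1.3.25 or 2.0.39, on the other hand, is a genuine upstream fix.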



___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.