
Re: [Sheflug] [Fwd: CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability]



> overflow, thus prevent arbitrary code execution. It might be possible to DOS
> a system like this though. 64-bit systems however can be attacked
> successfully.
> Conectiva may just be playing it safe (or, setting the cat amongst the
> pigeons and panicking everyone... :) ).

I think Conectiva were just saying that at least some part of the 
vulnerability affects their build of Apache, so a DOS vulnerability would fit 
:)

> > Red Hat seem to be quite calm on the matter, saying 'we will release a
> > patch  when we get one'.
>
> Better yet, create one, seeing as fixed versions of the source are
> available

I think the vendor responses were gathered before the fixes were released, 
judging by the wording. To quote Red Hat:

"We are currently investigating the issue and will work on producing errata 
packages when an official fix for the problem is made available."

This indicates that the official fix wasn't available at time of comment.

Still, a fix is available from the Apache crew, so all should be well soon.

Craig
___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.