RE: RE: RE: [suse-security] Fwd: [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
Thanks Peter. Just one more question: Do the patches for earlier versions (SuSE 7.x) also use the Apache 1.3.26 patch? Or Apache's back-porting of the fix? Or did SuSE have to backport the fix independently?

Sorry to be a pain about this. My nervousness stems from the Apache team's comments indicating that backporting is complex and very risky. I just want to understand the risks I am taking.

-----Original Message-----
From: Peter Poeml [mailto:poeml@suse.de]
Sent: Tuesday, June 25, 2002 9:13 AM
To: Alan Rouse
Subject: Re: RE: RE: [suse-security] Fwd: [SECURITY] Remote exploit for 32-bit Apache HTTP Server known

Hi Alan,

On Tue, Jun 25, 2002 at 09:08:20AM -0400, Alan Rouse wrote:
> If I missed some information I apologize. All I saw from SuSE was the announcement found here:
>
> http://lists2.suse.com/archive/suse-security-announce/2002-Jun/0003.html
>
> According to that announcement, "On 32bit architectures, this overflow cannot be exploited to inject code into the httpd process and gain access to the machine".
>
> Despite the condescending replies I've received from some on this list, I think my question is reasonable. I simply would like to hear from SuSE whether or not you believe this patch addresses the remote access threat which was disclosed after your patch was released.

Ah, I see the point that you are asking about. Sure, this is a fair request.

There is some confusion about a patch released by the ISS. That patch was premature and not sufficient. The patch that Olaf added is one pulled from the CVS of the Apache group and approved by them. The message of the second announcement of the Apache group basically is "don't use the premature patch but ours".

I hope it's clearer now. Don't hesitate to bug us further.

Best wishes,
Peter

--
VFS: Busy inodes after unmount. Self-destruct in 5 seconds. Have a nice day...

Participants (1): Alan Rouse