On Thu, Jul 19, 2001 at 10:02:17PM +0100, michael.ryan@storm.ie wrote:
... on the same thread ... are there any known exploits/vulnerabilities for Apache 1.3.12 running on SuSE? (The only issue I found on http://www.suse.com/us/support/security/index.html was dated 07-09-2000 and just required a minor edit to httpd.conf) should I upgrade to 1.3.19 anyway?
TIA Michael
It depends on how you have apache configured. Excerpt of the security related entries in the changelog of apache (the changes in 1.3.20 are not relevant on Linux):
Changes with Apache 1.3.19
*) Under certain circumstances, Apache did not supply the right response headers when requiring authentication. [Gertjan van Wingerde
] PR#7114 Changes with Apache 1.3.18 [not released]
*) SECURITY: The default installation could lead to mod_negotiation and mod_dir/mod_autoindex displaying a directory listing instead of the index.html.* files, if a very long path was created artificially by using many slashes. Now a 403 FORBIDDEN is returned. [Martin Kraemer]
Changes with Apache 1.3.17
*) Normalize the Netware path names to close a potential security hole in comparing paths when the adminstrator specifies both sys:foo and sys:/foo formats in the same httpd.conf file. [Brad Nicholes]
Changes with Apache 1.3.15 [not released]
*) Restore functionality broken by the mod_rewrite security fix: rewrite map lookup keys and default values are now expanded so that the lookup can depend on the requested URI etc. [Tony Finch] PR #6671
Changes with Apache 1.3.13 [not released]
*) Tighten up the syntax checking of Host: headers to fix a security bug in some mass virtual hosting configurations that can allow a remote attacker to retrieve some files on the system that should be inaccessible. [Tony Finch]
*) Fix a security problem that affects some configurations of mod_rewrite. If the result of a RewriteRule is a filename that contains expansion specifiers, especially regexp backreferences $0..$9 and %0..%9, then it may have been possible for an attacker to access any file on the web server. [Tony Finch]
Hope that helps, Peter -- Peter Poeml poeml@suse.de ------------------------------------------------------------------------------- VFS: Busy inodes after unmount. Self-destruct in 5 seconds. Have a nice day...