Marcus,

Thanks for clarifying it for me.

Have a great day,
Jeff

Marcus Meissner said the following on 6/3/08 2:17 AM:
On Mon, Jun 02, 2008 at 02:47:08PM -0400, Jeff VanDeRyt wrote:
Hi, I have a question about the security updates for Apache 2 which are detailed in SUSE-SA:2008:021, and how it relates to SLES 9 and OES on SLES9.
The Security Announcement lists 7 CVE numbers and includes links to updates for Apache and Apache 2 on SLES9 (http://support.novell.com/techcenter/psdb/484f33da03a9e3e4632f40254c4a96a3.h... and http://support.novell.com/techcenter/psdb/2c87b234552522821a81df2a63d03f8c.h...). However, these pages do not list all 7 CVE numbers as being addressed. Specifically, the Apache 2 page does not include CVE-2007-6421 and CVE-2007-6422 (both listed as affecting Apache 2 only).
Does this mean Apache 2 on SLES 9 is not affected by CVE-2007-6421 and CVE-2007-6422?
Hi,
CVE-2007-6421 and CVE-2007-6422 only affect the Apache 2.2 series, while SLES 9 has Apache 2.0.59.
See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6421 and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6422
(mod_proxy_balancer is new in Apache2 2.2.)
Tangentially related, what about CVE-2007-6420 and 2007-6423? They are included in the original SecurityAlert from SecurityReason (http://securityreason.com/securityalert/48) which included CVE-2007-6421 and CVE-2007-6422.
CVE-2007-6420 has not been fixed by upstream at the time of this update; we reminded them of it, however.
CVE-2007-6423 only affects Apache on Windows (see original report and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6423 ).
Ciao, Marcus