RE: [suse-security] SuSE Apache patch sufficient?
So either they are bluffing or the exploit does exist. I prefer not to assume the former. And I don't exactly consider these folks a trusted third party.
You're right - this also confused me. I guess they are bluffing... So I tried it against different systems and it didn't work.
The comments imply that there is a different exploit for each OS (different "peculiarity" in each one makes it possible) and they only released the one for OpenBSD. Even Apache seems to have believed that it was not exploitable on 32 bit *nix. They are recommending upgrading to 1.3.26, which they say corrects the "core" problem. Hopefully they are right. Since the Linux exploit has not been published it's hard to know whether this fixes the problem... but if it is sufficient against the published OpenBSD exploit then I guess we have to go with that. However, I'm patching SuSE 7.0, 7.1, and 7.2. I guess I'm not going to get exactly 1.3.26 from SuSE for these. So I'd really like some sort of statement from SuSE indicating whether or not the potential remote root issue on my system will be addressed by their patch.
On Jun 20, Alan Rouse
However, I'm patching SuSE 7.0, 7.1, and 7.2. I guess I'm not going to get exactly 1.3.26 from SuSE for these. So I'd really like some sort of statement from SuSE indicating whether or not the potential remote root issue on my system will be addressed by their patch.

So, why should they bring out a fixed version, if there were not a _potential_ exploit? Remote root will not be, because Apache doesn't run as root, but wwwrun might be. I don't see the point of this discussion. There was a bug, there is a fix. SuSE did a great and fast job.
Markus
--
__________________           /"\
Markus Gaugusch              \ /    ASCII Ribbon Campaign
markus@gaugusch.at            X     Against HTML Mail
                             / \
Participants (2): Alan Rouse, Markus Gaugusch