RE: [suse-security] SuSE Apache patch sufficient?
So, why should they bring out a fixed version, if there were not a _potential_ exploit? Remote root will not be, because apache doesn't run as root, but wwwrun might be. I don't see the point of this discussion. There was a bug, there is a fix. SuSE did a great and fast job.
SuSE did not claim to have fixed a remote root exploit. They claimed to have fixed a DDOS. They specifically stated that the bug they addressed could not be used to inject code and gain access to the machine. That doesn't make me very confident that their patch addresses the newly disclosed problem (which specifically DOES inject code and gain access to the machine).
On Thursday, June 20, 2002, at 09:04 AM, Alan Rouse wrote:
So, why should they bring out a fixed version, if there were not a _potential_ exploit? Remote root will not be, because apache doesn't run as root, but wwwrun might be. I don't see the point of this discussion. There was a bug, there is a fix. SuSE did a great and fast job.
SuSE did not claim to have fixed a remote root exploit. They claimed to have fixed a DDOS. They specifically stated that the bug they addressed could not be used to inject code and gain access to the machine. That doesn't make me very confident that their patch addresses the newly disclosed problem (which specifically DOES inject code and gain access to the machine).
The DoS is caused by a buffer overflow that kills the child process, forcing the parent httpd process to spawn a new child. This spawning requires resources, which is your DoS. According to what I've read, that buffer overflow is the same one that some are now using to gain root access. So if the overflow is fixed, the DoS and remote root are fixed.
--Jeremy
participants (2): Alan Rouse, Jeremy Buchmann