On Tue, Jun 25, 2002 at 09:26:56AM -0400, Alan Rouse wrote:

> According to that announcement, "On 32bit architectures, this overflow cannot be exploited to inject code into the httpd process and gain access to the machine".

Yes, that was before someone proved the Apache team wrong and published an exploit. We will update the advisory soonishly; for now our resources are somewhat tied up dealing with the OpenSSH issue.

> Despite the condescending replies I've received from some on this list, I think my question is reasonable. I simply would like to hear from SuSE whether or not you believe this patch addresses the remote access threat which was disclosed after your patch was released.

The bug has not changed; it was just an exploit that got released which changed the perception of the bug's impact. In other words: we believe our patch fixes the problem.

Cheers,
Olaf
-----Original Message-----
From: Peter Poeml [mailto:poeml@suse.de]
Sent: Monday, June 24, 2002 5:01 PM
To: Alan Rouse
Cc: suse-security@suse.com
Subject: Re: RE: [suse-security] Fwd: [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
On Mon, Jun 24, 2002 at 04:21:08PM -0400, Alan Rouse wrote:

> > > Is another version coming soon?
> >
> > It's not the label of our package that matters -- but what's inside :)
> >
> > Peter
>
> And how are we supposed to know what is inside unless you tell us?

If the information in the respective announcement is not enough, or you want to prove us wrong, you can download the source RPM and look into it, read the patch and so on. Of course, the amount of detail in the announcement could be subject of discussion. :^}

By the way, just as a contrary effect, a package might contain fixes that are not typically included in a given released version, such as fixes that are already in cvs but not in a certain release.

Peter
--
VFS: Busy inodes after unmount. Self-destruct in 5 seconds. Have a nice day...
--
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann