Mailinglist Archive: opensuse-security (499 mails)

< Previous Next >
Re: [suse-security] SuSE Apache patch sufficient?
  • From: Jeremy Buchmann <jeremy@xxxxxxxxxxxxxxx>
  • Date: Thu, 20 Jun 2002 11:50:25 -0700
  • Message-id: <94EEEB66-847E-11D6-B5AA-000502E740BA@xxxxxxxxxxxxxxx>

On Thursday, June 20, 2002, at 09:04 AM, Alan Rouse wrote:

So, why should they bring out a fixed version, if there were not a
_potential_ exploit? Remote root will not be, because apache doesn't
run
as root, but wwwrun might be. I don't see the point of this
discussion.
There was a bug, there is a fix. SuSE did a great and fast job.

SuSE did not claim to have fixed a remote root exploit. They claimed to
have fixed a DDOS. They specifically stated that the bug they addressed
could not be used to inject code and gain access to the machine. That
doesn't make me very confident that their patch addresses the newly
disclosed problem (which specifically DOES inject code and gain access
to the machine).

The DoS is caused by a buffer overflow that kills the child process,
forcing the parent httpd process to spawn a new child. This spawing
requires resources, which is your DoS. According to what I've read,
that buffer overflow is the same one that some are now using to gain
root access. So if the overflow is fixed, the DoS and remote root are fixed.

--Jeremy


< Previous Next >
References