Mailinglist Archive: opensuse-security (499 mails)

< Previous Next >
RE: [suse-security] SuSE Apache patch sufficient?
  • From: "Alan Rouse" <ARouse@xxxxxxxx>
  • Date: Thu, 20 Jun 2002 12:04:18 -0400
  • Message-id: <382BC0C28F397F4785E7414B8279F5271B52ED@xxxxxxxxxxxxxxxxxxxxxxx>
> So, why should they bring out a fixed version, if there were not a
> _potential_ exploit? Remote root will not be, because apache doesn't
run
> as root, but wwwrun might be. I don't see the point of this
discussion.
> There was a bug, there is a fix. SuSE did a great and fast job.

SuSE did not claim to have fixed a remote root exploit. They claimed to
have fixed a DDOS. They specifically stated that the bug they addressed
could not be used to inject code and gain access to the machine. That
doesn't make me very confident that their patch addresses the newly
disclosed problem (which specifically DOES inject code and gain access
to the machine).

< Previous Next >
Follow Ups