Mailinglist Archive: opensuse-security (499 mails)

RE: [suse-security] SuSE Apache patch sufficient?
  • From: "Alan Rouse" <ARouse@xxxxxxxx>
  • Date: Thu, 20 Jun 2002 11:53:26 -0400
  • Message-id: <382BC0C28F397F4785E7414B8279F5271B52EC@xxxxxxxxxxxxxxxxxxxxxxx>
>> So either they are bluffing or the exploit does exist. I prefer not to
>> assume the former. And I don't exactly consider these folks a trusted
>> third party.
>
> you're right - this also confused me. I guess they are bluffing...
> So I tried it against different systems and it didn't work.

The comments imply that there is a different exploit for each OS
(different "peculiarity" in each one makes it possible) and they only
released the one for OpenBSD.

Even Apache seems to have believed that it was not exploitable on 32 bit
*nix. They are recommending upgrading to 1.3.26, which they say
corrects the "core" problem. Hopefully they are right. Since the Linux
exploit has not been published it's hard to know whether this fixes the
problem... but if it is sufficient against the published OpenBSD exploit
then I guess we have to go with that.

However, I'm patching SuSE 7.0, 7.1, and 7.2. I guess I'm not going to
get exactly 1.3.26 from SuSE for these. So I'd really like some sort of
statement from SuSE indicating whether or not the potential remote root
issue on my system will be addressed by their patch.
