Mailinglist Archive: opensuse-security (499 mails)

RE: [suse-security] SuSE Apache patch sufficient?
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Thu, 20 Jun 2002 17:38:10 +0200 (MEST)
  • Message-id: <Pine.LNX.4.44.0206201736470.31712-100000@xxxxxxxxxxxx>
> > Again:
> > No, the exploit posted on vulnwatch this morning works against xBSD
> > only.
>
> If you read the comments in the .c file, you will see their claim that
> they have exploited this under linux. Quoting below:
>
> * However, contrary to what ISS would have you believe, we have
> * successfully exploited this hole on the following operating systems:
> *
> * Sun Solaris 6-8 (sparc/x86)
> * FreeBSD 4.3-4.5 (x86)
> * OpenBSD 2.6-3.1 (x86)
> * Linux (GNU) 2.4 (x86)
>
> So either they are bluffing or the exploit does exist. I prefer not to
> assume the former. And I don't exactly consider these folks a trusted
> third party.
>

Unless I see the exploit working, I don't believe it.

This, however, does not have any influence on the severity of the bug: a
_possible_ code execution vulnerability is just as bad as an evident code
execution vulnerability.


Roman.
--
- -
| Roman Drahtmüller <draht@xxxxxxx> // "You don't need eyes to see, |
SuSE Linux AG - Security Phone: // you need vision!"
| Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
- -

