[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Apache Exploit Released - where is an update for Woody?

On Thu, Jun 20, 2002 at 12:04:40PM -0500, Derrick 'dman' Hudson wrote:
> On Thu, Jun 20, 2002 at 01:29:04PM +1000, John wrote:
> | There's now an exploit in the wild for Apache (the chunked whatever 
> | bug). The DSA mentions an update which is version 1.3.9-14.1
> | 
> | We need a version > 1.2.12, and are running 1.3.23 from woody. Is there 
> | any idea where a patched 1.3.23 for woody might be? Or should I install 
> | from source from apache.org?
> 
> Woody currently has 1.3.24-3 (as does sid).  (at least, according to
> the mirror I use)
> 
> Nonetheless, the DSA says it affects 64-bit architectures.  It sounds
> like if you're not using a 64-bit system (eg SPARC or ia64) then you
> aren't vulnerable.
> 
> <quote>
> ... might allow arbitrary code execution on 64 bit architectures.
> </quote>

The exploit proved this false. The exploit was for openbsd on i386. It would
probably be trivial to port it to linux. It's just a matter of time... Time
probably measured in hours.


-- 
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: