Re: Apache Exploit Released - where is an update for Woody?
On Thu, Jun 20, 2002 at 12:04:40PM -0500, Derrick 'dman' Hudson wrote:
> On Thu, Jun 20, 2002 at 01:29:04PM +1000, John wrote:
> | There's now an exploit in the wild for Apache (the chunked whatever
> | bug). The DSA mentions an update which is version 1.3.9-14.1
> |
> | We need a version > 1.2.12, and are running 1.3.23 from woody. Is there
> | any idea where a patched 1.3.23 for woody might be? Or should I install
> | from source from apache.org?
>
> Woody currently has 1.3.24-3 (as does sid). (at least, according to
> the mirror I use)
>
> Nonetheless, the DSA says it affects 64-bit architectures. It sounds
> like if you're not using a 64-bit system (eg SPARC or ia64) then you
> aren't vulnerable.
>
> <quote>
> ... might allow arbitrary code execution on 64 bit architectures.
> </quote>
The exploit proved this false. The exploit was for openbsd on i386. It would
probably be trivial to port it to linux. It's just a matter of time... Time
probably measured in hours.
--
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: