
Re: Apache 1.3.x security bug in woody? CAN-2003-0460 etc.



* Drew Scott Daniels (umdanie8@cc.UManitoba.CA) wrote :
> On Thu, 7 Aug 2003, Thom May wrote:
> 
> > * Drew Scott Daniels (umdanie8@cc.UManitoba.CA) wrote :
> > > Woody's apache 1.3.x seems to be still vulnerable to bug 167752 [1]. Is
> > > this really the case? Fwiw, this *might* be one of the problems which was
> > > fixed upstream with 1.3.28 [2]. Have the other potential security bugs
> > > fixed in 1.3.28 been checked against apache in woody?
> > >
> > Woody's 1.3 is the reason that bug is there. Did you bother reading the bug
> > report? The problems were fixed in a stable security upload.
> > FWIW, these aren't the bugs that were fixed in 1.3.28; since they were
> > implemented in an extremely platform dependent way we're working on cleaning
> > them up in a cross platform friendly manner.
> 
> I didn't reread it recently, sorry. I've read it now. While it was put
> into stable and unstable, I'm still not clear as to whether upstream even
> knows about bug 167752.
> 
Ok. I am upstream. When I said 
> > since they were
> > implemented in an extremely platform dependent way we're working on
> > cleaning them up in a cross platform friendly manner"

I did in fact mean "we" to be upstream, and "they" to be the bugs noted in
167752.
One of the bugs (buffer overflow in htdigest, iirc) is fixed, check the
changelog or viewcvs.
The other two will be.
-Thom


