Re: apache security issue (with upstream new release)

[Matthew Wilcox <willy@debian.org>]

On Fri, Oct 31, 2003 at 09:07:57PM +0900, Hideki Yamane wrote:
>  I checked woody's apache source and I cannot find any patches 
>  for mod_alias.c in apache-1.3.26/debian/patches directory.
>  So I guess debian's apache is effected by this vulnerability.
>  
>  Do I misunderstand this? Does apache package in debian not
>  require security update?
> 
>  please tell me. thanks.

We believe that there is no security update required because intentionally
exploiting this vulnerability requires access to apache's configuration
(either http.conf or .htaccess).  If a malicious user has access to those
configuration files, they can do many other Bad Things to apache anyway.
So this is not worth fixing.

In the other case, an admin who unintentionally sets up a rule that
would cause this buffer overflow also seems terribly unlikely.

"Fix buffer overflows in mod_alias and mod_rewrite which occurred if
one configured a regular expression with more than 9 captures."

Therefore, we believe no security update is warranted.

[And I'm getting bored of answering this question.]

-- 
"It's not Hollywood.  War is real, war is primarily not about defeat or
victory, it is about death.  I've seen thousands and thousands of dead bodies.
Do you think I want to have an academic debate on this subject?" -- Robert Fisk