Re: Bug#381376: Status of CVE-2006-3918 #381376

To: Stefan Fritsch <sf@sfritsch.de>
Cc: debian-apache@lists.debian.org, Lo?c Minier <lool@dooz.org>, 381376@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#381376: Status of CVE-2006-3918 #381376
From: Steve Kemp <skx@debian.org>
Date: Sun, 10 Sep 2006 13:34:30 +0100
Message-id: <[🔎] 20060910123430.GA4038@steve.org.uk>
In-reply-to: <[🔎] 200609091322.25401.sf@sfritsch.de>
References: <[🔎] 20060909103508.GA27884@bee.dooz.org> <[🔎] 200609091322.25401.sf@sfritsch.de>

On Sat, Sep 09, 2006 at 01:22:25PM +0200, Stefan Fritsch wrote:
> On Saturday 09 September 2006 12:35, Lo?c Minier wrote:
> >  I think only apache was uploaded for CVE-2006-3918, and not
> > apache2. Do you intend to issue a DSA for apache2 as well?  Or
> > isn't it affected by the vulnerability?
> >
> >  This is fixed in apache2 >= 2.0.55-4.1 in unstable.
> 
> The issue is less severe for apache2 because it is much more difficult 
> to exploit: apache2 will first wait for the request timeout (usually 
> 5 minutes) before sending the problematic error message.

  I have a pending upload of Apache2 for this, but I've been
 unexpectantly busy.  I did intend it to be a day or two after
 the apache update.

  All being well I'll get it released tomorrow.  If not it will
 have to be midweek.

Steve
--

Reply to:

References:
- Bug#381376: Status of CVE-2006-3918 #381376
  - From: Loïc Minier <lool@dooz.org>
- Re: Bug#381376: Status of CVE-2006-3918 #381376
  - From: Stefan Fritsch <sf@sfritsch.de>

Prev by Date: Bug#386714: apache2: default vhost configuration points to wrong directory
Next by Date: [bts-link] source package apache2
Previous by thread: Re: Bug#381376: Status of CVE-2006-3918 #381376
Next by thread: Bug#384340: apache: postinst fails when ucf isn't installed
Index(es):
- Date
- Thread