Has anybody verified this? Is there any time frame for us to expect an updated apache.deb on security.d.o?
The notice from iss.net shows a 1 line patch to the http_protocol.c file, but a previous message in this thread says it might not/doesn't fix the problem.
Is this where the fix needs to be? I would be happy to get that snippet from cvs and whip up my own apache.deb until there is an official security release.
Thanks for any info. Loren At 05:18 AM 6/18/2002 -0500, David Stanaway wrote:
On Tue, 2002-06-18 at 04:07, Wichert Akkerman wrote: > Previously Timm Gleason wrote: > > I looked through the changelogs and the changelog.Debian files, but > > couldn't conclusively decide if the current vulnerability in Apache has > > been taken care of or not. Anyone else know? > > Yes, it's not fixed yet. > according to Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE> on bugtraq, > 3) Casting to unsigned int does not help that much if the variable in > question is a long. > > The Apache CVS repository now seems contain a correct patch. -- David Stanaway
-- To UNSUBSCRIBE, email to debian-security-request@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org