
Re: Are current Apache debs affected by new bug?



I believe if you read the debian-devel recent archives... someone already has.


Phil
On Tue, Jun 18, 2002 at 11:33:10AM -0400, Loren Jordan wrote:
> According to the notice on Apache's web site, this is an exploit for a 
> denial of service but not a way to run bogus commands on the exploited 
> machine (for 32 bit machines).
> 
> Has anybody verified this?  Is there any time frame for us to expect an 
> updated apache.deb on security.d.o?
> 
> 
> The notice from iss.net shows a 1 line patch to the http_protocol.c file, 
> but a previous message in this thread says it might not/doesn't fix the 
> problem.
> 
> Is this where the fix needs to be?  I would be happy to get that snippet 
> from cvs and whip up my own apache.deb until there is an official security 
> release.
> 
> Thanks for any info.
> Loren
> 
> 
> At 05:18 AM 6/18/2002 -0500, David Stanaway wrote:
> >On Tue, 2002-06-18 at 04:07, Wichert Akkerman wrote:
> >> Previously Timm Gleason wrote:
> >> > I looked through the changelogs and the changelog.Debian files, but
> >> > couldn't conclusively decide if the current vulnerability in Apache has
> >> > been taken care of or not. Anyone else know?
> >>
> >> Yes, it's not fixed yet.
> >>
> >
> >according to Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE> on bugtraq,
> >> 3) Casting to unsigned int does not help that much if the variable in
> >> question is a long.
> >>
> >> The Apache CVS repository now seems to contain a correct patch.
> >
> >
> >--
> >David Stanaway
> 
> 
> 
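The point quoted above from bugtraq, that casting to unsigned int does not help much when the variable is a long, as an added example that is not part of the thread and not Apache's code. It assumes a platform where long is 64 bits and unsigned int is 32 bits, modelled here with `int64_t` and `uint32_t`; the function names, `BUFSIZE` and the sample values are constructed for illustration.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUFSIZE 8192 /* constructed buffer size */

/* Hypothetical clamp guarded only by a cast: the comparison sees just the
 * low 32 bits, so the sign and the upper half of the value are ignored. */
static int64_t clamp_with_cast(int64_t remaining, size_t bufsiz)
{
    return ((uint32_t)remaining > bufsiz) ? (int64_t)bufsiz : remaining;
}

/* Full-width check: refuse negative lengths, then clamp to the buffer.
 * Returns -1 when the length must be refused. */
static int64_t clamp_checked(int64_t remaining, size_t bufsiz)
{
    if (remaining < 0)
        return -1;
    return ((uint64_t)remaining > bufsiz) ? (int64_t)bufsiz : remaining;
}

/* A result is usable as a copy length only if it fits the buffer. */
static int usable(int64_t n, size_t bufsiz)
{
    return n >= 0 && (uint64_t)n <= bufsiz;
}

int main(void)
{
    /* Constructed inputs: in range, -1, -(2^32), 2^32 + 16. */
    const int64_t samples[] = { 100, -1, -4294967296LL, 0x100000010LL };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t a = clamp_with_cast(samples[i], BUFSIZE);
        int64_t b = clamp_checked(samples[i], BUFSIZE);
        printf("%" PRId64 ": cast -> %" PRId64 " (%s), checked -> %" PRId64 "\n",
               samples[i], a, usable(a, BUFSIZE) ? "fits" : "out of range", b);
    }
    return 0;
}
```

The cast version handles -1 but passes the two 64-bit values through unchanged, because only their low 32 bits are compared against the buffer size.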
