Re: Apache Exploit Released - where is an update for Woody?

["Ian D. Stewart" <idstewart@compuvative.com>]

On 2002.06.20 22:02 Derrick 'dman' Hudson wrote:
> On Thu, Jun 20, 2002 at 01:58:23PM -0500, Gary Turner wrote:
> | On Thu, 20 Jun 2002 12:04:40 -0500, Derrick 'dman' Hudson wrote:
> |
> | >On Thu, Jun 20, 2002 at 01:29:04PM +1000, John wrote:
> | <snip>
> | >Nonetheless, the DSA says it affects 64-bit architectures.  It
> sounds
> | >like if you're not using a 64-bit system (eg SPARC or ia64) then
> you
> | >aren't vulnerable.
> |
> | From Linux Weekly News http://lwn.net 6/20/02
> |
> | "Note also that an exploit for 32-bit systems has been posted. It
> was
> | originally stated that 32-bit systems were not vulnerable to
> | remote exploits, but that claim has been demonstrated to be false.
> Given
> | the nature of this vulnerability, anybody running an Apache
> | server should upgrade sooner rather than later."
>
> Thanks all for the correct details.  Isn't it great when the fix is
> released *before* the worm?

Actually, it wasn't.  This exploit has been reported in the while for 
at least a week.  In fact, from what I understand, there were some hard 
feelings between the Apache Foundation and ISS explicitly because they 
(the Apache Foundation) weren't notified in time to release a patch 
before ISS reported the exploit.


Ian


--
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org