Can someone clarify for me, please (not directly Debian related, I know, but...) - the patches appear to only be to the chunk-encoding functions in mod_proxy. If mod_proxy isn't loaded, is Apache still vulnerable?

KJL

On Thu, 2002-06-20 at 20:30, Paul Hosking wrote:
> On Wed, 2002-06-19 at 06:57, René Seindal wrote:
>
> > If you use 32 bit machines you are 'only' vulnerable to a DoS attack,
> > not a real compromise of your servers.
>
> Apache version 1.3.24 is vulnerable. The later version 1.3.26 is a
> security fix to this issue and it would seem it shall be available for
> download shortly[1].
>
> It would be worth noting that there has been later evidence to show a
> remote root exploit using this vulnerability[2] as demonstrated with an
> actual exploit against OpenBSD. The source code[3] to the exploit
> includes comments that claim successful testing against Linux 2.4, among
> others.
>
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=150284&repeatmerged=yes
>
> [2] http://online.securityfocus.com/bid/5033/info/
>
> [3] http://downloads.securityfocus.com/vulnerabilities/exploits/apache-scalp.c
>
> --
>
> .: Paul Hosking . [EMAIL PROTECTED]
> .: InfoSec
>
> .: PGP KeyID: 0x42F93AE9
> .: 7B86 4F79 E496 2775 7945 FA81 8D94 196D 42F9 3AE9