On February 13, 2012 17:28, Murthy Ganti <murthy.ga...@cbsinteractive.com> wrote:
I am trying to find out if one of my Apache installations is vulnerable to CVE-2011-4317 or not. The description of this vulnerability says that this vulnerability exists in "2.2.x through 2.2.21, when the Revision 1179239 patch is in place". My question is how do I determine if this Revision patch is in place or not by looking at the source code for our installation (I have 2.2.17 and 2.2.19 installed)?

If you see the following lines (the ones in green in the right-hand column) in the file server/protocol.c then the revision 1179239 patch is in place: https://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?r1=1178566&r2=1179239&pathrev=1179239&diff_format=h

The most likely situation in which this would be the case is if you are using a version of Apache HTTP Server that is patched for you by an upstream distributor and you upgraded to a version in which the distributor back-ported the fix for CVE-2011-3368 but you did not upgrade to a version in which the distributor back-ported the fix for CVE-2011-4317.

Or, this could arise if you compile 2.2.17 or 2.2.19 from source yourself and you patched the source to fix CVE-2011-3368 thus creating the vulnerability described in CVE-2011-4317 but you did not apply the patch to fix CVE-2011-4317 for some reason, despite applying other fixes.

--
  Mark Montague
  m...@catseye.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.