[plug] Red Hat Linux v8.0 query

Paul Dean paul at thecave.ws
Thu Feb 13 16:05:38 WST 2003


Hya Brett,

Here is the last RH Advisory about Apache:
		
		RHSA-2002:222-21
		Buffer overflows in the ApacheBench support program (ab.c) in Apache
		versions prior to 1.3.27, and Apache versions 2.x prior to 2.0.43, allow
		a malicious Web server to cause a denial of service (DoS) and possibly
		execute arbitrary code via a long response.  The Common Vulnerabilities
		and Exposures project has assigned the name CAN-2002-0843 to this issue.

		Two cross-site scripting (XSS) vulnerabilities are present in the error
		pages for the default "404 Not Found" error and for the error response
		when a plain HTTP request is received on an SSL port. Both of these
		issues are only exploitable if the "UseCanonicalName" setting has
		been changed to "Off", and wildcard DNS is in use.
		These issues could allow remote attackers to execute scripts as
		other webpage visitors, for instance, to steal cookies.
		These issues affect versions of Apache 1.3 before 1.3.26,
		versions of Apache 2.0 before 2.0.43, and versions of mod_ssl before
		2.8.12. (CAN-2002-0840, CAN-2002-1157)
		
RH released package updates on 2002-11-25, and the advisory was released
on 2002-12-12.

iiNet, Planetmirror, Aarnet all have the updates on their mirrors.

HTH.
Thanks...

On Thu, 13 Feb 2003, Bret Busby wrote:

> 
> I had been advised that RH Linux v8.0 itself is okay, but that the 
> included Apache (v2.0, I believe) is broken.
> 
> Can someone please clarify this, and, advise whether, if the Apache 
> is/was broken, the Apache has been fixed?
> 
> Thanks in anticipation.
> 
> 

-- 
Paul...

/***** Experience is that marvelous thing that enables you to 
	recognize a mistake when you make it again. 
	-- Franklin P. Jones *****/

/*****All programmers are playwrights and all computers are lousy actors.
           -- Unknown*****/

/* How smart are Computers? They seem to need instructions all the time... 
	-- Me */
