[plug] Red Hat Linux v8.0 query
Paul Dean
paul at thecave.ws
Thu Feb 13 16:05:38 WST 2003
Hya Brett,
Here is the last RH Advisory about Apache:

RHSA-2002:222-21

Buffer overflows in the ApacheBench support program (ab.c) in Apache
versions prior to 1.3.27, and Apache versions 2.x prior to 2.0.43, allow
a malicious Web server to cause a denial of service (DoS) and possibly
execute arbitrary code via a long response. The Common Vulnerabilities
and Exposures project has assigned the name CAN-2002-0843 to this issue.

Two cross-site scripting (XSS) vulnerabilities are present in the error
pages for the default "404 Not Found" error and for the error response
when a plain HTTP request is received on an SSL port. Both of these
issues are only exploitable if the "UseCanonicalName" setting has
been changed to "Off", and wildcard DNS is in use.
These issues could allow remote attackers to execute scripts as
other webpage visitors, for instance, to steal cookies.
These issues affect versions of Apache 1.3 before 1.3.26,
versions of Apache 2.0 before 2.0.43, and versions of mod_ssl before
2.8.12. (CAN-2002-0840, CAN-2002-1157)

RH released package updates on 2002-11-25, and the advisory was released
on 2002-12-12.

iiNet, Planetmirror, Aarnet all have the updates on their mirrors.

HTH.

Thanks...
On Thu, 13 Feb 2003, Bret Busby wrote:
>
> I had been advised that RH Linux v8.0 itself is okay, but that the
> included Apache (v2.0, I believe) is broken.
>
> Can someone please clarify this, and, advise whether, if the Apache
> is/was broken, the Apache has been fixed?
>
> Thanks in anticipation.
>
>
--
Paul...
/***** Experience is that marvelous thing that enables you to
recognize a mistake when you make it again.
-- Franklin P. Jones *****/
/*****All programmers are playwrights and all computers are lousy actors.
-- Unknown*****/
/* How smart are Computers? They seem to need instructions all the time...
-- Me */
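A small audit helper for the question in this thread, added here as an example; it is not part of the original post or of Red Hat's advisory. It takes a constructed `httpd -v` style banner and a constructed httpd.conf fragment, compares the Apache and mod_ssl version numbers with the fixed releases named in the advisory text above, and reports whether the "UseCanonicalName Off" precondition for the error-page XSS is present. The sample inputs, thresholds table and all function names are the example's own.

```python
import re

# Thresholds taken from the RHSA-2002:222 text quoted above: the ab.c overflow
# is fixed in 1.3.27 / 2.0.43, the error-page XSS in 1.3.26 / 2.0.43, and the
# mod_ssl XSS in mod_ssl 2.8.12.  Per branch, the lowest upstream version that
# carries every fix (assumption: upstream numbering, not vendor backports).
APACHE_FIXED = {(1, 3): (1, 3, 27), (2, 0): (2, 0, 43)}
MOD_SSL_FIXED = (2, 8, 12)

VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
MOD_SSL_RE = re.compile(r"mod_ssl/(\d+)\.(\d+)\.(\d+)")
DIRECTIVE_RE = re.compile(r"^\s*UseCanonicalName\s+(\S+)", re.IGNORECASE)

# Constructed sample inputs (not taken from any real host).
SAMPLE_BANNER = "Server version: Apache/2.0.40 (Unix)"
SAMPLE_CONFIG = """# constructed httpd.conf fragment
ServerName www.example.com
UseCanonicalName Off
<VirtualHost *>
    ServerName vhost.example.com
    # UseCanonicalName On
</VirtualHost>
"""


def parse_apache_version(banner):
    """Extract (major, minor, patch) from 'httpd -v' style output, or None."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def apache_needs_update(version):
    """True if the version predates the fully fixed release for its branch.
    Branches the advisory does not mention return False (unknown, not safe)."""
    fixed = APACHE_FIXED.get(version[:2])
    return fixed is not None and version < fixed


def mod_ssl_needs_update(banner):
    """True if a mod_ssl/x.y.z token in the banner is older than 2.8.12."""
    m = MOD_SSL_RE.search(banner)
    if not m:
        return False
    return tuple(int(x) for x in m.groups()) < MOD_SSL_FIXED


def canonical_name_off_lines(config_text):
    """Line numbers where UseCanonicalName is set to Off; commented lines are
    skipped.  Apache lets the last directive in a context win, so every
    occurrence is reported for manual review rather than resolved here."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if m and m.group(1).lower() == "off":
            hits.append(lineno)
    return hits


def assess(banner, config_text):
    """Combine the version checks and the configuration check into one report."""
    version = parse_apache_version(banner)
    needs_update = version is not None and apache_needs_update(version)
    off_lines = canonical_name_off_lines(config_text)
    return {
        "version": version,
        "apache_needs_update": needs_update,
        "mod_ssl_needs_update": mod_ssl_needs_update(banner),
        # The error-page XSS additionally needs wildcard DNS, which a config
        # file cannot show; the ab.c overflow is not gated by this setting.
        "xss_precondition_present": needs_update and bool(off_lines),
        "usecanonicalname_off_lines": off_lines,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_BANNER, SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

The version comparison is only meaningful against upstream numbering: a vendor package that backports the fix keeps the old upstream version string, so on a Red Hat system the package release from the errata advisory is the thing to compare, not the banner. The configuration check is the part that still carries information either way, since "UseCanonicalName Off" is the setting the advisory names as the precondition for the XSS.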