[nycbug-talk] Apache Vuln, mod_rewrite

Isaac Levy ike at lesmuug.org
Wed Aug 2 12:46:20 EDT 2006


Hi Folks,

I'm emailing to somewhat gently sound the alarm: there's an esoteric
Apache vulnerability which is not getting much attention (and from
what I understand, didn't even hit the Apache lists when the patches
were released?)

I went through patching systems this weekend after seeing this story,

http://isc.sans.org/diary.php?storyid=1523

Announcements:

Apache 1.3.37 http://www.apache.org/dist/httpd/Announcement1.3.html
Apache 2.0.59 http://www.apache.org/dist/httpd/Announcement2.0.html
Apache 2.2.3  http://www.apache.org/dist/httpd/Announcement2.2.html

--
Thing is, today this hit undeadly, indeed a fine publication online,
but a far cry from what I'd consider 'sane channels' for breaking
security vulnerability information.  (i.e. nothing has even yet been
posted to 'announce at httpd.apache.org' mailing list)

With that, this vulnerability is important (if you use/enable
mod_rewrite, or run on systems without ProPolice/SSP stack guards).

Best,
.ike




