[nycbug-talk] Apache Vuln, mod_rewrite

Dan Langille dan at langille.org
Wed Aug 2 13:19:35 EDT 2006


On 2 Aug 2006 at 12:46, Isaac Levy wrote:

> Hi Folks,
> 
> I'm emailing to somewhat gently sound the alarm, there's an esoteric  
> Apache vulnerability which is not getting much attention (and from  
> what I understand, didn't even hit the Apache lists when the patches  
> were released?)
> 
> I went through patching systems this weekend after seeing this story,
> 
> http://isc.sans.org/diary.php?storyid=1523
> 
> Announcements:
> 
> Apache 1.3.37 http://www.apache.org/dist/httpd/Announcement1.3.html
> Apache 2.0.59 http://www.apache.org/dist/httpd/Announcement2.0.html
> Apache 2.2.3  http://www.apache.org/dist/httpd/Announcement2.2.html
> 
> --
> Thing is, today this hit undeadly, indeed a fine publication online-  
> but a far cry from what I'd consider 'sane channels' for breaking  
> security vulnerability information.  (i.e. nothing has even yet been  
> posted to 'announce at httpd.apache.org' mailing list)
> 
> With that, this vulnerability is important, (if you use/enable  
> mod_rewrite, or run on systems without ProPolice/SSP stack guards).

The FreeBSD ports tree was patched (at least for www/apache13) on the 
27th:
  http://www.freshports.org/www/apache13/

Something was added to security/vuxml about this on the 28th:
  http://www.freshports.org/security/vuxml/
  http://www.vuxml.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html  (or http://tinyurl.com/jwa97)

Those with security/portaudit installed would have been notified of 
this issue and urged to upgrade.  It is because of issues such as 
this that I run security/portaudit on all my FreeBSD boxes.

-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php