[nycbug-talk] Apache Vuln, mod_rewrite
Isaac Levy
ike at lesmuug.org
Wed Aug 2 12:46:20 EDT 2006
Hi Folks,
I'm emailing to somewhat gently sound the alarm, there's an esoteric
Apache vulnerability which is not getting much attention (and from
what I understand, didn't even hit the Apache lists when the patches
were released?)
I went through patching systems this weekend after seeing this story,
http://isc.sans.org/diary.php?storyid=1523
Announcements:
Apache 1.3.37 http://www.apache.org/dist/httpd/Announcement1.3.html
Apache 2.0.59 http://www.apache.org/dist/httpd/Announcement2.0.html
Apache 2.2.3 http://www.apache.org/dist/httpd/Announcement2.2.html
--
Thing is, today this hit undeadly, indeed a fine publication online-
but a far cry from what I'd consider 'sane channels' for breaking
security vulnerability information. (i.e. nothing has even yet been
posted to 'announce at httpd.apache.org' mailing list)
With that, this vulnerability is important (if you use/enable
mod_rewrite, or run on systems without ProPolice/SSP stack guards).
Best,
.ike