[nycbug-talk] Apache Vuln, mod_rewrite
Dan Langille
dan at langille.org
Wed Aug 2 13:19:35 EDT 2006
On 2 Aug 2006 at 12:46, Isaac Levy wrote:
> Hi Folks,
>
> I'm emailing to somewhat gently sound the alarm, there's an esoteric
> Apache vulnerability which is not getting much attention (and from
> what I understand, didn't even hit the Apache lists when the patches
> were released?)
>
> I went through patching systems this weekend after seeing this story,
>
> http://isc.sans.org/diary.php?storyid=1523
>
> Announcements:
>
> Apache 1.3.37 http://www.apache.org/dist/httpd/Announcement1.3.html
> Apache 2.0.59 http://www.apache.org/dist/httpd/Announcement2.0.html
> Apache 2.2.3 http://www.apache.org/dist/httpd/Announcement2.2.html
>
> --
> Thing is, today this hit undeadly, indeed a fine publication online -
> but a far cry from what I'd consider 'sane channels' for breaking
> security vulnerability information. (i.e. nothing has even yet been
> posted to the 'announce at httpd.apache.org' mailing list)
>
> With that, this vulnerability is important, (if you use/enable
> mod_rewrite, or run on systems without ProPolice/SSP stack guards).
The FreeBSD ports tree was patched (at least for www/apache13) on the
27th:
http://www.freshports.org/www/apache13/
Something was added to security/vuxml about this on the 28th:
http://www.freshports.org/security/vuxml/
http://www.vuxml.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html (or http://tinyurl.com/jwa97)
Those with security/portaudit installed would have been notified of
this issue and urged to upgrade. It is because of issues such as
this that I run security/portaudit on all my FreeBSD boxes.
--
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php