Re: [rhn-users] Where is the Apache 1.3.29 update?
- From: Jim Popovitch <jimpop yahoo com>
- To: rhn-users <rhn-users redhat com>
- Subject: Re: [rhn-users] Where is the Apache 1.3.29 update?
- Date: Fri, 31 Oct 2003 18:39:55 -0500
I found my own answer on the debian-security list. To quote Matt
Wilcox:
___________
We believe that there is no security update required because
intentionally exploiting this vulnerability requires access to
apache's configuration (either http.conf or .htaccess). If a
malicious user has access to those configuration files, they
can do many other Bad Things to apache anyway.
So this is not worth fixing.
In the other case, an admin who unintentionally sets up a rule
that would cause this buffer overflow also seems
terribly unlikely.
"Fix buffer overflows in mod_alias and mod_rewrite which
occurred if one configured a regular expression with more than
9 captures."
Therefore, we believe no security update is warranted.
_________
Based on this text (of a Debian guru I trust) there is no need for
RedHat to provide an update yet.
I hope this helps others; if not, I apologize for wasting bandwidth.
-Jim P.
On Fri, 2003-10-31 at 08:39, Jim Popovitch wrote:
> Is RH going to push an Apache 1.3.29 update anytime soon? According to
> the Apache Software Foundation:
>
> "This version of Apache is principally a bug and security fix
> release."
>
> I think that qualifies it for a PDQ RHN release... If not, can we get an
> explanation on why not? Thanks.
>
> -Jim P.
>
>
> _______________________________________________
> rhn-users mailing list
> rhn-users redhat com
> https://www.redhat.com/mailman/listinfo/rhn-users
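
Added example, not part of the original message and not Apache, Debian or Red Hat code: a Python check that flags mod_alias and mod_rewrite regex directives with more than 9 captures, the condition named in the changelog entry quoted above. The directive list, the simplified group counting, the one-directive-per-line parsing and the sample configuration are assumptions of this example.

```python
import re

# Regex-taking directives of mod_alias and mod_rewrite, mapped to the index
# of the regex argument (assumed list for this example).
REGEX_ARG = {"rewriterule": 0, "rewritecond": 1, "aliasmatch": 0,
             "scriptaliasmatch": 0, "redirectmatch": 0}
REDIRECT_STATUS = {"permanent", "temp", "seeother", "gone"}
MAX_CAPTURES = 9  # limit named in the quoted changelog entry
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\S+')  # one quoted or bare argument

def count_captures(pattern):
    """Count group-opening '(' after dropping escapes and bracket expressions."""
    stripped = re.sub(r"\\.|\[\^?\]?[^\]]*\]", "", pattern)
    return stripped.count("(")

def scan_config(text, source="<config>"):
    """Return (source, line number, directive, captures) for each line over the limit."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = [t[1:-1] if len(t) > 1 and t[0] == t[-1] == '"' else t
                  for t in TOKEN.findall(raw)]
        if not tokens or tokens[0].lower() not in REGEX_ARG:
            continue  # blank line, comment or unrelated directive
        name, args = tokens[0].lower(), tokens[1:]
        idx = REGEX_ARG[name]
        if name == "redirectmatch" and args and (
                args[0].isdigit() or args[0].lower() in REDIRECT_STATUS):
            idx = 1  # optional status argument precedes the regex
        if idx < len(args):
            n = count_captures(args[idx])
            if n > MAX_CAPTURES:
                findings.append((source, lineno, tokens[0], n))
    return findings

# Constructed sample configuration, not taken from any real server.
SAMPLE = r'''
RewriteEngine On
RewriteRule ^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)$ /x/$1 [L]
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$
AliasMatch ^/icons/[()]*\((.*)\)$ /usr/share/icons/$1
RedirectMatch permanent "^/(1)(2)(3)(4)(5)(6)(7)(8)(9)(0)\.html$" http://www.example.com/
'''

if __name__ == "__main__":
    for finding in scan_config(SAMPLE):
        print("%s:%d: %s has %d capture groups" % finding)
```

Pass the contents of httpd.conf and of each .htaccess file to `scan_config`, with the file path as `source`.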