Posted to users@tomcat.apache.org by Joe Tomcat <to...@mobile.mp> on 2002/06/19 07:13:00 UTC

Re: FLAWS FOUND IN APACHE

It sounds to me like the only people who need to worry are those who run the 
affected versions on Windows * and on 64 bit systems.  For most of us who run 
on 32 bit systems on Linux/*BSD/Unix, we don't need to worry, right?

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: FLAWS FOUND IN APACHE

Posted by Nikola Milutinovic <Ni...@ev.co.yu>.
> I think the httpd.apache pages show an update already available
> (1.3.26/2.0.39). Am I mis-reading that?

I'm downloading it as we speak.

Nix.

Re: FLAWS FOUND IN APACHE

Posted by Joel Rees <jo...@alpsgiken.gr.jp>.
Nikola Milutinovic iwaku,

> Anyway, a buffer overflow always adds a question mark, so until there is a new Apache release, be on the lookout.

I think the httpd.apache pages show an update already available
(1.3.26/2.0.39). Am I mis-reading that?

(ISS's patch is said to be insufficient.)

-- 
Joel Rees <jo...@alpsgiken.gr.jp>




Re: FLAWS FOUND IN APACHE

Posted by Nikola Milutinovic <Ni...@ev.co.yu>.
> > It sounds to me like the only people who need to worry are those who run the 
> > affected versions on Windows * and on 64 bit systems.  For most of us who run 
> > on 32 bit systems on Linux/*BSD/Unix, we don't need to worry, right?
> 
> Not exactly. The bug has been reproduced on Windows and some 64-bit UNIX platforms.
> It doesn't mean that it doesn't exist on 32-bit UNIX versions. It could be so, but until we
> hear from guys at RedHat and other Linux distros, we will not know for sure.
> 
> Anyway, a buffer overflow always adds a question mark, so until there is a new Apache release, be on the lookout.

I've just re-read Apache's explanation:

----
In Apache 1.3 the issue causes a stack overflow.  Due to the nature of the
overflow on 32-bit Unix platforms this will cause a segmentation violation
and the child will terminate.  However on 64-bit platforms the overflow
can be controlled and so for platforms that store return addresses on the
stack it is likely that it is further exploitable. This could allow
arbitrary code to be run on the server as the user the Apache children are
set to run as.  We have been made aware that Apache 1.3 on Windows is
exploitable in a similar way as well.
----

Luckily, I'm running 2.0.36 (on a 64-bit platform), so the worst thing would be a denial of service. Since it is on the intranet, should I see signs of Apache dying, somebody better be dead >:-)

Nix.


Re: FLAWS FOUND IN APACHE

Posted by Nikola Milutinovic <Ni...@ev.co.yu>.
> It sounds to me like the only people who need to worry are those who run the 
> affected versions on Windows * and on 64 bit systems.  For most of us who run 
> on 32 bit systems on Linux/*BSD/Unix, we don't need to worry, right?

Not exactly. The bug has been reproduced on Windows and some 64-bit UNIX platforms. It doesn't mean that it doesn't exist on 32-bit UNIX versions. It could be so, but until we hear from guys at RedHat and other Linux distros, we will not know for sure.

Anyway, a buffer overflow always adds a question mark, so until there is a new Apache release, be on the lookout.

Nix.