
Re: [cobalt-developers] Fwd: CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability



jale@xxxxxxxxxx wrote:

> Since the previous message mentioned this, I thought I would pass it on for
> those who need to know these things. It's sometimes nice to have a brother
> who is a criminal defense attorney who tracks these things for me :)

This vulnerability does NOT appear to affect Cobalt RaQs... keep
reading...

>II. Impact
>
>For Apache versions 1.3 through 1.3.24 inclusive, this vulnerability
>may allow the execution of arbitrary code by remote attackers. Several
>sources have reported that this vulnerability can be used by intruders
>to execute arbitrary code on Windows platforms. Additionally, the
>Apache Software Foundation has reported that a similar attack may
>allow the execution of arbitrary code on 64-bit UNIX systems.

Our systems are neither running Windows nor are they running 64-bit Unix
or Linux.

I got a kick out of this paragraph:

>Please note that Apache Server, and all Linux Affinity software, is
>offered on an "as-is" basis. IBM does not own the source code for this
>software, nor has it developed and fully tested this code. IBM does
>not support these software packages.

Boy, their advertising and this disclaimer are sure different <smile>.

>At the same time users of the Red Hat
>Network will be able to update their systems using the 'up2date' tool.

The Red Hat Network is great <smile>, but you can't use it with RaQs
<frown>.

Jeff
-- 
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net, P. O. Box 52672, Riverside, CA  92517
voice: +1 909 778-9980  *  fax: +1 909 548-9484