[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-developers] Fwd: CERT Advisory CA-2002-17 Apache Web Server Chunk HandlingVulnerability
- Subject: Re: [cobalt-developers] Fwd: CERT Advisory CA-2002-17 Apache Web Server Chunk HandlingVulnerability
- From: "William L. Thomson Jr." <wlt@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed Jun 19 13:05:16 2002
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
On Wed, 2002-06-19 at 12:26, Jeff Lasman wrote:
> jale@xxxxxxxxxx wrote:
>
> > Since the previous message mentioned this, I thought I would pass it on for
> > those who need to know these things. It's sometimes nice to have a brother
> > who is a criminal defense attorney who tracks these things for me :)
>
> This vulnerability does NOT appear to affect Cobalt RaQs... keep
> reading...
I did and it was somewhat of a confusing alert?
> >II. Impact
> >
> >For Apache versions 1.3 through 1.3.24 inclusive, this vulnerability
> >may allow the execution of arbitrary code by remote attackers. Several
> >sources have reported that this vulnerability can be used by intruders
> >to execute arbitrary code on Windows platforms. Additionally, the
> >Apache Software Foundation has reported that a similar attack may
> >allow the execution of arbitrary code on 64-bit UNIX systems.
>
> Our systems are neither running Windows nor are they running 64-bit unix
> or linux.
>
> I got a kick out of this paragraph:
Yes, but did you read
http://httpd.apache.org/info/security_bulletin_20020617.txt
Which states
In Apache 1.3 the issue causes a stack overflow. Due to the nature of
the
overflow on 32-bit Unix platforms this will cause a segmentation
violation
and the child will terminate.
So if someone wanting to take advantage of the exploit targeted apaches
child threads, and was able to execute fast enough it could restrict or
limit apaches ability to create child threads that will not be destroyed
do to a segmentation fault?
Am I reading this, and thinking wrong? Make sense to me?
> >Please note that Apache Server, and all Linux Affinity software, is
> >offered on an "as-is" basis. IBM does not own the source code for this
> >software, nor has it developed and fully tested this code. IBM does
> >not support these software packages.
>
> Boy, their advertising and this disclaimer are sure different <smile>.
Well there advertising does not say they will warranty open source
software, but I would assume they at least tested it.
Big Blue is big enough, so no excuse can justify them using,
distributing, but not testing open source software?
> >At the same time users of the Red Hat
> >Network will be able to update their systems using the 'up2date' tool.
>
> The Red Hat Network is great <smile>, but you can't use it with RaQs
> <frown>.
Yes, but also why would RedHat release and update if it did not effect
their os implementation of Apache.
Granted that the exploit may not be that extreme on 32-bit Unix
platforms as the others, but I could see Cobalt owners also falling
victim to an exploit if it is not addressed, before the exploiters
address it. :)
> Jeff
> --
> Jeff Lasman <jblists@xxxxxxxxxxxxx>
> Linux and Cobalt/Sun/RaQ Consulting
> nobaloney.net, P. O. Box 52672, Riverside, CA 92517
> voice: +1 909 778-9980 * fax: +1 909 548-9484
>
> _______________________________________________
> cobalt-developers mailing list
> cobalt-developers@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-developers
>
--
Sincerely,
William L. Thomson Jr.
Obsidian-Studios, Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone 707.766.9509
Fax 707.766.8989
http://www.obsidian-studios.com