SCIENTIFIC-LINUX-USERS Archives

August 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Stephen John Smoogen <[log in to unmask]>
Reply To: Stephen John Smoogen <[log in to unmask]>
Date: Thu, 3 Aug 2006 13:24:02 -0600
Content-Type: text/plain
Parts/Attachments: text/plain (58 lines)
On 8/3/06, Jan Iven <[log in to unmask]> wrote:
> On Thu, 2006-08-03 at 10:50 +0100, Alan J. Flavell wrote:
> > We had a campus alert about the above-mentioned vulnerability
> > CVE-2006-3747, saying that it was already being exploited in the wild.
> >
..

..
> > But of course RH do not install new versions.  Rather, they back-port
> > the fix to the version which came with the RHEL release version, and
> > append a suffix to the RPM name (but not to the server banner).
>
> (yes, we've griped about this but they don't want to change this).
>

Red Hat probably won't change it because it is not in their interest
to. The purpose of Enterprise Linux is supposed to be a pretty
static distribution, one where a vendor knows that ABI/API changes should be
minor and only occur in updates. The banks, stock exchanges, etc. that,
from what I can tell, are the primary money pushers have always wanted
that (I remember a meeting where some Fortune 50 company wanted RHL
4.2 supported until 2007 with only security fixes backported, like they
could get from AIX, HP-UX, etc.).

I am figuring that the change from Mozilla to Seamonkey must have been
a rancorous debate where a lot of assurances (monetary) had to be
given.


> > It does, however, leave open the more general question of how RH
> > should be informing the world about their response to security
> > advisories which are on the public record, but for which their version
> > has been rated as safe. At the moment they seem to be staying quiet,
> > which may be at least one excuse that I can give for the commotion
> > here.
>
> They preemptively informed their customers that they considered
> themselves (and anybody who compiles their apache using their compilers)
> not to be vulnerable to this particular issue (they'll still fix it as a
> bug). We could still ask them to include a link to their FAQ in the CVE
> entry.. and the more people publically ask for clarification, the more
> likely is that they will consider this.
>

They also gave their information to MITRE so that people who got the
MITRE CVE release would know that RH thought it was not vulnerable due
to XYZ reasons.


> Regards
> jan
>


-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator
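The thread's practical point is that on a backporting distribution the server banner still shows the original upstream version, so the banner cannot tell you whether CVE-2006-3747 is fixed; the package changelog can. The script below is an added example, not code from this list or from Red Hat: it reads a changelog in the format `rpm -q --changelog` prints and reports the package release whose entry names the CVE, alongside the version the banner claims. The changelog entry, packager name, release numbers and `Server:` header are all constructed for the example and are not real Red Hat package data.

```shell
#!/bin/sh
# Constructed sample of `rpm -q --changelog httpd` output on a host that
# received a backported fix. Hypothetical entries, not a real changelog.
SAMPLE_CHANGELOG='* Tue Aug 01 2006 Example Packager <packager@example.com> 2.0.52-28.ent
- add security fix for CVE-2006-3747 (mod_rewrite off-by-one)

* Mon May 01 2006 Example Packager <packager@example.com> 2.0.52-27.ent
- fix unrelated bug'

# Constructed sample of the Server: header the same host returns; note the
# version does not change when a fix is backported.
SAMPLE_BANNER='Server: Apache/2.0.52 (Red Hat)'

# banner_version HEADER
# Prints the upstream version number from an Apache Server: header.
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^Server: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# changelog_fixes CHANGELOG CVE
# Prints the package release (EVR) of every changelog entry that mentions CVE,
# newest first; exits 1 when no entry does.
changelog_fixes() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* / { release = $NF }                      # entry header: last field is the EVR
        index($0, cve) > 0 && release != "" { print release; found = 1 }
        END { exit found ? 0 : 1 }'
}

# audit_cve BANNER CHANGELOG CVE
# Prints "banner=<version> fixed=<release>" when the changelog records the
# CVE, "banner=<version> fixed=none" otherwise. The banner is shown only
# to make clear that it is the same either way.
audit_cve() {
    ver=$(banner_version "$1")
    if rel=$(changelog_fixes "$2" "$3"); then
        printf 'banner=%s fixed=%s\n' "$ver" "$(printf '%s\n' "$rel" | head -n 1)"
    else
        printf 'banner=%s fixed=none\n' "$ver"
    fi
}

# Run against the constructed samples when executed directly.
audit_cve "$SAMPLE_BANNER" "$SAMPLE_CHANGELOG" CVE-2006-3747
audit_cve "$SAMPLE_BANNER" "$SAMPLE_CHANGELOG" CVE-2099-0001
```

On a real host you would feed `audit_cve` the output of `curl -sI http://host/ | grep '^Server:'` and `rpm -q --changelog httpd`; the banner-based version scanners that triggered the campus alert in this thread look only at the first of those, which is why they flag backported packages as vulnerable.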
