SCIENTIFIC-LINUX-USERS Archives

August 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: "Alan J. Flavell" <[log in to unmask]>
Reply To: Alan J. Flavell
Date: Thu, 3 Aug 2006 10:50:39 +0100
Content-Type: TEXT/PLAIN
Parts/Attachments: TEXT/PLAIN (52 lines)

We had a campus alert about the above-mentioned vulnerability 
CVE-2006-3747, saying that it was already being exploited in the wild.

I went on a rather confusing trail on this one.  Maybe I had been
looking in the wrong places, but, just in case it might help others, 
this is what I found.

(Our server's OS is anyway targeted to be updated soon, but for
the moment it's still running SL303).

In RHEL / Scientific Linux / and presumably CentOS, version 3.0.3, the
httpd reports an Apache version like so:

  Server: Apache/2.0.46 (Red Hat)

(hmmm - is it allowed to say R** H** in SL???  ;-)

According to Apache themselves, this is first cured in 2.0.59.

But of course RH do not install new versions.  Rather, they back-port
the fix to the version which came with the RHEL release version, and
append a suffix to the RPM name (but not to the server banner).
 
If I query rpm, then I get:

  httpd-2.0.46-56.ent

This is at least suggestive that it's associated with version
2.0.56 - *not* .59 as required.

After quite a bit of hunting around, I stumbled on this:

http://lwn.net/Articles/193340/

which basically says RH had looked at the problem and did not
consider their server to be vulnerable - consequently they did
not intend to distribute an update.

However, one of the followups is hinting that they might have
misunderstood how this vulnerability works.

It does, however, leave open the more general question of how RH 
should be informing the world about their response to security 
advisories which are on the public record, but for which their version 
has been rated as safe. At the moment they seem to be staying quiet, 
which may be at least one excuse that I can give for the commotion 
here.

best regards

-- 
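As an added example (not part of the original post), a small Python check of the point the post makes: neither the Apache banner nor the RPM version string can tell you whether a backported fix is present, so the check has to look at the package changelog, i.e. what `rpm -q --changelog httpd` prints. The changelog text below and the placeholder CVE id in it are constructed for this example, not Red Hat's real changelog.

```python
import re

# Constructed sample inputs (changelog text is invented; CVE-0000-0001 is a placeholder id).
BANNER = "Server: Apache/2.0.46 (Red Hat)"
RPM_NEVR = "httpd-2.0.46-56.ent"
CVE = "CVE-2006-3747"
UPSTREAM_FIXED = "2.0.59"

CHANGELOG_NO_ENTRY = """\
* Mon Jul 10 2006 Example Packager <pkg@example.invalid> 2.0.46-56.ent
- rebuild against updated openssl
* Tue May 02 2006 Example Packager <pkg@example.invalid> 2.0.46-55.ent
- backport fix for CVE-0000-0001 (placeholder id)
"""

# Newest entry first, as rpm prints it.
CHANGELOG_WITH_ENTRY = """\
* Thu Aug 03 2006 Example Packager <pkg@example.invalid> 2.0.46-57.ent
- backport fix for CVE-2006-3747
""" + CHANGELOG_NO_ENTRY


def parse_nevr(nevr):
    """Split 'name-version-release' on the last two hyphens.
    The release field ('56.ent') is the packager's build counter, not an upstream version."""
    name, version, release = nevr.rsplit("-", 2)
    return name, version, release


def banner_version(banner):
    m = re.search(r"Apache/(\d+(?:\.\d+)+)", banner)
    return m.group(1) if m else None


def vtuple(v):
    return tuple(int(p) for p in v.split("."))


def changelog_mentions(changelog, cve):
    return any(cve.lower() in line.lower() for line in changelog.splitlines())


def assess(banner, nevr, changelog, cve, upstream_fixed):
    """Return a verdict: the changelog decides, the banner alone never does."""
    _name, version, _release = parse_nevr(nevr)
    bv = banner_version(banner) or version
    if changelog_mentions(changelog, cve):
        return "fixed-by-backport"
    if vtuple(bv) < vtuple(upstream_fixed):
        return "unconfirmed"   # older than upstream fix and no backport recorded
    return "fixed-upstream"


if __name__ == "__main__":
    print(assess(BANNER, RPM_NEVR, CHANGELOG_NO_ENTRY, CVE, UPSTREAM_FIXED))
    print(assess(BANNER, "httpd-2.0.46-57.ent", CHANGELOG_WITH_ENTRY, CVE, UPSTREAM_FIXED))
```

An "unconfirmed" verdict is the situation the post describes: the only way to resolve it is the vendor's advisory or errata statement, not the version numbers.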
