Reply To: Alan J. Flavell
Date: Thu, 3 Aug 2006 10:50:39 +0100
Content-Type: TEXT/PLAIN

We had a campus alert about the above-mentioned vulnerability
CVE-2006-3747, saying that it was already being exploited in the wild.

I went on a rather confusing trail on this one. Maybe I had been
looking in the wrong places, but, just in case it might help others,
this is what I found.

(Our server's OS is anyway targeted to be updated soon, but for
the moment it's still running SL303).

In RHEL / Scientific Linux / and presumably CentOS, version 3.0.3, the
httpd reports an Apache version like so:

    Server: Apache/2.0.46 (Red Hat)

(hmmm - is it allowed to say R** H** in SL??? ;-)

According to Apache themselves, this is first cured in 2.0.59.
But of course RH do not install new versions. Rather, they back-port
the fix to the version which came with the RHEL release version, and
append a suffix to the RPM name (but not to the server banner).

If I query rpm, then I get:

    httpd-2.0.46-56.ent

This is at least suggestive that it's associated with version
2.0.56 - *not* .59 as required.

After quite a bit of hunting around, I stumbled on this:

    http://lwn.net/Articles/193340/

which basically says RH had looked at the problem and did not
consider their server to be vulnerable - consequently they did
not intend to distribute an update.

However, one of the follow-ups is hinting that they might have
misunderstood how this vulnerability works.

It does, however, leave open the more general question of how RH
should be informing the world about their response to security
advisories which are on the public record, but for which their version
has been rated as safe. At the moment they seem to be staying quiet,
which may be at least one excuse that I can give for the commotion
here.

best regards
--
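Added example, not part of the original message: the confusion above comes from reading the RPM release tag ("56" in httpd-2.0.46-56.ent) as if it were an upstream Apache version, when the Server banner and the version field both stay at 2.0.46 under Red Hat's back-porting practice. The record of which CVEs a vendor has back-ported is the RPM changelog, which is what the script below searches. The changelog text embedded here is constructed sample data (the packager name, dates and entries are invented; only the package name and CVE id come from the message); on a real host you would pipe `rpm -q --changelog httpd` into the same function.

```shell
#!/bin/sh
# Added example: decide whether a vendor-backported fix for a CVE is
# recorded in an RPM package's changelog, and split an RPM
# name-version-release string so the release tag is not mistaken for
# an upstream version number.

# Constructed sample changelog, standing in for the output of
# `rpm -q --changelog httpd`. Not real Red Hat changelog text.
sample_changelog() {
    cat <<'EOF'
* Mon Jul 31 2006 Example Packager <packager@example.invalid> 2.0.46-56.ent
- add security fix for CVE-2006-3747 (mod_rewrite off-by-one)
* Wed Mar 01 2006 Example Packager <packager@example.invalid> 2.0.46-55.ent
- add security fix for CVE-2005-3352
EOF
}

# cve_in_changelog CVE-ID  (changelog text on stdin)
# Exit status 0 if the CVE id is mentioned anywhere, 1 if it is not.
# Absence is not proof of vulnerability: the vendor may have rated the
# package unaffected, as the LWN article in the message describes.
cve_in_changelog() {
    grep -q -- "$1"
}

# nvr_split NAME-VERSION-RELEASE
# Prints "VERSION RELEASE" on one line. For httpd-2.0.46-56.ent that is
# "2.0.46 56.ent": the upstream version is 2.0.46 and 56 is the vendor's
# build counter, not Apache 2.0.56.
nvr_split() {
    nvr="$1"
    release="${nvr##*-}"   # text after the last '-'
    rest="${nvr%-*}"       # everything before the last '-'
    version="${rest##*-}"  # text after the last remaining '-'
    printf '%s %s\n' "$version" "$release"
}

# Demonstration against the constructed changelog. On a live system:
#   rpm -q --changelog httpd | cve_in_changelog CVE-2006-3747 \
#       && echo "fix listed in changelog"
nvr_split "httpd-2.0.46-56.ent"
if sample_changelog | cve_in_changelog CVE-2006-3747; then
    echo "CVE-2006-3747: fix listed in changelog"
else
    echo "CVE-2006-3747: not mentioned in changelog"
fi
```

The Server banner is deliberately not consulted: a back-ported package keeps the banner of the original version, so `Apache/2.0.46` tells you nothing either way about CVE-2006-3747.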