On Thu, 2006-08-03 at 10:50 +0100, Alan J. Flavell wrote:
> We had a campus alert about the above-mentioned vulnerability
> CVE-2006-3747, saying that it was already being exploited in the wild.
>
> I went on a rather confusing trail on this one. Maybe I had been
> looking in the wrong places, but, just in case it might help others,
> this is what I found.
>
> (Our server's OS is anyway targeted to be updated soon, but for
> the moment it's still running SL303).
(doesn't matter, SL4 has a similar issue)
..
> But of course RH do not install new versions. Rather, they back-port
> the fix to the version which came with the RHEL release version, and
> append a suffix to the RPM name (but not to the server banner).
(yes, we've griped about this but they don't want to change this).
> If I query rpm, then I get:
>
> httpd-2.0.46-56.ent
>
> This is at least suggestive that it's associated with version
> 2.0.56 - *not* .59 as required.
No, this (AFAIK) has nothing to do with the apache release, it is just
the 59th version they have redone the package. As Jarek points out, what
actually got fixed is usually in the RPM changelog.
> After quite a bit of hunting around, I stumbled on this:
>
> http://lwn.net/Articles/193340/
>
> which basically says RH had looked at the problem and did not
> consider their server to be vulnerable - consequently they did
> not intend to distribute an update.
>
> However, one of the followups is hinting that they might have
> misunderstood how this vulnerability works.
>
> It does, however, leave open the more general question of how RH
> should be informing the world about their response to security
> advisories which are on the public record, but for which their version
> has been rated as safe. At the moment they seem to be staying quiet,
> which may be at least one excuse that I can give for the commotion
> here.
They preemptively informed their customers that they considered
themselves (and anybody who compiles their apache using their compilers)
not to be vulnerable to this particular issue (they'll still fix it as a
bug). We could still ask them to include a link to their FAQ in the CVE
entry.. and the more people publicly ask for clarification, the more
likely it is that they will consider this.
Regards
jan
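Jan's point above (the `-56` is the package's own release number, not the Apache version, and the backported fixes are recorded in the RPM changelog) can be checked from a shell. The following is an added example and not part of the original thread: the changelog text it parses is constructed here for illustration and is not real RHEL output, and the function names are my own. The `rpm -q --changelog` call is the real query; the helper that wraps it falls back to "unknown" when `rpm` is not installed, so the script can run anywhere.

```shell
# Added example, not part of the original thread.
# Constructed sample changelog text; NOT real output from any RHEL/SL package.
SAMPLE_CHANGELOG='* Wed Aug 02 2006 Example Maintainer <maintainer@example.invalid> 2.0.46-56.ent
- add security fix for CVE-2006-3747
* Mon Jan 09 2006 Example Maintainer <maintainer@example.invalid> 2.0.46-54.ent
- rebuild'

# rpm_nevr_version NAME-VERSION-RELEASE -> upstream version part
# e.g. httpd-2.0.46-56.ent -> 2.0.46 (the Apache release actually shipped)
rpm_nevr_version() {
  nv=${1%-*}          # strip "-RELEASE"
  printf '%s\n' "${nv##*-}"
}

# rpm_nevr_release NAME-VERSION-RELEASE -> packager's release part
# e.g. httpd-2.0.46-56.ent -> 56.ent (a rebuild counter, not an Apache version)
rpm_nevr_release() {
  printf '%s\n' "${1##*-}"
}

# changelog_mentions_cve CHANGELOG_TEXT CVE_ID
# returns 0 if the CVE id appears anywhere in the changelog text, 1 otherwise
changelog_mentions_cve() {
  printf '%s\n' "$1" | grep -q -F -- "$2"
}

# rpm_cve_status PACKAGE CVE_ID -> prints one of: fixed, not-mentioned, unknown
# "not-mentioned" is NOT proof of exposure: as the thread notes, a vendor may
# consider the package unaffected and ship no changelog entry at all.
rpm_cve_status() {
  pkg=$1; cve=$2
  if ! command -v rpm >/dev/null 2>&1; then
    echo unknown; return 0
  fi
  log=$(rpm -q --changelog "$pkg" 2>/dev/null) || { echo unknown; return 0; }
  if changelog_mentions_cve "$log" "$cve"; then
    echo fixed
  else
    echo not-mentioned
  fi
}

# Stand-alone demonstration against the constructed changelog.
echo "version:  $(rpm_nevr_version httpd-2.0.46-56.ent)"
echo "release:  $(rpm_nevr_release httpd-2.0.46-56.ent)"
if changelog_mentions_cve "$SAMPLE_CHANGELOG" CVE-2006-3747; then
  echo "sample changelog mentions CVE-2006-3747"
fi
echo "live rpm status: $(rpm_cve_status httpd CVE-2006-3747)"
```

On a real host, `rpm_cve_status httpd CVE-2006-3747` runs the actual changelog query; treat "not-mentioned" as "go read the vendor's advisory", not as a verdict either way.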