SCIENTIFIC-LINUX-USERS Archives

August 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Jan Iven <[log in to unmask]>
Date: Thu, 3 Aug 2006 13:03:44 +0200

On Thu, 2006-08-03 at 10:50 +0100, Alan J. Flavell wrote:
> We had a campus alert about the above-mentioned vulnerability 
> CVE-2006-3747, saying that it was already being exploited in the wild.
> 
> I went on a rather confusing trail on this one.  Maybe I had been
> looking in the wrong places, but, just in case it might help others, 
> this is what I found.
> 
> (Our server's OS is anyway targeted to be updated soon, but for
> the moment it's still running SL303).

(doesn't matter, SL4 has a similar issue)

..
> But of course RH do not install new versions.  Rather, they back-port
> the fix to the version which came with the RHEL release version, and
> append a suffix to the RPM name (but not to the server banner).

(yes, we've griped about this but they don't want to change this).
 
> If I query rpm, then I get:
> 
>   httpd-2.0.46-56.ent
> 
> This is at least suggestive that it's associated with version
> 2.0.56 - *not* .59 as required.

No, this (AFAIK) has nothing to do with the apache release; it is just
the 59th version they have redone the package. As Jarek points out, what
actually got fixed is usually in the RPM changelog.

> After quite a bit of hunting around, I stumbled on this:
> 
> http://lwn.net/Articles/193340/
> 
> which basically says RH had looked at the problem and did not
> consider their server to be vulnerable - consequently they did
> not intend to distribute an update.
> 
> However, one of the followups is hinting that they might have
> misunderstood how this vulnerability works.
> 
> It does, however, leave open the more general question of how RH 
> should be informing the world about their response to security 
> advisories which are on the public record, but for which their version 
> has been rated as safe. At the moment they seem to be staying quiet, 
> which may be at least one excuse that I can give for the commotion 
> here.

They preemptively informed their customers that they considered
themselves (and anybody who compiles their apache using their compilers)
not to be vulnerable to this particular issue (they'll still fix it as a
bug). We could still ask them to include a link to their FAQ in the CVE
entry.. and the more people publicly ask for clarification, the more
likely it is that they will consider this.

Regards
jan
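Jan's point above, that the RPM release suffix is the packager's rebuild counter and says nothing about the upstream Apache version, while a backported fix shows up in the RPM changelog, can be checked mechanically. The shell snippet below is an added example, not part of the thread: it splits the quoted NVR into its parts and looks for the CVE id in a changelog dump. The changelog text is constructed and its release numbers are placeholders; on a real host the dump comes from `rpm -q --changelog httpd`.

```shell
#!/bin/sh
# Added example, not from the list thread.
# 1) Split an RPM NVR such as "httpd-2.0.46-56.ent" into name/version/release.
#    The release ("56.ent") is the distro's rebuild counter, not an Apache version.
# 2) Check a changelog dump for a CVE id. On a real host the dump comes from:
#      rpm -q --changelog httpd

nvr_name()    { printf '%s\n' "$1" | sed 's/-[^-]*-[^-]*$//'; }
nvr_version() { printf '%s\n' "$1" | sed 's/^.*-\([^-]*\)-[^-]*$/\1/'; }
nvr_release() { printf '%s\n' "$1" | sed 's/^.*-//'; }

# Exit status 0 if the changelog text names the CVE, 1 if it does not.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# Constructed sample changelog: the dates, packager and release numbers
# are placeholders, not a record of what Red Hat actually shipped.
SAMPLE_CHANGELOG='* Tue Aug 01 2006 Example Packager <pkg@example.invalid> 2.0.46-NN.ent
- add backported fix for CVE-2006-3747
* Mon Jan 02 2006 Example Packager <pkg@example.invalid> 2.0.46-56.ent
- rebuild'

# Print what the NVR actually tells you, then whether the fix is recorded.
report() {
    nvr="$1"; cve="$2"; changelog="$3"
    echo "package : $(nvr_name "$nvr")"
    echo "version : $(nvr_version "$nvr")  (upstream release)"
    echo "release : $(nvr_release "$nvr")  (distro rebuild counter, not upstream)"
    if changelog_mentions_cve "$changelog" "$cve"; then
        echo "$cve : mentioned in changelog"
    else
        echo "$cve : NOT mentioned in changelog"
    fi
}

report httpd-2.0.46-56.ent CVE-2006-3747 "$SAMPLE_CHANGELOG"
```

A changelog entry is the packager's statement that a fix was backported; where the vendor has rated its build as not affected, as the thread discusses, no such entry will appear and the vendor's advisory or FAQ is the only record.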
