--- Roger Peña <orkcu yahoo.com> wrote:
>
> --- Johnny Hughes <mailing-lists hughesjr.com> wrote:
>
> > On Fri, 2007-03-02 at 09:39 -0800, Roger Peña wrote:
> > > --- Roger Peña <orkcu yahoo.com> wrote:
> > >
> > > > As this bugtrack says "binaries from redhat" are not
> > > > vulnerable, but what happens to recompilations?
> > > >
> > > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200219
> > > >
> > > > I understand that it is the compilation process that
> > > > makes this bug not exploitable and not the source code,
> > > > so the question is:
> > > > is the httpd binary from centos exploitable?
> > > >
> > > > I could not find any reference on the web about this topic.
> > > > Maybe I should ask in the centos-user mailing list,
> > > > but because it is a compilation thing ..... I guess
> > > > centos developers are the right ones to answer.
> > > >
> > > Sorry, I forgot to mention that I did run the
> > > following "proof of concept" test:
> > >
> > > http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded
> > >
> > > and httpd-2.0.52-28.ent.centos4 gives the "302 Found"
> > > page, so at least with that test I could not prove
> > > whether it is vulnerable or not.
> > >
> > If it did do a "302 Found" ... then it is not vulnerable:
> >
> > From the article:
> >
> > "If your web server doesn't reply you with a '302 Found' page or a
> > Segmentation Fault appears in your error_log, an apache child has
> > crashed and your web server is vulnerable and exploitable."
> >
> > So a 302 Found is good.
> >
> Yes, I know it is good.
>
> But I can't see why this is a sufficient condition to say "not
> vulnerable". Of course, what I can see is that if I got another page
> or caused a fault then I can say "it is vulnerable".
>
> But I am not saying that the centos binaries are vulnerable!!! Just
> that I can't find an explanation to say "not vulnerable" because
> upstream is not.
>
> Also, I have not had the time yet to verify what the following fix
> to mod_rewrite is:
>
> * Tue Jun 20 2006 Joe Orton <jorton redhat.com> 2.0.52-26.ent
>
> - add mod_rewrite ldap scheme handling fix
>
> Does anybody know if this is the source code fix to this
> vulnerability (back ported)?
> The date of this fix is before the date of the redhat bugtrack and
> before the CVE assignment (20060720), so it looks unrelated, but I
> could be wrong...
Well, it looks like a patch for the vulnerability, without having seen
the source code yet, judging from the release changelog for httpd-2.0.59:

Changes with Apache 2.0.59

  *) SECURITY: CVE-2006-3747 (cve.mitre.org)
     mod_rewrite: Fix an off-by-one security problem in the ldap scheme
     handling. For some RewriteRules this could lead to a pointer being
     written out of bounds. Reported by Mark Dowd of McAfee.
     [Mark Cox]

I guess Joe Orton from redhat released a patch a month before public
disclosure of the vulnerability, or just made a mistake (typo) when
writing the redhat httpd changelog.

So, right now I can "rest in peace" knowing that centos is not
vulnerable because it has the fix (until somebody says the contrary).

Thanks anyway Johnny.
I was in a hurry tracking this down for a client.

cu
roger
__________________________________________
RedHat Certified Engineer ( RHCE )
Cisco Certified Network Associate ( CCNA )
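The thread's real verification step is not the "302 Found" probe (a request that does not crash the child only shows that one input did not trigger the bug) but Roger's check of the package changelog for the backported mod_rewrite fix. The script below is an added example, not code from the thread or from CentOS/Red Hat: it wraps that changelog check in a function that reads `rpm -q --changelog httpd` output on stdin and reports whether an entry mentions the mod_rewrite ldap scheme fix or CVE-2006-3747. The function name, the grep patterns and the two embedded changelog excerpts are my own constructions, modelled on the entries quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether an installed httpd
# package carries the backported mod_rewrite ldap-scheme fix by scanning
# its RPM changelog. On a real RHEL/CentOS host you would run:
#     rpm -q --changelog httpd | has_ldap_rewrite_fix
# Here constructed changelog excerpts are embedded so the script runs offline.

# Reads a changelog on stdin. Prints "fixed" and returns 0 if an entry
# mentions the mod_rewrite ldap scheme fix (the wording of the Red Hat
# backport entry) or the CVE id used by later changelogs; otherwise prints
# "unknown" and returns 1. "unknown" is deliberate: an empty changelog
# proves nothing either way, only that the packager did not record it.
has_ldap_rewrite_fix() {
    if grep -q -i -E 'mod_rewrite ldap scheme|CVE-2006-3747'; then
        echo fixed
        return 0
    fi
    echo unknown
    return 1
}

# Constructed sample: a changelog that contains the backport entry.
# Maintainer name and address are placeholders, not the real packager's.
SAMPLE_FIXED='* Tue Jun 20 2006 Package Maintainer <maintainer@example.com> 2.0.52-26.ent
- add mod_rewrite ldap scheme handling fix

* Mon May 01 2006 Package Maintainer <maintainer@example.com> 2.0.52-25.ent
- unrelated change (constructed)'

# Constructed sample: an older changelog without the entry.
SAMPLE_OLD='* Mon May 01 2006 Package Maintainer <maintainer@example.com> 2.0.52-25.ent
- unrelated change (constructed)'

# Feed one of the embedded samples through the check; prints fixed/unknown.
check_sample() {
    printf '%s\n' "$1" | has_ldap_rewrite_fix
}

# Stand-alone run: show the verdict for both samples.
for sample in "$SAMPLE_FIXED" "$SAMPLE_OLD"; do
    check_sample "$sample" || true
done
```

The check keys on two strings because the backport entry in the thread predates the CVE assignment and so never mentions the id; a later rebuild may mention only the CVE. A "fixed" verdict is only as reliable as the packager's changelog discipline, so for a locally rebuilt httpd the next step is to diff the applied patches against upstream 2.0.59 rather than trust the changelog alone.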
_______________________________________________
CentOS-devel mailing list
CentOS-devel centos.org
http://lists.centos.org/mailman/listinfo/centos-devel