--- Roger Peña orkcu@yahoo.com wrote:
--- Johnny Hughes mailing-lists@hughesjr.com wrote:
On Fri, 2007-03-02 at 09:39 -0800, Roger Peña wrote:
--- Roger Peña orkcu@yahoo.com wrote:
As this bugtrack says, "binaries from redhat" are not vulnerable, but what happens to recompilations?
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200219
I understand that it is the compilation process that makes this bug not exploitable and not the source code, so the question is: is the httpd binary from centos exploitable?
I could not find any reference on the web about this topic. Maybe I should ask in the centos-user mailing list, but because it is a compilation thing ..... I guess the centos developers are the right ones to answer.
sorry, I forgot to mention that I did run the following "proof of concept" test:
http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded
and httpd-2.0.52-28.ent.centos4 gives the "302 Found" page, so at least with that test I could not prove whether it is vulnerable or not.
If it did do a "302 Found" ... then it is not vulnerable:
from the article:
"If your web server doesn't reply you with a '302 Found' page or a Segmentation Fault appears in your error_log, an apache child has crashed and your web server is vulnerable and exploitable."
So a 302 found is good.
yes, I know it is good,
but I can't see why this is a sufficient condition to say "not vulnerable". Of course, what I can see is that if I got another page or it made a fault, then I can say "it is vulnerable".
but, I am not saying that the centos binaries are vulnerable!!! just that I can't find an explanation to say "not vulnerable" because upstream is not.
also, I have not had the time yet to verify what the following fix to mod_rewrite is:
- Tue Jun 20 2006 Joe Orton jorton@redhat.com 2.0.52-26.ent
- add mod_rewrite ldap scheme handling fix
does anybody know if this is the source code fix for this vulnerability (backported)? the date of this fix is before the date of the redhat bugtrack and before the CVE assignment (20060720), so it looks unrelated, but I could be wrong...
well, it looks like a patch for the vulnerability, without having seen the source code yet, from the release changelog for httpd-2.0.59:
Changes with Apache 2.0.59
*) SECURITY: CVE-2006-3747 (cve.mitre.org) mod_rewrite: Fix an off-by-one security problem in the ldap scheme handling. For some RewriteRules this could lead to a pointer being written out of bounds. Reported by Mark Dowd of McAfee. [Mark Cox]
I guess Joe Orton from redhat released a patch a month before public disclosure of the vulnerability, or just made a mistake (typo) when writing the redhat httpd changelog ;-)
so, right now I can "rest in peace" knowing that centos is not vulnerable because it has the fix (until somebody says the contrary :-) ) ;-)
thanks anyway johnny I was in a hurry tracking down this for a client
cu roger
__________________________________________ RedHat Certified Engineer ( RHCE ) Cisco Certified Network Associate ( CCNA )
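Added example, not from the thread: the changelog check Roger describes, as a small Python script that parses `rpm -q --changelog httpd`-style output and reports whether an installed version-release is at or above the release whose entry names the backported fix, so the decision rests on the package's own changelog rather than on the upstream version number. The embedded changelog is a constructed sample (only the 2.0.52-26.ent entry text is the one quoted above), and the header regex and the numeric release comparison are my assumptions about the format.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `rpm -q --changelog httpd` output (not real package
# metadata); only the 2.0.52-26.ent entry text is the one quoted in the thread.
SAMPLE_CHANGELOG = """\
* Thu Aug 10 2006 Joe Orton <jorton@redhat.com> 2.0.52-28.ent
- constructed later entry

* Tue Jun 20 2006 Joe Orton <jorton@redhat.com> 2.0.52-26.ent
- add mod_rewrite ldap scheme handling fix

* Mon May 01 2006 Joe Orton <jorton@redhat.com> 2.0.52-25.ent
- constructed earlier entry
"""

# rpm changelog header: "* <weekday> <month> <day> <year> <author> <version-release>"
HEADER_RE = re.compile(
    r"^\* (?P<date>\w{3} \w{3} \d{1,2} \d{4}) (?P<author>.+?) (?P<evr>\S+)$"
)

Entry = Tuple[str, str, str, List[str]]  # (date, author, version-release, items)

def parse_changelog(text: str) -> List[Entry]:
    """Split changelog text into entries; rpm prints the newest entry first."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append((m["date"], m["author"], m["evr"], []))
        elif line.startswith("- ") and entries:
            entries[-1][3].append(line[2:].strip())
    return entries

def release_key(evr: str) -> Tuple[int, ...]:
    """Numeric comparison key for '2.0.52-28.ent.centos4'-style strings (tags ignored)."""
    return tuple(int(n) for n in re.findall(r"\d+", evr))

def fix_release(text: str, keyword: str) -> Optional[str]:
    """Version-release of the oldest entry whose items mention keyword, or None."""
    for _, _, evr, items in reversed(parse_changelog(text)):
        if any(keyword.lower() in item.lower() for item in items):
            return evr
    return None

def installed_has_fix(installed_evr: str, text: str, keyword: str) -> bool:
    """True when the installed release is at or above the one that carries the fix."""
    fixed = fix_release(text, keyword)
    return fixed is not None and release_key(installed_evr) >= release_key(fixed)
```

Against a real system, feed `rpm -q --changelog httpd` output and `rpm -q httpd` as the text and installed release; a keyword match in the changelog is evidence of the backport, not proof that the patch is complete.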