--- Roger Peña <orkcu at yahoo.com> wrote:

> --- Johnny Hughes <mailing-lists at hughesjr.com> wrote:
>
> > On Fri, 2007-03-02 at 09:39 -0800, Roger Peña wrote:
> > > --- Roger Peña <orkcu at yahoo.com> wrote:
> > >
> > > > As this bugtrack says, "binaries from redhat" are not
> > > > vulnerable, but what happens to recompilations?
> > > >
> > > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200219
> > > >
> > > > I understand that it is the compilation process that
> > > > makes this bug not exploitable, and not the source code.
> > > > So, the question is: is the httpd binary from centos
> > > > exploitable?
> > > >
> > > > I could not find any reference on the web about this
> > > > topic. Maybe I should ask in the centos-users mailing
> > > > list, but because it is a compilation thing ..... I
> > > > guess the centos developers are the right ones to answer.
> > >
> > > sorry, I forgot to mention that I did test the
> > > following "proof of concept" test:
> > >
> > > http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded
> > >
> > > and httpd-2.0.52-28.ent.centos4 gives the "302 Found"
> > > page, so at least with that test I could not prove
> > > whether it is vulnerable or not.
> >
> > If it did do a "302 Found" ... then it is not vulnerable:
> >
> > from the article:
> >
> > "If your web server doesn't reply you with a '302 Found' page or a
> > Segmentation Fault appears in your error_log, an apache child has
> > crashed and your web server is vulnerable and exploitable."
> >
> > So a 302 found is good.
>
> yes, I know it is good
>
> but I can't see why this is a sufficient condition to
> say "not vulnerable"
> of course, what I can see is that if I get another
> page or trigger a fault then I can say "it is
> vulnerable"
>
> but, I am not saying that the centos binaries are
> vulnerable!!! just that I can't find an explanation
> to say "not vulnerable" because upstream is not.
>
> also, I have not had the time yet to verify what
> the following fix to mod_rewrite is:
>
> * Tue Jun 20 2006 Joe Orton <jorton at redhat.com> 2.0.52-26.ent
> - add mod_rewrite ldap scheme handling fix
>
> does anybody know if this is the source code fix to
> this vulnerability (backported)?
> the date of this fix is before the date of the redhat
> bugtrack and before the CVE assignment (20060720),
> so it looks unrelated, but I could be wrong...

well, it looks like a patch to the vulnerability, without seeing the
source code yet, from the release changelog for httpd-2.0.59:

  Changes with Apache 2.0.59

    *) SECURITY: CVE-2006-3747 (cve.mitre.org)
       mod_rewrite: Fix an off-by-one security problem in the ldap scheme
       handling.  For some RewriteRules this could lead to a pointer being
       written out of bounds.  Reported by Mark Dowd of McAfee.
       [Mark Cox]

I guess Joe Orton from redhat released a patch a month before the public
disclosure of the vulnerability, or just made a mistake (typo) when
writing the redhat httpd changelog ;-)

so, right now I can "rest in peace" knowing that centos is not
vulnerable because it has the fix (until somebody says the contrary :-) ) ;-)

thanks anyway johnny
I was in a hurry tracking down this for a client

cu
roger

__________________________________________
RedHat Certified Engineer ( RHCE )
Cisco Certified Network Associate ( CCNA )
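A defender-side check for the question this thread circles around, added here as an example and not part of the original mail: instead of relying on the proof-of-concept response, confirm that the installed package's changelog carries the backported entry (the 2.0.52-26.ent line quoted above) and that the installed release is at or above it. The changelog text in the script is a constructed excerpt in `rpm -q --changelog httpd` format; on a real host, pipe that command's output into `fix_release_in_changelog` instead.

```shell
#!/bin/sh
# Added example (not from the thread): verify the backported mod_rewrite
# ldap-scheme fix (CVE-2006-3747) via the RPM changelog rather than a crash test.

# Changelog text the thread identifies as the backport entry.
FIX_TEXT='mod_rewrite ldap scheme handling fix'

# Print the version-release header of the changelog entry carrying the fix
# (changelog text on stdin, in `rpm -q --changelog` format). Exit 1 if absent.
fix_release_in_changelog() {
    awk -v needle="$FIX_TEXT" '
        /^\* /                          { rel = $NF }          # "* <date> <packager> <ver-rel>"
        index(tolower($0), needle) > 0  { print rel; found = 1; exit }
        END                             { exit found ? 0 : 1 }
    '
}

# Return 0 if an installed "2.0.52-<N>..." release is at or above 2.0.52-26.ent,
# the release the thread names as carrying the fix. Any other version returns 1
# (it needs its own changelog check; this only answers the RHEL4/CentOS4 case).
release_has_fix() {
    ver=${1%%-*}          # e.g. 2.0.52
    rel=${1#*-}           # e.g. 28.ent.centos4
    relnum=${rel%%.*}     # e.g. 28
    case $relnum in *[!0-9]*|'') return 1 ;; esac
    if [ "$ver" = "2.0.52" ] && [ "$relnum" -ge 26 ]; then
        return 0
    fi
    return 1
}

# Constructed changelog excerpt (only the 2.0.52-26.ent entry is from the thread).
SAMPLE_CHANGELOG='* Mon Jan 01 2007 packager <nobody at example.com> 2.0.52-28.ent
- constructed placeholder entry

* Tue Jun 20 2006 Joe Orton <jorton at redhat.com> 2.0.52-26.ent
- add mod_rewrite ldap scheme handling fix

* Mon Jan 01 2006 packager <nobody at example.com> 2.0.52-25.ent
- constructed placeholder entry'

# Stand-alone run: report where the fix entered and whether sample releases have it.
if where=$(printf '%s\n' "$SAMPLE_CHANGELOG" | fix_release_in_changelog); then
    echo "fix entered in $where"
fi
for r in 2.0.52-28.ent.centos4 2.0.52-25.ent; do
    release_has_fix "$r" && echo "$r: fixed" || echo "$r: NOT fixed"
done
```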