From: mjc at apache.org (Mark J Cox)
Subject: Re: CSSA-2003-007.0 Advisory withdrawn.


Just to clarify this a bit further, the mod_dav module for Apache is not
vulnerable to the format string vulnerability (as outlined in the original
advisory from SCO, CAN-2002-0842).

mod_dav contains code that logs various errors and uses ap_log_rerror() to
do so.  In mod_dav for Apache, ap_log_rerror is never called with strings
that can be influenced by a remote user.

Now Oracle added code to their version of mod_dav to log gateway errors,
but gateway errors contain strings that can be controlled by a remote
user.  Therefore Oracle was vulnerable to a format string issue, but no
base release of Apache with mod_dav was vulnerable.

We did some research this morning after SCO released their advisory.  
According to their ftp site SCO shipped OpenLinux with a standard copy of
mod_dav which was not vulnerable to this format string issue.  Their
advisory, CSSA-2003-007.0, referenced new packages where they added a patch
which, unfortunately, added in code to log gateway errors and contained
a format string vulnerability.

Thanks, Mark 






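The two logging call styles the message above distinguishes, as an added example that is not part of the original post and is not Apache, Oracle or SCO code. `log_fmt` is a hypothetical stand-in for a printf-style logger such as ap_log_rerror(), and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logger: fmt is interpreted as a
 * format string. It renders into out so the logged text can be inspected. */
static int log_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: remote-influenced text is passed as the format itself.
 * This demo only feeds it "%%", the one directive that takes no argument;
 * any other directive would read arguments that were never passed. */
int log_gateway_error_unsafe(char *out, size_t outsz, const char *remote_text)
{
    return log_fmt(out, outsz, remote_text);
}

/* Fixed pattern: constant format string, remote text is only ever data. */
int log_gateway_error_safe(char *out, size_t outsz, const char *remote_text)
{
    return log_fmt(out, outsz, "%s", remote_text);
}

/* Returns 1 when the two call styles log different text for the same input,
 * meaning the unsafe call interpreted the input instead of recording it. */
int input_was_interpreted(const char *remote_text)
{
    char a[256], b[256];
    log_gateway_error_unsafe(a, sizeof a, remote_text);
    log_gateway_error_safe(b, sizeof b, remote_text);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed gateway error text containing two literal '%' characters. */
    const char *sample = "502 from upstream: load 100%% exceeded";
    printf("interpreted: %d\n", input_was_interpreted(sample));
    return 0;
}
```

When a logger is declared with GCC's `format(printf, ...)` attribute, building with `-Wformat -Wformat-security` flags calls like the unsafe one at compile time.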

