lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <5.2.0.9.2.20030218131335.02f028b0@pop3.rowe-clan.net>
From: wrowe at rowe-clan.net (William A. Rowe, Jr.)
Subject: Re: CSSA-2003-007.0 Advisory withdrawn.  Re: Security Update:
 [CSSA-2003-007.0] Linux: Apache mod_dav module format string
 vulnerability

At 12:44 PM 2/18/2003, security@...dera.com wrote:

>This update contained a vulnerable version of the mod_dav module. The
>update has been withdrawn, and is no longer available.

It should be pointed out that the mod_dav vulnerability cited is not
a vulnerability present in any publicly and officially distributed releases 
of Apache 2.0.x, <http://httpd.apache.org/>.

I found the original statement in Msg <20030217134528.S10617@....com>

<quote>
   1. Problem Description
        The Apache mod_dav module contains a format string vulnerability
        in the "ap_log_rerror()" function.
</quote>

to be altogether misleading.  Under the terms of the Apache Software
Foundation License rev. 1.1, I ask that Caldera properly identify the 
unmodified software as they wish, but provide the appropriate clarifications 
whenever vendor modifications (esp. security holes) have been introduced, 
to avoid panicking the general community of Apache users.

Bill 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ