From: Alan Rouse (ARousen2bb.com)
Date: Thu Jun 20 2002 - 10:53:26 CDT
>> So either they are bluffing or the exploit does exist. I prefer not
>> to assume the former. And I don't exactly consider these folks a
>> third party.
> you're right - this also confused me. I guess they are bluffing...
> So I tried it against different systems and it didn't work.
The comments imply that there is a different exploit for each OS
(different "peculiarity" in each one makes it possible) and they only
released the one for OpenBSD.
Even Apache seems to have believed that it was not exploitable on 32 bit
*nix. They are recommending upgrading to 1.3.26, which they say
corrects the "core" problem. Hopefully they are right. Since the Linux
exploit has not been published it's hard to know whether this fixes the
problem... but if it is sufficient against the published OpenBSD exploit
then I guess we have to go with that.
However, I'm patching SuSE 7.0, 7.1, and 7.2. I guess I'm not going to
get exactly 1.3.26 from SuSE for these. So I'd really like some sort of
statement from SuSE indicating whether or not the potential remote root
issue on my system will be addressed by their patch.