On Thursday, June 20, 2002, at 09:04 AM, Alan Rouse wrote:

>> So, why should they bring out a fixed version, if there were not a
>> _potential_ exploit? Remote root will not be, because apache doesn't
> run
>> as root, but wwwrun might be. I don't see the point of this
> discussion.
>> There was a bug, there is a fix. SuSE did a great and fast job.
>
> SuSE did not claim to have fixed a remote root exploit. They claimed to
> have fixed a DDOS. They specifically stated that the bug they addressed
> could not be used to inject code and gain access to the machine. That
> doesn't make me very confident that their patch addresses the newly
> disclosed problem (which specifically DOES inject code and gain access
> to the machine).

The DoS is caused by a buffer overflow that kills the child process,
forcing the parent httpd process to spawn a new child. This spawing
requires resources, which is your DoS. According to what I've read,
that buffer overflow is the same one that some are now using to gain
root access. So if the overflow is fixed, the DoS and remote root are
fixed.

--Jeremy

-- 
To unsubscribe, e-mail: suse-security-unsubscribesuse.com
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]