Date: Thu, 20 Jun 2002 16:25:29 -0400 (EDT)
From: Jeff Gentry
To: "David G . Andersen"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache root exploitable?
In-Reply-To: <20020620134143.C14099@cs.utah.edu>
Message-ID: <20020620162448.V77014-100000@hellfire.hexdump.org>

> It's not _root_ exploitable unless you run Apache as root.
> If you do that, you're asking for it anyway.

Nope :) While I mind DoS exploits, having ppl finding their way into my system is even more bothersome, especially if there is no workaround available, but ...

> Upgrade to 1.3.26 or 2.0.39.

Gotcha. Thanks.

-J