Date:      Mon, 17 Jun 2002 22:50:56 -0700 (PDT)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Brett Glass <brett@lariat.org>
Cc:        security@FreeBSD.ORG
Subject:   Re: CDs with patched Apache?
Message-ID:  <200206180550.g5I5ouhA052135@apollo.backplane.com>
References:   <200206180539.XAA26264@lariat.org>


:As many folks are already aware, the version of Apache that's included in the
:FreeBSD ports and packages is subject to a buffer overflow which (at best) can
:cause a DoS and (at worst) can be used as a remote root exploit. The authors
:of the advisory from apache.org say that they believe 32-bit Unices can only
:be DoSed (see http://www.cert.org/advisories/CA-2002-17.html). But given the
:cleverness of skript creators, and the large number of potential target
:systems (Apache drives more than half the Web servers on the Net), we can't be
:100% sure that someone won't find a clever way to smash the stack and root
:FreeBSD systems running vulnerable versions of Apache.
:
:Since Apache is one of the most commonly installed ports, disc vendors should
:strongly consider mastering their discs with a patched Apache. What's the
:status of the CDs and DVDs from various vendors? Will it be possible for them
:to "stop press" and do this?
:
:--Brett Glass

    I don't think having the CD vendors hold up the release can be justified.  
    Certainly the timing is bad.. it would have been nice to get the new
    Apache in, but security issues pop up all the time and I really doubt
    that most commercial users of FreeBSD actually install Apache from the
    CD.  I don't know, of course, but that's my feeling.

    (I am far more worried about the ATA CDRom driver problems that are
    preventing a lot of people from installing the release.  That might
    be sufficient to roll new ISOs if the problem can be fixed quickly,
    but I think it is too late even for something like that and if it
    is too late for that it is certainly too late to roll new ISOs to
    get a newer Apache).

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message