Date: Mon, 17 Jun 2002 22:50:56 -0700 (PDT)
From: Matthew Dillon
Message-Id: <200206180550.g5I5ouhA052135@apollo.backplane.com>
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: CDs with patched Apache?
References: <200206180539.XAA26264@lariat.org>
Sender: owner-freebsd-security@FreeBSD.ORG

:As many folks are already aware, the version of Apache that's included in the
:FreeBSD ports and packages is subject to a buffer overflow which (at best) can
:cause a DoS and (at worst) can be used as a remote root exploit. The authors
:of the advisory from apache.org say that they believe 32-bit Unices can only
:be DoSed (see http://www.cert.org/advisories/CA-2002-17.html). But given the
:cleverness of skript creators, and the large number of potential target
:systems (Apache drives more than half the Web servers on the Net), we can't be
:100% sure that someone won't find a clever way to smash the stack and root
:FreeBSD systems running vulnerable versions of Apache.
:
:Since Apache is one of the most commonly installed ports, disc vendors should
:strongly consider mastering their discs with a patched Apache. What's the
:status of the CDs and DVDs from various vendors? Will it be possible for them
:to "stop press" and do this?
:
:--Brett Glass

I don't think having the CD vendors hold up the release can be justified.
Certainly the timing is bad.. it would have been nice to get the new Apache
in, but security issues pop up all the time and I really doubt that most
commercial users of FreeBSD actually install Apache from the CD. I don't
know, of course, but that's my feeling.

(I am far more worried about the ATA CDRom driver problems that are
preventing a lot of people from installing the release. That might be
sufficient to roll new ISOs if the problem can be fixed quickly, but I
think it is too late even for something like that, and if it is too late
for that it is certainly too late to roll new ISOs to get a newer Apache).

-Matt
Matthew Dillon