On Sat, Nov 01, 2003 at 07:49:30PM -0500, Phillip Hofmeister wrote:
If you are really looking for assurance that 'rm -rf /' would not affect
your day because weekly full backups and nightly incremental should be
made. If you don't have valid off system, perhaps off-site backups,
then what
On Fri, Oct 31, 2003 at 06:06:15PM +0100, Roman Medina wrote:
My opinion is that if a security bug is discovered it should be fixed
ASAP. It's really simple. The argument: We believe that there is no
security update required because intentionally exploiting this
vulnerability requires access
Oops, my apologies. You're completely right. I meant remote access with
apache user rights.
-R
On Saturday, 2003-11-01 at 11:03:16 +0100, [EMAIL PROTECTED] wrote:
- the bug is quite serious (local root, at minimum)
I wonder how a user would obtain root privileges by overrunning an
Apache
On Sat, Nov 01, 2003 at 11:03:16AM +0100, [EMAIL PROTECTED] wrote:
For example, people sometimes file bugs about buffer overflows in
simple programs (which run with no privileges and do not act on any
untrusted input) just because they are buffer overflows, a type of bug
which is
On Sat, 01 Nov 2003 at 05:15:34PM -0500, Adam ENDRODI wrote:
I tend to disagree, I'm afraid. The presence of remotely
exploitable bugs in user applications (be it a client of some
networked game, or a PDF viewer) imposes a great risk on the user,
Quoting Phillip Hofmeister [EMAIL PROTECTED]:
I believe your justification can be found:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=218188
I'm not saying I agree fully with it...but I do understand it...
Given that some of the affected directives can be used in .htaccess
files, the
On Fri, Oct 31, 2003 at 09:07:57PM +0900, Hideki Yamane wrote:
I checked woody's apache source and I cannot find any patches
for mod_alias.c in apache-1.3.26/debian/patches directory.
So I guess Debian's apache is affected by this vulnerability.
Do I misunderstand this? Does apache
Hey, morons, don't drop people from the CC. Otherwise they'll never
know what you're saying.
On Fri, Oct 31, 2003 at 03:07:26PM +0100, Lupe Christoph wrote:
Quoting Phillip Hofmeister [EMAIL PROTECTED]:
I believe your justification can be found:
Sorry, I misunderstood your answer. I thought you were redirecting me
to the other ml. I've also read the answer sent by Matthew Wilcox
[EMAIL PROTECTED] to this same thread (amongst other related messages
and likes).
My opinion is that if a security bug is discovered it should be fixed
ASAP.
Please respect my Mail-Followup-To header and the Debian mailing list
guidelines, and do not CC me on replies.
On Fri, Oct 31, 2003 at 06:06:15PM +0100, Roman Medina wrote:
My opinion is that if a security bug is discovered it should be fixed
ASAP. It's really simple. The argument: We believe
Hi,
Do you know about the Apache security issue?
Yes. According to the Apache maintainers, woody does not require an update.
Really? mod_alias is so old(*), I think all of apache
would be affected by this vulnerability.
Ask [EMAIL PROTECTED]
I checked woody's apache source and
Thanks for your reply.
Do you know about the Apache security issue?
Yes. According to the Apache maintainers, woody does not require an update.
Really? mod_alias is so old(*), I think all of apache
would be affected by this vulnerability.
* Revision: 1.17, Tue Jul 8 03:45:28 1997 UTC
On Thu, Oct 30, 2003 at 12:12:27AM +0900, Hideki Yamane wrote:
Do you know about the Apache security issue?
Yes. According to the Apache maintainers, woody does not require an update.
--
- mdz
On Thu, Oct 30, 2003 at 05:03:36PM +0900, Hideki Yamane wrote:
Do you know about the Apache security issue?
Yes. According to the Apache maintainers, woody does not require an update.
Really? mod_alias is so old(*), I think all of apache
would be affected by this vulnerability.
On Thu, 30 Oct 2003 12:21:09 -0500, you wrote:
On Thu, Oct 30, 2003 at 05:49:34PM +0100, [EMAIL PROTECTED] wrote:
It's a Woody 3.0 up-to-date machine. Are you sure Apache shipped on Debian
is actually secure? These segfaults scare me... it smells like
0day-exploit...
[...]
Ask [EMAIL
On Thu, Oct 30, 2003 at 07:58:50PM +0100, Roman Medina wrote:
On Thu, 30 Oct 2003 12:21:09 -0500, you wrote:
Ask [EMAIL PROTECTED]
See above.
I'm not subscribed to debian-apache, nor am I going to subscribe only
to ask this. If this is a security issue in Debian, why not discuss
On Thu, 30 Oct 2003 at 01:59:01PM -0500, Roman Medina wrote:
I'm not subscribed to debian-apache, nor am I going to subscribe
only to ask this. If this is a security issue in Debian, why not
discuss it in a Debian security ml? I repeat it: I
Hi list,
Do you know about the Apache security issue?
The Apache 1.3.29 release announcement is here.
http://www.apache.org/dist/httpd/Announcement.txt
This Apache 1.3 release includes a security fix.
Apache 1.3.29 Major changes
Security vulnerabilities
* CAN-2003-0542
Cc: [EMAIL PROTECTED]
Package: apache
Version: 1.3.26-0woody3
Tags: security
Severity: grave
I have checked the full bug list also. It does not appear a bug has
been filed yet. Therefore I have filed a bug with this email. If you
have anything additional to add please wait until it shows up on