[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Apache 2.0.54 exploit

From: John Peacock <jpeacock_at_rowman.com>
Date: 2005-07-12 12:29:17 CEST

Ben Reser wrote:
> Hmm yes we do recommend it in our INSTALL docs but as far as I can tell
> Apache hasn't even released anything newer than 2.0.54. So I'm a bit
> perplexed as to how 2.0.55 can be vulnerable or what we should update
> our docs to say.

A) Apache.org hasn't released 2.0.55 yet (but probably RSN). The fix is
available in 2.1.6 and in the Subversion repository for 2.0.x.

B) It's a pretty obscure exploit, because it requires the use of two servers:
one acting as a proxy which can be tricked into sending a malformed request to
the other [target] server.

 From what I've read, I think there is nothing to see here that currently
affects Subversion itself...

John

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4720 Boston Way
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5747
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Jul 12 12:29:42 2005

This is an archived mail posted to the Subversion Dev mailing list.