Re: Apache 2.0.54 exploit

From: John Peacock <jpeacock_at_rowman.com>
Date: 2005-07-12 12:29:17 CEST

Ben Reser wrote:
> Hmm yes we do recommend it in our INSTALL docs but as far as I can tell
> Apache hasn't even released anything newer than 2.0.54. So I'm a bit
> perplexed as to how 2.0.55 can be vulnerable or what we should update
> our docs to say.

A) Apache.org hasn't released 2.0.55 yet (but probably RSN). The fix is
available in 2.1.6 and in the Subversion repository for 2.0.x.

B) It's a pretty obscure exploit, because it requires the use of two servers:
one acting as a proxy which can be tricked into sending a malformed request to
the other [target] server.

From what I've read, I think there is nothing to see here that currently
affects Subversion itself...

John

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4720 Boston Way
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5747
Received on Tue Jul 12 12:29:42 2005

This is an archived mail posted to the Subversion Dev mailing list.
