Re: Remote count.cgi exploit mods

[flaps () DGP TORONTO EDU (Alan J Rosenthal)]

> If the version is 2.4, then it is patched for this bug. Anything
> below that is vulnerable. (2.4 is the latest version)

Not quite... at least, I hope not, and if the above is not wrong in the
following sense then a lot of people would like to know.

A distribution I myself called "2.3.new" for lack of a better name (as the
distribution file itself was confusingly called 2.3) contains the following
appendix in the top-level README:

        quick security fix. i'm keeping the version 2.3, because changing it
        requires changing many things. I don't have time!

        ma_muquit () fccc edu
        Oct-14-1997

and the 2.4 release seems to be dated 20 Oct, and the "what's new" section of
the 2.4 release contains the line "Includes the Buffer Overflow security fix".

I assume that this refers to the security fix contained in this temporary
security fix version.  If not, I'd sure like to know.

Since the two dates are only six days apart, probably most people out there on
the net are either vulnerable or have version 2.4.  However, a large number of
the readers of this list may have put the security fix version in place in the
interim.

So, do we have to upgrade to 2.4 if we have the security fix version?

regards,
ajr