Full Disclosure mailing list archives

Re: CSSA-2003-007.0 Advisory withdrawn. Re: Security Update: [CSSA-2003-007.0] Linux: Apache mod_dav module format string vulnerability

From: "William A. Rowe, Jr." <wrowe () rowe-clan net>
Date: Tue, 18 Feb 2003 13:22:22 -0600

At 12:44 PM 2/18/2003, security () caldera com wrote:

This update contained a vulnerable version of the mod_dav module. The
update has been withdrawn, and is no longer available.


It should be pointed out that the mod_dav vulnerability cited is not
a vulnerability present in any publicly and officially distributed releases 
of Apache 2.0.x, <http://httpd.apache.org/>.

I found the original statement in Msg <20030217134528.S10617 () sco com>

<quote>
   1. Problem Description
        The Apache mod_dav module contains a format string vulnerability
        in the "ap_log_rerror()" function.
</quote>

to be altogether misleading.  Under the terms of the Apache Software
Foundation License rev. 1.1, I ask that Caldera properly identify the 
unmodified software as they wish, but provide the appropriate clarifications 
whenever vendor modifications (esp. security holes) have been introduced, 
to avoid panicking the general community of Apache users.

Bill 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

CSSA-2003-007.0 Advisory withdrawn. Re: Security Update: [CSSA-2003-007.0] Linux: Apache mod_dav module format string vulnerability security (Feb 18)
- Re: CSSA-2003-007.0 Advisory withdrawn. Re: Security Update: [CSSA-2003-007.0] Linux: Apache mod_dav module format string vulnerability William A. Rowe, Jr. (Feb 18)