At 12:44 PM 2/18/2003, securityat_private wrote: >This update contained a vulnerable version of the mod_dav module. The >update has been withdrawn, and is no longer available. It should be pointed out that the mod_dav vulnerability cited is not a vulnerability present in any publicly and officially distributed releases of Apache 2.0.x, <http://httpd.apache.org/>. I found the original statement in Msg <20030217134528.S10617at_private> <quote> 1. Problem Description The Apache mod_dav module contains a format string vulnerability in the "ap_log_rerror()" function. </quote> to be altogether misleading. Under the terms of the Apache Software Foundation License rev. 1.1, I ask that Caldera properly identify the unmodified software as they wish, but provide the appropriate clarifications whenever vendor modifications (esp. security holes) have been introduced, to avoid panicking the general community of Apache users. Bill _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Tue Feb 18 2003 - 12:06:43 PST