> Anyway, I thought that when I'm sure it's an apache server > ("Server: Apache blabla") and it crashes then it must be > vulnerable. Is this always the case? This morning I received > a mail from some admin who I had mailed and he told me they > had already upgraded. Full server version: > "Server: Apache/1.3.24 (Unix) (Red-Hat/Linux) mod_ssl/2.8.8 > OpenSSL/0.9.6b mod_perl/1.26" > > So my question is: has redhat changed something in the bad- > chunked-encoding-detected-behavior in their backport or did > this guy just forget to restart apache? Indeed, Red Hat 7.2 carries Apache 1.3.22 and 7.3 has 1.3.23, and probably for compatibility reasons the upgraded RPM didn't upgrade Apache to 1.3.26, but simply patches the old version's chunked encoding -code. So in essence it's the old, vulnerable version of Apache with a patch. For instance, eEye's tool reports my patched RH7.2 server as "vulnerable", because it only checks the server string, it doesn't try to exploit the vulnerability. See Red Hat's advisory: http://rhn.redhat.com/errata/RHSA-2002-103.html Notice, on RH7.2, the upgrade from apache-1.3.22-2.i386.rpm (base system, or perhaps left from earlier upgrade) to apache-1.3.22-6.i386.rpm. The Apache version remains the same, but the RPM'd package version is upgraded. -- Toni Heinonen, Teleware Oy Wireless +358 (40) 836 1815 Telephone +358 (9) 3434 9123 toni.heinonenat_private www.teleware.fi
This archive was generated by hypermail 2b30 : Mon Jun 24 2002 - 19:32:01 PDT