httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 40322] New: - mod_rewrite vulnerability of Apache 1.3.33 appears in 1.3.37 also
Date Fri, 25 Aug 2006 12:32:52 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40322>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40322

           Summary: mod_rewrite vulnerability of Apache 1.3.33 appears in
                    1.3.37 also
           Product: Apache httpd-1.3
           Version: HEAD
          Platform: DEC
        OS/Version: OSF/1
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_rewrite
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: laxmiharikumar@yahoo.com


Hi,

With Apache 1.3.33, the vulnerability (CVE-2006-3747: An off-by-one security
problem in the ldap scheme handling. For some RewriteRules this could lead to a
pointer being written out of bounds.) with Rewrite rules was seen on Linux and
DEC OSF/1.

I built Apache 1.3.37 from sources for these two platforms and am again seeing
the same vulnerable behaviour (A window pops up - "An external application must
be launched to handle ldap: links. Request link").

Why is this so?

Thanks
Laxmi

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
