David Eisenstein wrote:
On Thu, 11 May 2006, Jim Popovitch wrote:
In another arena I saw a list of CVEs against Apache 1.3.7. RH73 ships
with Apache 1.3.7-9 so I thought I would query BZ and see what I could
find of these. (I am a BZ newbie when it comes to queries).

CVE-2002-1233 Apache HTTP Server htpasswd and htdigest Multiple Vulnerabilities
CVE-2004-0748, CVE-2004-0751 Apache HTTP Server mod_ssl Denial of Service
CVE-2003-0083, CVE-2003-0020 Linux/Unix: Apache Escape Sequence Vulnerabilities
CVE-2003-0993 Apache mod_access Security Bypass
CVE-2004-0700 Apache mod_ssl Format String Vulnerability

Unfortunately I couldn't find any of those in the Comments under Apache
for Fedora Legacy Redhat 7.3. I can't believe that all of those
aren't addressed, so lack of query results suggests to me that I am
missing something. Some of those CVE/CANs are several years old, but
wouldn't they still be in BZ comments somewhere?

It appears that Red Hat Linux 7.3 shipped with apache-1.3.23-11... I
don't know what shipped with apache-1.3.7 ... From Fedora Legacy's
archives, RHL 7.3's apache was shipped on 16-Apr-2002.

The latest update for Red Hat 7.3's apache appears to have been released
by the Fedora Legacy project on 18-Feb-2006 and is apache-1.3.27-9.legacy.

Thank you, David, for the insight as well as the ground work on going
through all of those. It wasn't my intention to have you or someone
else do that, but I do appreciate your doing so. Apologies for
specifying apache-1.3.7, that was a copy/paste error, I meant
apache-1.3.27.

Again, thank you for digging through all of that.

-Jim P.