-----BEGIN PGP SIGNED MESSAGE----- Just to clarify this a bit further, the mod_dav module for Apache is not vulnerable to the format string vulnerability (as outlined in the original advisory from SCO, CAN-2002-0842) mod_dav contains code that logs various errors and uses ap_log_rerror() to do so. In mod_dav for Apache, ap_log_rerror is never called with strings that can be influenced by a remote user. Now Oracle added code to their version of mod_dav to log gateway errors, but gateway errors contain strings that can be controlled by a remote user. Therefore Oracle was vulnerable to a format string issue, but no base release of Apache with mod_dav was vulnerable. We did some research this morning after SCO released their advisory. According to their ftp site SCO shipped OpenLinux with a standard copy of mod_dav which was not vulnerable to this format string issue. Their advisory, CSSA-2003-007.0 referenced new packages where they added a patch which, unfortunately, added in code to log of gateway errors and contained a format string vulnerability. Thanks, Mark -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iQCVAwUBPlKFj+6tTP1JpWPZAQE6awQA43RYlKHCZME4KszH/zDOMbuTeTUybvaW GWP88jowg0+JtVDl+D7JFGFxdgrrxBD/sWTPRV361l3TKUYXnXcuDIW2OnWdWRtq 4zulMANv1kFs/mqRPz1naJ+hZPaVrYKVxSv2mhDz4fjohsBjUVlNOuaoosONl0se lWS9MFQTRaI= =mhD7 -----END PGP SIGNATURE-----
