[VIM] Apache version question/discrepancy?
security curmudgeon
jericho at attrition.org
Thu Nov 16 21:40:28 EST 2006
http://httpd.apache.org/security/vulnerabilities_13.html
Fixed in Apache httpd 1.3.37
important: mod_rewrite off-by-one error CVE-2006-3747
Affects: 1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28
http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0674.html
[Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released
This version of Apache is principally a bug and security fix release. The
following potential security flaws are addressed;
CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
and 2.2 since 2.2.0.
http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html
* Vulnerable Systems
Apache 1.3.29/mod_rewrite
http://archives.neohapsis.com/archives/bugtraq/2006-08/0398.html
Any version of the Apache HTTP server:
* 1.3 branch: >1.3.28 and <1.3.37
--
The web page suggests that the vulnerability is "fixed in 1.3.37" which
would imply 1.3.35 and 1.3.36 are vulnerable, but the affected list does
not specify that.
The announcement posted to various lists seems to confirm the CVE analysis
which says "since 1.3.28" but doesn't specify the version that fixes it.
So, for clarity, are 1.3.35 and 1.3.36 affected by this issue?
More information about the VIM
mailing list