Subject: Re: apache and audit-packages
To: None <netbsd-users@NetBSD.org>
From: Matthias Scheler <tron@zhadum.de>
List: netbsd-users
Date: 04/07/2004 19:09:45
In article <20040404120933.GA10272@lb.tenfour>,
Dick Davies <rasputnik@hellooperator.net> writes:
> I'm still getting daily warnings about
>
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
>
> from audit-packages for apache-1.3.29...
Me too.
> Is there a fix?
Apache 1.3.30 is supposed to fix that. But it hasn't been released so far.
> I'm assuming this is the 'acls don't work on 64-bit platforms'
> error, ...
Name         CAN-2003-0020 (under review)
Description  Apache does not filter terminal escape sequences from its
             error logs, which could make it easier for attackers to insert
             those sequences into terminal emulators containing
             vulnerabilities related to escape sequences.
So unless you are using "cat" in a vulnerable (X11) terminal emulator you
are safe. If you are not sure and want to read your logfiles just
use "strings /path/to/log".
> ... but the URL given doesn't respond...
It works for me.
Kind regards
--
Matthias Scheler http://scheler.de/~matthias/
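
The safe-viewing idea from the message above (never send raw error-log bytes to the terminal), as an added example that is not part of the original post: a Python filter that rewrites every byte outside printable ASCII as a visible \xNN escape and flags the lines that contained one. The function names and the sample log lines are constructed for illustration.

```python
import re
import sys

# Anything other than printable ASCII or TAB may be interpreted by a terminal.
UNSAFE = re.compile(rb"[^\x20-\x7e\t]")


def sanitize_line(raw: bytes) -> str:
    """Return the line with unsafe bytes rendered as literal \\xNN text."""
    body = raw.rstrip(b"\r\n")
    # Double existing backslashes first so the escaped output stays unambiguous.
    body = body.replace(b"\\", b"\\\\")
    return UNSAFE.sub(lambda m: b"\\x%02x" % m.group(0)[0], body).decode("ascii")


def scan_log(lines):
    """Return (line_number, sanitized_text, had_unsafe_bytes) for each raw line."""
    findings = []
    for number, raw in enumerate(lines, 1):
        body = raw.rstrip(b"\r\n")
        findings.append((number, sanitize_line(body), bool(UNSAFE.search(body))))
    return findings


# Constructed sample: the second entry carries a harmless colour escape sequence
# inside the requested path, the kind of input the advisory is about.
SAMPLE_LOG = [
    b"[Wed Apr  7 19:00:01 2004] [error] [client 192.0.2.10] "
    b"File does not exist: /htdocs/favicon.ico\n",
    b"[Wed Apr  7 19:00:02 2004] [error] [client 192.0.2.11] "
    b"File does not exist: /htdocs/\x1b[31mred\x1b[0m\n",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Binary mode: the log must not be decoded before it is filtered.
        with open(sys.argv[1], "rb") as handle:
            source = handle.readlines()
    else:
        source = SAMPLE_LOG
    for number, text, flagged in scan_log(source):
        marker = "!" if flagged else " "
        print(f"{marker} {number:6d}  {text}")
```

Run with a log path as the only argument to view that file; lines marked "!" contained bytes that would otherwise have reached the terminal.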