
Re: [opensuse-security] Question about SUSE-SA:2008:021



On Mon, Jun 02, 2008 at 02:47:08PM -0400, Jeff VanDeRyt wrote:
> Hi,
> I have a question about the security updates for Apache 2 which are 
> detailed in SUSE-SA:2008:021, and how it relates to SLES 9 and OES on SLES9.
> 
> The Security Announcement lists 7 CVE numbers and includes links to 
> updates for updates to Apache and Apache 2 on SLES9 
> (http://support.novell.com/techcenter/psdb/484f33da03a9e3e4632f40254c4a96a3.html 
>  and 
> http://support.novell.com/techcenter/psdb/2c87b234552522821a81df2a63d03f8c.html). 
>  However, these pages do not list all 7 CVE numbers as being addressed. 
>  Specifically the Apache 2 page does not include CVE-2007-6421 and 
> CVE-2007-6422 (both listed as affecting Apache 2 only).
> 
> Does this mean Apache 2 on SLES 9 is not affected by CVE-2007-6421 and 
> CVE-2007-6422?

Hi,

CVE-2007-6421 and CVE-2007-6422 only affect the Apache 2.2 series,
while SLES 9 has Apache 2.0.59.

See:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6421 and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6422

(mod_proxy_balancer is new in Apache2 2.2.)

> Tangentially related, what about CVE-2007-6420 and 2007-6423?  They are 
> included in original SecurityAlert from SecurityReason 
> (http://securityreason.com/securityalert/48) which included 
> CVE-2007-6421 and CVE-2007-6422.

CVE-2007-6420 has not been fixed by upstream at the time of this update;
we reminded them of it, however.

CVE-2007-6423 only affects Apache on Windows (see original report and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6423 ).

Ciao, Marcus