
Re: [opensuse-security] Question about SUSE-SA:2008:021



Marcus,
Thanks for clarifying it for me.

Have a great day,
Jeff


Marcus Meissner said the following on 6/3/08 2:17 AM:
On Mon, Jun 02, 2008 at 02:47:08PM -0400, Jeff VanDeRyt wrote:
Hi,
I have a question about the security updates for Apache 2 which are detailed in SUSE-SA:2008:021, and how it relates to SLES 9 and OES on SLES9.

The Security Announcement lists 7 CVE numbers and includes links to updates to Apache and Apache 2 on SLES9 (http://support.novell.com/techcenter/psdb/484f33da03a9e3e4632f40254c4a96a3.html and http://support.novell.com/techcenter/psdb/2c87b234552522821a81df2a63d03f8c.html). However, these pages do not list all 7 CVE numbers as being addressed. Specifically, the Apache 2 page does not include CVE-2007-6421 and CVE-2007-6422 (both listed as affecting Apache 2 only).

Does this mean Apache 2 on SLES 9 is not affected by CVE-2007-6421 and CVE-2007-6422?

Hi,

CVE-2007-6421 and CVE-2007-6422 only affect the Apache 2.2 series,
while SLES 9 has Apache 2.0.59.

See:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6421 and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6422

(mod_proxy_balancer is new in Apache2 2.2.)

Tangentially related, what about CVE-2007-6420 and 2007-6423? They are included in the original SecurityAlert from SecurityReason (http://securityreason.com/securityalert/48) which included CVE-2007-6421 and CVE-2007-6422.

CVE-2007-6420 has not been fixed by upstream at the time of this update,
we reminded them of it however.

CVE-2007-6423 only affects Apache on Windows (see original report and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6423 ).

Ciao, Marcus

