[H-GEN] apache updates (mime exploit)
Tony Nugent
tony at linuxworks.com.au
Thu Jun 20 03:07:42 EDT 2002
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
I guess most people have seen the security notices and updates for
apache, which is so widely used that just about every unix vendor
has issued updates for it. [1]
What surprises me (well, perhaps it shouldn't:) is that at exactly
the same time that this is happening, micro$oft are also issuing
updates for many of its products (iis, m$IE, outrage, m$office, etc)
to fix problems that appear to relate to exactly the same issue
(involving "chunked" encoding).
The conclusion that I'm inclined to make (from my viewpoint anyway)
is that (closed-source) m$II$ and (open-source) apache share a
common code base. Which should not be the case, and if it is then
m$ may have some questions to answer.
Perhaps I'm reading too much into this... both share their
functionality with RFC requirements, and it could be that in the
interpretation of the mime encoding according to the RFCs, neither
has taken into account the quirky and unusual nature of this
particular exploit.
Comments?
Cheers
Tony
[1] for more details, see:
http://www.iss.net/
http://www.auscert.org.au/
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'. See http://www.humbug.org.au/