[Full-Disclosure] Re: CSSA-2003-007.0 Advisory withdrawn. Re: Security Update: [CSSA-2003-007.0] Linux: Apache mod_dav module format string vulnerability
William A. Rowe, Jr.
wrowe at rowe-clan.net
Tue Feb 18 19:22:22 GMT 2003
At 12:44 PM 2/18/2003, security at caldera.com wrote:
>This update contained a vulnerable version of the mod_dav module. The
>update has been withdrawn, and is no longer available.
It should be pointed out that the mod_dav vulnerability cited is not
a vulnerability present in any publicly and officially distributed releases
of Apache 2.0.x, <http://httpd.apache.org/>.
I found the original statement in Msg <20030217134528.S10617 at sco.com>
1. Problem Description
The Apache mod_dav module contains a format string vulnerability
in the "ap_log_rerror()" function.
to be altogether misleading. Under the terms of the Apache Software
Foundation License rev. 1.1, I ask that Caldera properly identify the
unmodified software as they wish, but provide the appropriate clarifications
whenever vendor modifications (esp. security holes) have been introduced,
to avoid panicking the general community of Apache users.
Full-Disclosure is hosted and sponsored by Secunia.