Re: CERT Advisory and HTTPServer

From: Holger.VanKoll@SWISSCOM.COM
Date: Tue Jun 18 2002 - 08:14:47 EDT


IBM is sometimes a bit slow in responding to security issues.

You can be quite sure you are vulnerable. IBM does not touch the core of Apache, so HTTPServer is probably vulnerable, too.

All you can do now is
1) ensure the httpd children don't run as root
2) have the latest fixes installed. This prevents getting root from a www/nobody user that was compromised

I would not worry that much... exploiting an AIX security hole is quite difficult and there is not that much information around (compared to Linux/*BSD etc.)

-----Original Message-----
From: Stamper, Steve [mailto:sstamper@FOREMOST.COM]
Sent: Tuesday, 18 June 2002 13:38
To: aix-l@Princeton.EDU
Subject: CERT Advisory and HTTPServer

Due to some application requirements, we must run IBM HTTPServer (http://www-3.ibm.com/software/webservers/httpservers/) on some of our AIX systems. CERT has just released a vulnerability (http://httpd.apache.org/info/security_bulletin_20020617.txt) for Apache - which HTTPServer is based upon. I have been to IBM's site and they make no mention of HTTPServer having this vulnerability. Does anyone know where/how I can research?




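Added example, not part of the original messages: one way to check point 1 of the reply above, that no httpd child runs as root. It assumes the server processes are named httpd and that ps accepts the POSIX format `-o user,pid,ppid,comm`; the function names and the sample process table are constructed for illustration.

```shell
# Flag httpd worker (child) processes that run as root.
# Input: lines of "USER PID PPID COMMAND", as printed by
#   ps -e -o user,pid,ppid,comm
# The parent httpd normally stays root so it can bind port 80; only its
# children (httpd processes whose parent is also httpd) must have dropped
# to the unprivileged account (www, nobody, ...).
root_httpd_children() {
    awk '
        NR == 1 && $2 == "PID" { next }          # skip the ps header line
        { n = split($4, p, "/"); name = p[n] }   # basename of the command
        name == "httpd" { user[$2] = $1; ppid[$2] = $3 }
        END {
            for (pid in user)
                if ((ppid[pid] in user) && user[pid] == "root")
                    print pid
        }
    ' | sort -n
}

# Constructed sample (not from a real system): PID 4130 is a worker
# that is still running as root.
sample_ps() {
    cat <<'EOF'
USER PID PPID COMMAND
root 4100 1 httpd
nobody 4120 4100 httpd
nobody 4121 4100 httpd
root 4130 4100 httpd
root 5200 1 sshd
EOF
}

# Reads ps output on stdin; returns 1 if any httpd child runs as root.
check_httpd() {
    bad=$(root_httpd_children)
    if [ -n "$bad" ]; then
        echo "httpd children running as root:" $bad
        return 1
    fi
    echo "no httpd child runs as root"
}

# On a live host: ps -e -o user,pid,ppid,comm | check_httpd
sample_ps | check_httpd || true
```

A hit usually means the User/Group directives in httpd.conf are missing or set to root.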