07-08-2009 12:20 PM
Is LMS 3.1 vulnerable to this:
Affected Technologies:
Apache prior to 2.2.3
Apache prior to 1.3.37
Apache prior to 2.0.59
Description: The Rewrite module (mod_rewrite) for Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by an off-by-one buffer overflow in the escape_absolute_uri() LDAP scheme handling function. If RewriteRule is enabled and does not contain a Forbidden(F), Gone(G), or NoEscape(NE) flag, a remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause the server to crash.
Remedy:
For Apache 2.2.x:
Upgrade to the latest version of Apache (2.2.3 or later), available from the Apache Web site. See References.
For Apache 1.x:
Upgrade to the latest version of Apache (1.3.37 or later), available from the Apache Web site. See References.
For Apache 2.0.x:
Upgrade to the latest version of Apache (2.0.59 or later), available from the Apache Web site. See References.
Additional Details
07-08-2009 12:37 PM
No, we are not vulnerable. We do not use mod_rewrite. But to put your mind at ease, you can apply the patch to upgrade to Apache 1.3.41 from http://www.cisco.com/cgi-bin/tablebuild.pl/cw2000-cd-one .
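The advisory and the reply above turn on two conditions: an Apache version older than the fixed release of its branch, and mod_rewrite in use with a RewriteRule that lacks the F, G or NE flag. The following audit sketch checks both; it is an added example, not part of the thread and not Cisco or Apache code, and its function names and sample configuration are constructed for illustration.

```python
import re

# Fixed patch level per branch, from the advisory quoted in the question.
FIXED = {(1, 3): 37, (2, 0): 59, (2, 2): 3}
# Flags the advisory says take a rule out of scope (short and long spellings).
EXEMPT = {"f", "forbidden", "g", "gone", "ne", "noescape"}

def version_is_affected(version):
    """True if e.g. '1.3.33' predates the fixed release of its branch."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    fixed = FIXED.get((major, minor))
    return fixed is not None and patch < fixed

def active_lines(config_text):
    """Yield directives, skipping blank lines and comments."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def rewrite_loaded(config_text):
    """Detect LoadModule rewrite_module, or AddModule mod_rewrite.c on 1.3.
    A statically compiled module without either line is not detected."""
    pat = re.compile(r"(LoadModule\s+rewrite_module|AddModule\s+mod_rewrite\.c)\b", re.I)
    return any(pat.match(line) for line in active_lines(config_text))

def exposed_rules(config_text):
    """Return RewriteRule lines carrying none of the F, G or NE flags."""
    hits = []
    for line in active_lines(config_text):
        if not re.match(r"RewriteRule\s", line, re.I):
            continue
        m = re.search(r"\s\[([^\]]+)\]$", line)  # trailing [flag,flag=value]
        flags = {f.split("=")[0].strip().lower() for f in m.group(1).split(",")} if m else set()
        if not flags & EXEMPT:
            hits.append(line)
    return hits

# Constructed sample configuration, not taken from any product.
SAMPLE = """\
LoadModule rewrite_module libexec/mod_rewrite.so
RewriteEngine On
# RewriteRule ^/old$ /new
RewriteRule ^/gone$ - [G]
RewriteRule ^/a/(.*)$ /b/$1 [R=301, L]
RewriteRule ^/c/(.*)$ /d/$1 [NE,L]
RewriteRule ^/e$ /f
"""

if __name__ == "__main__":
    print(version_is_affected("1.3.33"), rewrite_loaded(SAMPLE))
    for rule in exposed_rules(SAMPLE):
        print("review:", rule)
```

Rules placed in .htaccess files or in included configuration files need the same check, since this sketch reads only the text it is given.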
07-08-2009 12:39 PM
That's what I needed. Thanks for the quick reply.