Security Innovation's Microsoft/Linux web server security study

Posted Mar 23, 2005 15:31 UTC (Wed) by ballombe (subscriber, #9523)
Parent article: Security Innovation's Microsoft/Linux web server security study

> Red Hat only packaged this fix in RHSA-2004:611, issued on the 27th of November.

This is not true. Just check the excellent LWN Security section (http://lwn.net/Alerts/108548/).

It was issued the 27th of October.


Security Innovation's Microsoft/Linux web server security study

Posted Mar 23, 2005 15:43 UTC (Wed) by gnb (subscriber, #5132)

That's still longer than you might hope. They may well have picked the worst example they could find, but the point that the need for the fix to propagate from the upstream vendor to the distribution vendor introduces delay is valid. Whether the end result is any worse than the delay you get from some other large software companies is a separate question.

Security Innovation's Microsoft/Linux web server security study

Posted Mar 23, 2005 15:51 UTC (Wed) by shahms (subscriber, #8877)

Even if they picked the worst example they could find, they still exaggerated it by a month...

Security Innovation's Microsoft/Linux web server security study

Posted Mar 23, 2005 15:55 UTC (Wed) by tzafrir (subscriber, #11501)

Have a look at the original bug:

http://bugs.mysql.com/bug.php?id=4017

The original report was unreproducible from 4-jun-2004 to 16-jun-2004. Then a discussion started. A quote from it:

[17 Jun 2004 2:20am] Lukasz Wojtow

Everything depends on the library you use. In glibc there is a limitation for an IP address to have only 4 bytes (obviously), but generally speaking the length of the address comes with a response for a DNS query (I know it sounds funny but read RFC 1035 if you don't believe). This bug can occur on libraries where the gethostbyname function takes the length from the DNS response and puts it into h_length. See the sources for ping and squid (just do grep for 'gethostbyname' and look a few lines lower) to see how it should be done. Doing a thing like memcpy(&sa.sin_addr,he->h_addr,he->h_length) is like strncpy(buffer,user_input,strlen(user_input)). It is an overflow, just not exploitable on Linux (glibc) and OpenBSD (I don't know about others).
Lukasz Wojtow

So theoretically RHEL was vulnerable. Practically it wasn't. Still, it is worth fixing because who knows what other paths may lead there. No reason for rushing out an emergency fix for this one.
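As an added example (not code from the bug report, MySQL, ping or squid), here is a C helper in the spirit of the checked copy the quoted comment recommends: it refuses any hostent whose h_length is not exactly the size of sin_addr before copying. The make_fake_hostent and demo_constructed_reply helpers are constructed for offline testing and do no real resolver call.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Copy the first address of `he` into `sa`; 0 on success, -1 if the hostent
 * cannot be trusted to hold exactly one IPv4 address.  The unchecked form
 *     memcpy(&sa->sin_addr, he->h_addr, he->h_length);
 * trusts h_length, which some resolvers take straight from the DNS reply;
 * sin_addr is 4 bytes, so a larger h_length writes past it. */
int copy_hostent_addr(const struct hostent *he, struct sockaddr_in *sa)
{
    if (he == NULL || sa == NULL)
        return -1;
    if (he->h_addrtype != AF_INET)                 /* only IPv4 fits sin_addr */
        return -1;
    if (he->h_length != (int)sizeof(sa->sin_addr)) /* must be exactly 4 bytes */
        return -1;
    if (he->h_addr_list == NULL || he->h_addr_list[0] == NULL)
        return -1;
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    memcpy(&sa->sin_addr, he->h_addr_list[0], sizeof(sa->sin_addr));
    return 0;
}

/* Constructed hostent (no real DNS lookup) with a caller-chosen h_length. */
struct hostent make_fake_hostent(char **addr_list, int length)
{
    struct hostent he;
    memset(&he, 0, sizeof(he));
    he.h_addrtype = AF_INET;
    he.h_length = length;
    he.h_addr_list = addr_list;
    return he;
}

/* Constructed sample: one 16-byte buffer advertised first with h_length 4, then
 * with h_length 16.  Returns 1 if the first copy succeeds and the second is refused. */
int demo_constructed_reply(void)
{
    static unsigned char raw[16] = {10, 0, 0, 1}; /* 10.0.0.1, rest zero */
    char *list[2] = { (char *)raw, NULL };
    struct sockaddr_in sa;
    struct hostent good = make_fake_hostent(list, 4);
    struct hostent bad  = make_fake_hostent(list, 16);
    return copy_hostent_addr(&good, &sa) == 0
        && sa.sin_addr.s_addr == htonl(0x0A000001u)
        && copy_hostent_addr(&bad, &sa) == -1;
}
```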

Security Innovation's Microsoft/Linux web server security study

Posted Mar 23, 2005 16:29 UTC (Wed) by ballombe (subscriber, #9523)

Second error:
> CAN-2004-0957 discusses a bug in MySQL's mysql_real_connect() function.

That is not true either: mysql_real_connect() is CAN-2004-0836. CAN-2004-0957 is an unrelated vulnerability fixed in the same RHSA.

See http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-200...
and http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-200...

Given there are two factual mistakes in the 5 lines pasted in the news item, how much would you trust the rest?

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds