[VIM] Apache version question/discrepancy?

security curmudgeon jericho at attrition.org
Thu Nov 16 21:40:28 EST 2006


Fixed in Apache httpd 1.3.37
important: mod_rewrite off-by-one error CVE-2006-3747

Affects: 1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28

[Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released

This version of Apache is principally a bug and security fix release. The
following potential security flaws are addressed;

    CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
    mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
    and 2.2 since 2.2.0.


* Vulnerable Systems
Apache 1.3.29/mod_rewrite


Any version of the Apache HTTP server:
  * 1.3 branch: >1.3.28 and <1.3.37


The web page suggests that the vulnerability is "fixed in 1.3.37" which 
would imply 1.3.35 and 1.3.36 are vulnerable, but the affected list does 
not specify that.

The announcement posted to various lists seems to confirm the CVE analysis 
which says "since 1.3.28" but doesn't specify the version that fixes it.

So, for clarity, are 1.3.35 and 1.3.36 affected by this issue?
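The discrepancy the post points at can be made mechanical: a vulnerability-management team matching installed httpd versions against CVE-2006-3747 has two quoted sources to encode, the explicit "Affects:" list and the range "1.3 branch: >1.3.28 and <1.3.37", and they do not agree on every version. The following is an added example, not code from the original message or from the Apache project; it encodes both sources exactly as quoted above, reads the range literally (exclusive on both ends) unless told otherwise, and reports the versions on which the two sources give different verdicts. The version 1.3.27 in the candidate list is a constructed below-range control and is not mentioned on the page.

```python
from typing import List, Tuple

# Source 1: the explicit "Affects:" list quoted from the Apache page above.
AFFECTS_LIST = {"1.3.34", "1.3.33", "1.3.32", "1.3.31", "1.3.29", "1.3.28"}

# Source 2: the quoted range "1.3 branch: >1.3.28 and <1.3.37".
RANGE_LOW = "1.3.28"
RANGE_HIGH = "1.3.37"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted httpd version such as '1.3.37' into a comparable tuple."""
    return tuple(int(part) for part in v.strip().split("."))


def in_affected_range(v: str, low: str = RANGE_LOW, high: str = RANGE_HIGH,
                      inclusive_low: bool = False) -> bool:
    """Verdict according to the quoted range.

    The range is read literally as exclusive on both ends; pass
    inclusive_low=True to read '>1.3.28' as 'since 1.3.28', the wording
    used in the release announcement.
    """
    pv = parse_version(v)
    lo, hi = parse_version(low), parse_version(high)
    if pv[:2] != (1, 3):          # the quoted range covers the 1.3 branch only
        return False
    lower_ok = pv >= lo if inclusive_low else pv > lo
    return lower_ok and pv < hi


def in_affects_list(v: str) -> bool:
    """Verdict according to the explicit 'Affects:' list."""
    return v.strip() in AFFECTS_LIST


def disagreements(versions: List[str], inclusive_low: bool = False) -> List[str]:
    """Versions on which the two quoted sources disagree, in input order."""
    return [v for v in versions
            if in_affected_range(v, inclusive_low=inclusive_low) != in_affects_list(v)]


# Constructed candidate set: every 1.3.x version named on the page, plus
# 1.3.27 as a below-range control (assumption, not from the page).
CANDIDATES = ["1.3.27", "1.3.28", "1.3.29", "1.3.31", "1.3.32", "1.3.33",
              "1.3.34", "1.3.35", "1.3.36", "1.3.37"]


if __name__ == "__main__":
    for v in CANDIDATES:
        print(f"{v:8} range={in_affected_range(v)!s:5} list={in_affects_list(v)!s:5}")
    print("disagree (range exclusive):", disagreements(CANDIDATES))
    print("disagree (range inclusive):", disagreements(CANDIDATES, inclusive_low=True))
```

Run as-is, the exclusive reading flags 1.3.28, 1.3.35 and 1.3.36 as contested; reading the lower bound as inclusive (matching "since 1.3.28") leaves exactly the two versions the post asks about, 1.3.35 and 1.3.36, as the ones the quoted sources do not settle. The point for a scanner author is that a range expressed with ">" and a hand-maintained "Affects:" list are separate claims and should be reconciled before either is used as an answer key.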

