[15381] in bugtraq
Re-release of IIS 5.0 Patch for MS00-031
daemon@ATHENA.MIT.EDU (Microsoft Product Security)
Fri Jun 16 21:16:19 2000
Message-ID: <D1A11CCE78ADD111A35500805FD43F5867C319@RED-MSG-04>
Date: Fri, 16 Jun 2000 16:31:17 -0700
Reply-To: Microsoft Product Security <secnotif@MICROSOFT.COM>
From: Microsoft Product Security <secnotif@MICROSOFT.COM>
X-To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM
To: BUGTRAQ@SECURITYFOCUS.COM

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.

********************************

-----BEGIN PGP SIGNED MESSAGE-----

On May 10, 2000, we released Microsoft Security Bulletin MS00-031
(http://www.microsoft.com/technet/security/bulletin/ms00-031.asp),
discussing a pair of vulnerabilities affecting Internet Information
Server (IIS) 4.0 and 5.0. Both of the vulnerabilities, known as the
"Undelimited HTR Request" and "File Fragment Reading via .HTR"
vulnerabilities, should have been eliminated by the patches discussed
in the bulletin. In the case of the IIS 4.0 patch, this was the case.
However, we have recently discovered that the IIS 5.0 patch only
eliminated the "Undelimited HTR Request" vulnerability, and not the
"File Fragment Reading via .HTR" vulnerability.

We have released a new version of the IIS 5.0 patch, and have verified
that it does eliminate both vulnerabilities. We recommend that any
customers who previously applied the IIS 5.0 patch revisit the
bulletin and apply the new version of the patch, to ensure that they
are fully protected against both vulnerabilities. The IIS 4.0 patch
was always correct, and customers who applied it do not need to take
any action. We are very sorry for any inconvenience caused by this
error, and will do our best to ensure that it does not occur again.

Regards,
Secure@microsoft.com
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2
-----END PGP SIGNATURE-----
*******************************************************************
To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/technet/security/notify.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.