DoS: Apache 1.3 all versions including 1.3.24, Apache 2 all versions up to 2.0.36
james at angelos.ftech.co.uk
Tue Jun 18 08:05:45 PDT 2002
Quoting Jesse Tie-Ten-Quee <highos at linuxfromscratch.org>:
> "In Apache 1.3 the issue causes a stack overflow. Due to the nature of
> the overflow on 32-bit Unix platforms this will cause a segmentation
> violation and the child will terminate. However on 64-bit platforms the
> overflow can be controlled and so for platforms that store return
> addresses on the stack it is likely that it is further exploitable. This
> could allow arbitrary code to be run on the server as the user the
> Apache children are set to run as."
> No patches or new releases yet, afaik.
According to the CERT Advisory...
The Apache Software Foundation has released two new versions of Apache
that correct this vulnerability. System administrators can prevent the
vulnerability from being exploited by upgrading to Apache version
1.3.25 or 2.0.39. The new versions of Apache will be available from
their web site at http://httpd.apache.org/
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-security' in the subject header of the message
More information about the lfs-security