DoS: Apache 1.3 all versions including 1.3.24, Apache 2 all versions up to 2.0.36

James Spinks james at
Tue Jun 18 08:05:45 PDT 2002

Quoting Jesse Tie-Ten-Quee <highos at>:
> Yo,
> "In Apache 1.3 the issue causes a stack overflow.  Due to the nature of
> the overflow on 32-bit Unix platforms this will cause a segmentation
> violation and the child will terminate.  However on 64-bit platforms the
> overflow can be controlled and so for platforms that store return
> addresses on the stack it is likely that it is further exploitable. This
> could allow arbitrary code to be run on the server as the user the
> Apache children are set to run as."
> No patches or new releases yet, afaik.

According to the CERT Advisory...

   The Apache Software Foundation has released two new versions of Apache
   that correct this vulnerability. System administrators can prevent the
   vulnerability from being exploited by upgrading to Apache version
   1.3.25 or 2.0.39. The new versions of Apache will be available from
   their web site at 

James Spinks