DoS: Apache 1.3 all versions including 1.3.24, Apache 2 all versions up to 2.0.36

James Spinks james at angelos.ftech.co.uk
Tue Jun 18 08:05:45 PDT 2002


Quoting Jesse Tie-Ten-Quee <highos at linuxfromscratch.org>:
> Yo,
> 
> http://httpd.apache.org/info/security_bulletin_20020617.txt
> 
> "In Apache 1.3 the issue causes a stack overflow.  Due to the nature of
> the overflow on 32-bit Unix platforms this will cause a segmentation
> violation and the child will terminate.  However on 64-bit platforms the
> overflow can be controlled and so for platforms that store return
> addresses on the stack it is likely that it is further exploitable. This
> could allow arbitrary code to be run on the server as the user the
> Apache children are set to run as."
> 
> No patches or new releases yet, afaik.

According to the CERT Advisory...

   The Apache Software Foundation has released two new versions of Apache
   that correct this vulnerability. System administrators can prevent the
   vulnerability from being exploited by upgrading to Apache version
   1.3.25 or 2.0.39. The new versions of Apache will be available from
   their web site at http://httpd.apache.org/


-- 
James Spinks