tech-pkg: Re: www/apache*

Subject: Re: www/apache*
To: Ignatios Souvatzis <ignatios@theory.cs.uni-bonn.de>
From: None <itojun@iijlab.net>
List: tech-pkg
Date: 06/18/2002 22:15:49

>> 	beware - www/apache* ARE NOT SECURE YET. we are still awaiting for
>> 	apache.org to issue a new release.
>doesn't the bad part (> denial-of-service) only apply to 64 bit architectures?
	from CERT advisory, i'm not sure. (it doesn't say that 32bit arch
	are safe)
itojun
II. Impact
 For Apache versions 1.3 through 1.3.24 inclusive, this vulnerability
 may allow the execution of arbitrary code by remote attackers. Several
 sources have reported that this vulnerability can be used by intruders
 to execute arbitrary code on Windows platforms. Additionally, the
 Apache Software Foundation has reported that a similar attack may
 allow the execution of arbitrary code on 64-bit UNIX systems.
 For Apache versions 2.0 through 2.0.36 inclusive, the condition
 causing the vulnerability is correctly detected and causes the child
 process to exit. Depending on a variety of factors, including the
 threading model supported by the vulnerable system, this may lead to a
 denial-of-service attack against the Apache web server.