I have a situation where I have an external-facing apache server proxying to another apache server inside a firewall. I've updated the proxying one to Apache 1.3.26 so that it won't get hacked due to the chunked encoding bug, but I'm not able to upgrade the other one behind the firewall for quite some time (a few months since it's integrated with another product). I've been trying to figure out if I'm vulnerable externally or not in this situation.
It appears to me that I'm not, because it looks to me like the mod_proxy handler calls the same core chunked reading functionality that the rest of Apache uses (i.e. from main/http_protocol.c) and that appears to be where all the fixes were made. However, I thought I'd run this by you good folks here since you're a lot more experienced with the Apache code than I am (just 2 days for me so far).... Dave
