Hello. I think nobody has sent this warning to the list. Sorry if you 
already know.

This text is from the Apache web site:


Versions of the Apache web server up to and including 1.3.24 and 2.0 up 
to and including 2.0.36 contain a bug in the routines which deal with 
invalid requests which are encoded using chunked encoding. This bug can 
be triggered remotely by sending a carefully crafted invalid request. 
This functionality is enabled by default.

In most cases the outcome of the invalid request is that the child 
process dealing with the request will terminate. At the least, this 
could help a remote attacker launch a denial of service attack as the 
parent process will eventually have to replace the terminated child 
process, and starting new children uses non-trivial amounts of resources.

We were also notified today by ISS that they had published the same 
issue which has forced the early release of this advisory. Please note 
that the patch provided by ISS does not correct this vulnerability.

The Apache Software Foundation has released versions 1.3.26 and 2.0.39 
to address and fix this issue. These versions are available for download; 
see below.

Josep R. Raurell

PHP General Mailing List (http://www.php.net/)
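
As an added example (not part of the original message or the Apache advisory), here is a small inventory check that classifies `Server` banners against the version boundaries quoted above. The hostnames and banners are constructed sample data, and the function names are this example's own.

```python
import re

# Version boundaries taken from the advisory text quoted in this message.
LAST_AFFECTED = {(1, 3): 24, (2, 0): 36}  # "up to and including"
FIRST_FIXED = {(1, 3): 26, (2, 0): 39}    # releases that fix the issue

BANNER_RE = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)")


def classify(banner):
    """Return 'affected', 'fixed', 'unstated' or 'unknown' for a Server banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown"  # no full Apache version in the banner
    major, minor, patch = (int(x) for x in m.groups())
    branch = (major, minor)
    if branch not in LAST_AFFECTED:
        return "unstated"  # the advisory names only the 1.3 and 2.0 lines
    if patch <= LAST_AFFECTED[branch]:
        return "affected"
    if patch >= FIRST_FIXED[branch]:
        return "fixed"
    return "unstated"  # between last affected and first fixed release


def audit(inventory):
    """Map each host to its classification; inventory is {host: banner}."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE = {
    "web1.example.test": "Apache/1.3.24 (Unix) PHP/4.2.1",
    "web2.example.test": "Apache/1.3.26 (Unix)",
    "web3.example.test": "Apache/2.0.36",
    "web4.example.test": "Apache/2.0.39",
    "web5.example.test": "Apache/1.3.25",
    "web6.example.test": "Apache",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

A banner only reports a version string: packages with backported fixes can show an older number, so treat "affected" as a prompt to check the installed package rather than as proof.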