> This mail was sent by my boss regarding flaws found in Apache. Could anyone
> throw some light on this?

CERT reported yesterday that all current and recent versions of Apache using the HTTP/1.1
protocol have a buffer overflow bug. The bug is activated through a maliciously crafted
HTTP/1.1 chunked request.
For versions 1.3.x this bug allows the attacker to execute arbitrary code on the
attacked machine.
For versions 2.0.x this bug will "only" kill the process handling the request. In a
"prefork" model it means one of the worker servers will be killed and will have to be
spawned again. In the "worker", "per-child" and other multithreaded models it kills the
process, not just the handling thread. This will introduce a (sometimes) long delay in
starting up a new server process with a sufficient number of threads.
For version 2.0 Apache developers say that "the condition causing the vulnerability is
correctly detected and causes the child process to exit."
I will send the full message to the list.
Nix.
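
As an added illustration that is not part of the message above and is not Apache's code: a strict decoder for HTTP/1.1 chunked framing, showing the defensive pattern for chunked requests in general (sizes parsed as unsigned, capped per digit, and compared against the remaining buffer space before any copy). The function names and the 1 MiB per-chunk limit are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_CHUNK ((uint64_t)1 << 20) /* assumed per-chunk policy limit */
/* Parse a chunk-size line such as "1a3f\r\n" or "1a3f;ext=1\r\n".
 * Returns bytes consumed, or -1 if malformed or over the limit. */
static long parse_chunk_size(const unsigned char *p, size_t len, uint64_t *out)
{
    uint64_t size = 0;
    size_t i = 0;
    for (; i < len; i++) {
        unsigned d, c = p[i];
        if (c >= '0' && c <= '9') d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else break;
        size = (size << 4) | d;          /* unsigned: never negative */
        if (size > MAX_CHUNK) return -1; /* checked per digit, cannot wrap */
    }
    if (i == 0) return -1;               /* no hex digits at all */
    if (i < len && p[i] == ';')          /* skip optional chunk extension */
        while (i < len && p[i] != '\r') i++;
    if (len - i < 2 || p[i] != '\r' || p[i + 1] != '\n') return -1;
    *out = size;
    return (long)(i + 2);
}

/* Decode a complete chunked body into out[0..cap). Returns decoded length,
 * or -1 on malformed framing, truncated data, or insufficient space. */
long decode_chunked(const unsigned char *in, size_t in_len,
                    unsigned char *out, size_t cap)
{
    size_t pos = 0, used = 0;
    for (;;) {
        uint64_t n;
        long hdr = parse_chunk_size(in + pos, in_len - pos, &n);
        if (hdr < 0) return -1;
        pos += (size_t)hdr;
        if (n == 0) return (long)used;   /* last chunk; trailers not handled */
        /* compare against remaining space; never add n to an offset first */
        if (n > cap - used || in_len - pos < 2 || n > in_len - pos - 2) return -1;
        memcpy(out + used, in + pos, (size_t)n);
        pos += (size_t)n;
        used += (size_t)n;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;
    }
}
```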