could you send the link for the article. Regards, Vikramjit Singh, Systems Engineer, GTL Ltd. Ph. 7612929-1031
-----Original Message----- From: Nikola Milutinovic [mailto:[EMAIL PROTECTED]] Sent: Tuesday, June 18, 2002 10:06 PM To: Tomcat Users List Subject: Re: FLAWS FOUND IN APACHE > this mail is sent by my boss regarding flaws found in apache. Could anyone > throw some light on this. CERT reported yesterday that all current and recent versions of Apache, using HTTP/1.1 protocol have a buffer overflow bug. The bug is activated through maliciously crafted HTTP/1.1 chunked request. For versions 1.3.x this bug allows the attacker to execute arbitrary code on the attacked machine. For versions 2.0.x this bug will "only" kill the process handling the request. In a "prefork" model it means one of the worker servers will be killed and will have to be spawned again. In a "worker", "per-child" and other multithreaded models it kills the process, not just the handling thread. This will introduce a (sometimes) long delay in starting up a new server process with sufficient number of threads. For version 2.0 Apache developers say that "the condition causing the vulnerability is correctly detected and causes the child process to exit." I will send the full message to the list. Nix. -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
