Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apache Vulnerability Announced

Posted by krow on from the lame-DOS-attacks dept.

Aaron writes "Versions of the Apache HTTP Server up to and including 1.3.24 and 2.0 up to and including 2.0.36 contain a bug in the routines which deal with invalid requests which are encoded using chunked encoding. In some cases it may be possible to cause a child process to terminate and restart, which consumes a non-trivial amount of resources. See the official announcement and stay tuned here for updated versions." This is in response to the rather uninformed and questionable security notice by ISS X-Force, about a bug that has already been mentioned on the public mailing lists for Apache and is fixed in CVS for Apache 2.0. I am also told that their patch doesn't fully solve the problem. I am sure though that by awaking us to the problem they will get a lot of great press just like any of the other companies currently using useless bug announcements as press releases.

2 of 296 comments (clear)

  1. now lets' see... by slayer99 · · Score: 0, Flamebait

    I bet this will be patched a little quicker than the last IIS vulnerabilities :)

    --
    Martin Brooks / Slayer99 #linux / UIN 2178117
  2. I always like how by JeanBaptiste · · Score: 0, Flamebait

    apache bugs seem rather trivial, while most every M$ bug ends with 'which could allow malicious code to be executed' or 'which could allow unauthorized access' (I know thats not verbatim but I dont feel like looking it up.)