Slashdot Mirror


Apache Vulnerability Announced

Aaron writes "Versions of the Apache HTTP Server up to and including 1.3.24 and 2.0 up to and including 2.0.36 contain a bug in the routines which deal with invalid requests which are encoded using chunked encoding. In some cases it may be possible to cause a child process to terminate and restart, which consumes a non-trivial amount of resources. See the official announcement and stay tuned here for updated versions." This is in response to the rather uninformed and questionable security notice by ISS X-Force, about a bug that has already been mentioned on the public mailing lists for Apache and is fixed in CVS for Apache 2.0. I am also told that their patch doesn't fully solve the problem. I am sure though that by awaking us to the problem they will get a lot of great press just like any of the other companies currently using useless bug announcements as press releases.

2 of 296 comments

  1. Switch to IIS by l33t+j03 · Score: 4, Funny

    Proof positive that IIS is a better web server than Apache. You don't see IIS vulnerabilities spouted all over the internet every day.

    1. Re:Switch to IIS by krogoth · Score: 4, Funny

      "You don't see IIS vulnerabilities spouted all over the internet every day."

      Yes, they tried but it's hard to get people to work on weekends.

      --

      They that quote Benjamin Franklin on liberty and safety deserve neither.