Slashdot Mirror


Apache Vulnerability Announced

Aaron writes "Versions of the Apache HTTP Server up to and including 1.3.24 and 2.0 up to and including 2.0.36 contain a bug in the routines which deal with invalid requests which are encoded using chunked encoding. In some cases it may be possible to cause a child process to terminate and restart, which consumes a non-trivial amount of resources. See the official announcement and stay tuned here for updated versions." This is in response to the rather uninformed and questionable security notice by ISS X-Force, about a bug that has already been mentioned on the public mailing lists for Apache and is fixed in CVS for Apache 2.0. I am also told that their patch doesn't fully solve the problem. I am sure though that by awaking us to the problem they will get a lot of great press just like any of the other companies currently using useless bug announcements as press releases.
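The announcement above concerns the code path that parses chunked transfer encoding, where the chunk size is a length field supplied by the client. As an added example (not part of the Slashdot post, the ISS notice, or Apache's own source), the C decoder below shows the checks a parser of that kind needs so that a hostile size line is rejected rather than acted upon: a cap on the number of hex digits so a huge value cannot be silently truncated or flip sign, a policy ceiling on chunk size, and every copy bounded by the bytes actually received and by the caller's output buffer. The limits `MAX_CHUNK_BYTES` and `MAX_SIZE_DIGITS`, the function names, and the sample requests are constructed for this example and say nothing about the specific defect in Apache 1.3.24 / 2.0.36.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Policy caps chosen for this example (assumptions, not Apache's values). */
#define MAX_CHUNK_BYTES  (1u << 20)   /* refuse any single chunk over 1 MiB */
#define MAX_SIZE_DIGITS  8            /* 8 hex digits == 32 bits; reject longer */

typedef enum {
    CHUNK_OK = 0,
    CHUNK_MALFORMED,    /* bad hex, missing CRLF, bare LF, truncated body */
    CHUNK_TOO_LARGE,    /* declared size exceeds the policy cap */
    CHUNK_OUTPUT_FULL   /* decoded data would not fit the caller's buffer */
} chunk_status;

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    return tolower(c) - 'a' + 10;
}

/* Parse "<hex-size>[;extension]CRLF". The digit count is never trusted:
 * more than MAX_SIZE_DIGITS digits is rejected before any arithmetic
 * could wrap, and the final value is checked against MAX_CHUNK_BYTES. */
static chunk_status parse_chunk_size(const char *buf, size_t len,
                                     size_t *size, size_t *consumed)
{
    size_t i = 0, value = 0;
    int digits = 0;
    while (i < len && isxdigit((unsigned char)buf[i])) {
        if (++digits > MAX_SIZE_DIGITS) return CHUNK_TOO_LARGE;
        value = value * 16 + (size_t)hexval(buf[i]);
        i++;
    }
    if (digits == 0) return CHUNK_MALFORMED;
    /* Skip an optional chunk extension, but never accept a bare LF. */
    while (i < len && buf[i] != '\r') {
        if (buf[i] == '\n') return CHUNK_MALFORMED;
        i++;
    }
    if (i + 1 >= len || buf[i + 1] != '\n') return CHUNK_MALFORMED;
    if (value > MAX_CHUNK_BYTES) return CHUNK_TOO_LARGE;
    *size = value;
    *consumed = i + 2;
    return CHUNK_OK;
}

/* Decode a complete chunked body into out[]. Trailer headers after the
 * last-chunk are not supported in this example; an empty line is required. */
chunk_status decode_chunked(const char *in, size_t in_len,
                            char *out, size_t out_cap, size_t *out_len)
{
    size_t pos = 0, written = 0;
    *out_len = 0;
    for (;;) {
        size_t size, n;
        chunk_status st = parse_chunk_size(in + pos, in_len - pos, &size, &n);
        if (st != CHUNK_OK) return st;
        pos += n;
        if (size == 0) {
            if (pos + 2 > in_len || in[pos] != '\r' || in[pos + 1] != '\n')
                return CHUNK_MALFORMED;
            *out_len = written;
            return CHUNK_OK;
        }
        /* Bound every copy by what actually arrived and by the output space. */
        if (size > in_len - pos || in_len - pos - size < 2) return CHUNK_MALFORMED;
        if (size > out_cap - written) return CHUNK_OUTPUT_FULL;
        memcpy(out + written, in + pos, size);
        written += size;
        pos += size;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return CHUNK_MALFORMED;
        pos += 2;
    }
}

/* Small wrappers so each case can be checked by return value. */
static chunk_status status_with_cap(const char *req, size_t cap) {
    char out[64]; size_t n;
    if (cap > sizeof out) cap = sizeof out;
    return decode_chunked(req, strlen(req), out, cap, &n);
}

static chunk_status status_of(const char *req) { return status_with_cap(req, 64); }

static int decodes_to(const char *req, const char *expected) {
    char out[64]; size_t n;
    if (decode_chunked(req, strlen(req), out, sizeof out, &n) != CHUNK_OK) return 0;
    return n == strlen(expected) && memcmp(out, expected, n) == 0;
}

int main(void) {
    /* Constructed sample requests, not captured traffic. */
    const char *good = "4\r\nWiki\r\n5;ext=x\r\npedia\r\n0\r\n\r\n";
    printf("valid body decodes:        %d\n", decodes_to(good, "Wikipedia"));
    printf("oversized claim rejected:  %d\n",
           status_of("FFFFFFFF\r\nabc\r\n0\r\n\r\n") == CHUNK_TOO_LARGE);
    printf("truncated body rejected:   %d\n", status_of("5\r\nab\r\n") == CHUNK_MALFORMED);
    return 0;
}
```

The design point is that the declared size is treated as a claim to be verified against three independent limits (digit count, policy ceiling, bytes present) before it is ever used as a copy length; a decoder that short-circuits on any failure turns a malformed request into a rejected request instead of a crashed child process.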

10 of 296 comments

  1. Arrrgggh my fucking eyes! by Anonymous Coward · · Score: -1, Offtopic

    I'm blind from the purple and piss color scheme found on this page.

  2. IIS r0x0rs! by gerf · · Score: -1, Offtopic

    W is for windows

    it's good enough for me

    W is for windows

    it's good enough for me

    w is for windows

    cause i'm a big dummie!

  3. Here's some holes I'd like to exploit... by Anonymous Coward · · Score: -1, Offtopic

    GOOOAAALLL!

    (Brazil Women's Soccer Team!!)

    1. Re:Here's some holes I'd like to exploit... by Anonymous Coward · · Score: -1, Offtopic

      (Brazil Women's Soccer Team!!)

      Yeah, right. Don't believe everything you read in pr0n mags (and nowhere is it said that this is the Brazilian team).
      Women football players are lesbian of course, but they're BUTCHES, not the models you're seeing on that page. Come on.

  4. A complaint! by Anonymous Coward · · Score: -1, Offtopic

    norrog@linux:~> cat complaint.troll
    The ADS on $la$hdot and the O$DN ANNOY ME.

    Ones that annoy me most:
    $hit forge adverts, no one wants to risk developing critical applications
    with you so fuck off!

    AnimeFu/Megatokyo adverts! Japanime sucks, so does slashdot!

    Microsoft Visual Studio .net adverts! Why the FUCK are you letting the
    devil advertise with you. Oh now I remember, open sores have no way to
    make money so they ask big companies to support them!

    Conclusion. Don't tolerate it! Don't subscribe to $la$hdot. Instead go
    and install Junk buster [junkbuster.com] and say no to shitty adverts! The
    ones found here are worse than the pr0n sites!

  5. Important - Need Gook / Geek porn by Anonymous Coward · · Score: -1, Offtopic

    Does anyone have any pornographic pictures of Mae Ling Mak that I could use for masturbation please?

    1. Re:Important - Need Gook / Geek porn by Grape+Smuggler · · Score: -1, Offtopic


      http://spinster.org/my_photos/

      Damn, she is an ugly woman. If you can masturbate to that, more power to ya.

  6. Re:Enough Already by SealBeater · · Score: 2, Offtopic

    It's pretty funny that you say that. From the email:

    X-Force has verified that this issue is exploitable on Apache for
    Windows (Win32) version 1.3.24. Apache 1.x for Unix contains the same
    source code, but X-Force believes that successful exploitation on most
    Unix platforms is unlikely.

    and

    From Apache.org:
    In Apache 1.3 the issue causes a stack overflow. Due to the nature of the
    overflow on 32-bit Unix platforms this will cause a segmentation violation
    and the child will terminate. However on 64-bit platforms the overflow
    can be controlled and so for platforms that store return addresses on the
    stack it is likely that it is further exploitable. This could allow
    arbitrary code to be run on the server as the user the Apache children are
    set to run as.

    We have been made aware that Apache 1.3 on Windows is exploitable in this
    way.


    Now, what were you saying about Windows vs. *nix?

    SealBeater

    --
    -- It's survival of the fittest...and we got the fucking guns!!!

  7. Re:slashdot.org should be renamed spinroom.org by msaavedra · · Score: 2, Offtopic

    Because of your low ID, I assume you are not a troll, but you seem to have some misconceptions about this. This is not a Linux bug, it is an Apache bug. No 32-bit unixes will get rooted as a result of this, though a DoS is possible. Windows and 64-bit unixes could be vulnerable to a serious exploit, if Apache is running as a privileged user, is not chroot'ed, etc. I think most 64-bit unix admins will be able to manage the problem until a good patch is available. One can only hope that there aren't too many people running Apache on Windows.

    --
    "Any fool can make a rule, and any fool will mind it."
    --Henry David Thoreau

  8. International Sandwich Shop by Anonymous Coward · · Score: -1, Offtopic

    uuummmmmm, a 16" Roast Beef after a night of binge drinking sounds really good right now. Both the sandwich and binge drinking.

    I miss school so much some days, as I sit and work on useless, uninteresting projects. At least school had useless, interesting projects to work on.

    At any rate, all this mentioning of ISS is making me hungry.