Slashdot Mirror


Apache Vulnerability Announced

Aaron writes "Versions of the Apache HTTP Server up to and including 1.3.24 and 2.0 up to and including 2.0.36 contain a bug in the routines which deal with invalid requests which are encoded using chunked encoding. In some cases it may be possible to cause a child process to terminate and restart, which consumes a non-trivial amount of resources. See the official announcement and stay tuned here for updated versions." This is in response to the rather uninformed and questionable security notice by ISS X-Force, about a bug that has already been mentioned on the public mailing lists for Apache and is fixed in CVS for Apache 2.0. I am also told that their patch doesn't fully solve the problem. I am sure though that by awaking us to the problem they will get a lot of great press just like any of the other companies currently using useless bug announcements as press releases.
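The summary only says the bug lives in the routines that handle invalid chunked requests. For readers who want to see what "invalid" means at the wire level, here is an added example (written for this page, not code from the Apache project or from the advisory): a chunked transfer-coding body is a series of `<hex size>[;extension]CRLF <data>CRLF` records ending in a zero-size chunk, and the size line is where a request-body parser has to be careful. `naive_chunk_size()` shows a common weak pattern, reading the size with `strtol()` so that a sign, leading whitespace and arbitrarily large values all get through; it is an illustration of the bug class, not a claim about what Apache's routine looked like. `checked_chunk_size()` and `decode_chunked()` are the hardened form: hex digits only, explicit overflow check, and a `max_chunk` cap (a hypothetical server limit) applied before any byte is copied. The sample bodies in `main()` are constructed, not captured traffic.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Weak pattern: strtol() accepts "-1", "  10" and values far beyond any
 * buffer, so the attacker controls a signed length the caller trusts. */
long naive_chunk_size(const char *line)
{
    return strtol(line, NULL, 16);
}

/* Hardened: returns the chunk size, or -1 if the line is malformed, would
 * overflow size_t, or exceeds max_chunk (a hypothetical per-chunk limit).
 * A valid size line is HEXDIG+ [";" extension] CRLF. */
long checked_chunk_size(const char *line, size_t max_chunk)
{
    size_t value = 0;
    int ndigits = 0;
    const char *p = line;

    while (isxdigit((unsigned char)*p)) {
        unsigned c = (unsigned char)*p;
        unsigned d = isdigit(c) ? c - '0' : (unsigned)(tolower(c) - 'a' + 10);
        if (value > (SIZE_MAX - d) / 16)
            return -1;                 /* value*16 + d would wrap around */
        value = value * 16 + d;
        ndigits++;
        p++;
    }
    if (ndigits == 0)
        return -1;                     /* "", "-1", " 10": no hex digit first */
    if (*p == ';')                     /* chunk extension: skip to the CRLF */
        while (*p && *p != '\r')
            p++;
    if (p[0] != '\r' || p[1] != '\n')
        return -1;                     /* size line must end in CRLF */
    if (value > max_chunk)
        return -1;                     /* more than we are willing to buffer */
    return (long)value;
}

/* Decode a NUL-terminated chunked body into out (trailers not supported).
 * Returns the decoded length, or -1 on any malformed chunk; every copy is
 * bounded by outcap, so a bad size line can only cause a rejection. */
long decode_chunked(const char *body, size_t max_chunk, char *out, size_t outcap)
{
    const char *p = body;
    size_t outlen = 0;

    for (;;) {
        long csz = checked_chunk_size(p, max_chunk);
        if (csz < 0)
            return -1;
        p = strstr(p, "\r\n") + 2;     /* checked_chunk_size guaranteed a CRLF */
        if (csz == 0)                  /* last-chunk: expect the final CRLF */
            return strncmp(p, "\r\n", 2) == 0 ? (long)outlen : -1;
        if (strlen(p) < (size_t)csz + 2)
            return -1;                 /* body shorter than the size claims */
        if (outlen + (size_t)csz > outcap)
            return -1;                 /* refuse rather than overrun out */
        memcpy(out + outlen, p, (size_t)csz);
        outlen += (size_t)csz;
        p += csz;
        if (p[0] != '\r' || p[1] != '\n')
            return -1;                 /* chunk data must be followed by CRLF */
        p += 2;
    }
}

/* Decode body and compare with expected: 1 on match, 0 on mismatch/reject. */
int decode_matches(const char *body, size_t max_chunk, const char *expected)
{
    char out[256];
    long n = decode_chunked(body, max_chunk, out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(out, expected, (size_t)n) == 0;
}

int main(void)
{
    /* Constructed sample bodies, not captured traffic. */
    const char *good = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
    const char *neg  = "-1\r\n";
    const char *big  = "FFFFFFFFFFFFFFFFFFFF\r\n";

    printf("naive   : neg=%ld big=%ld\n", naive_chunk_size(neg), naive_chunk_size(big));
    printf("checked : neg=%ld big=%ld\n",
           checked_chunk_size(neg, 8192), checked_chunk_size(big, 8192));
    printf("decode  : %s\n", decode_matches(good, 8192, "Wikipedia") ? "Wikipedia" : "rejected");
    return 0;
}
```

The point of the split between the two parsers is that the size line is attacker input and is used as a length; any parser that lets a negative or wrapped value reach a copy has turned a syntax error into a memory-safety problem, which is exactly why a bug of this kind in a server ranges from a crashed child process to something worse depending on how the length is used.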

3 of 296 comments

  1. Details of bug by fw3 · · Score: 1, Redundant
    Reportedly (advisory) this is a denial of service on 32-bit unix (linux, bsd), and an exploit on 64-bit unix.

    Regrettable that there's no patch (yet); sites running 64-bit ought to be taking immediate steps to prevent release of data readable by the apache account. I imagine there will be some DoS-ing of the more abundant 32-bit platforms.

    --
    Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
    bsds are of course just BSD
  2. You new around here? by The+Turd+Report · · Score: 1, Redundant

    Every time there is a bug in a MS product the Slashdot janitors fall over themselves to be the first to say: "MS is buggy crap! Yay Linux!" But, when it is an OSS product that has the bug, they are quick to blame the people reporting the bug. Doesn't that strike you as odd?

  3. Re:What happened to disclosure lead times? by Tom7 · · Score: 0, Redundant

    Were you sleeping last night? Last week? Apache wasn't secure then, either. And it probably won't be even after you apply the patch.