Slashdot Mirror


Apache Vulnerability Announced

Aaron writes "Versions of the Apache HTTP Server up to and including 1.3.24 and 2.0 up to and including 2.0.36 contain a bug in the routines which deal with invalid requests which are encoded using chunked encoding. In some cases it may be possible to cause a child process to terminate and restart, which consumes a non-trivial amount of resources. See the official announcement and stay tuned here for updated versions." This is in response to the rather uninformed and questionable security notice by ISS X-Force, about a bug that has already been mentioned on the public mailing lists for Apache and is fixed in CVS for Apache 2.0. I am also told that their patch doesn't fully solve the problem. I am sure though that by awaking us to the problem they will get a lot of great press just like any of the other companies currently using useless bug announcements as press releases.

7 of 296 comments

  1. Incoming by tiltowait · · Score: 0, Troll

    I can just see the "and what if this was IIS, how would you be commenting with snide remarks" trolls now.

  2. Apache is great! Very useful... by Anonymous Coward · · Score: -1, Troll
    Especially for posting a web site about how much of a fucking ass-nad Brian McFucking Ellenberger is. Make sure you tell his stupid fucking holier than thou ass what you think of horn-swallowers like himself..

    ----
    wTf

  3. Let the spinning begin! by The+Turd+Report · · Score: -1, Troll

    Ok Slashbots. Start spinning this to show how OSS is awesome cause a bug was found. When it is a MS bug, it is the worst bug to ever exist, but when it is an OSS product, it is a trivial issue.

    1. Re:Let the spinning begin! by Anonymous Coward · · Score: -1, Troll

      It's interesting how Slashdot's editorial slant changes when the security news sites aren't posting about a Windows server bug, isn't it?

      All of a sudden, the gloating disappears, and the spin-control begins. It's almost like Slashdot is owned by an open source consulting company... Oh, wait, IT IS. Sorry, never mind.

  4. Don't point the finger at ISS. by dave-fu · · Score: 1, Troll

    What they did (unilaterally going ahead and releasing a bug they discovered) is shady, but you should instead point the finger of blame at the Apache group for distributing a buggy product (IIS had a similar problem with chunking way back when... what's that cliche about forgetting history?) and, if you're the one who's pimping open source as the best thing since sliced bread to anyone who will or won't listen, point the finger right back at yourself for blindly trusting the code you're running.

    --
    Easy does it!
  5. slashdot.org should be renamed spinroom.org by sheldon · · Score: 1, Troll

    The spin from the linux camp on this one has been pretty funny to read. :-)

    How long will it take before this is exploited? Then how many servers will get rooted because they haven't installed a patch?

  6. don't believe the FUD by tps12 · · Score: -1, Troll

    While I'm sure all the Windblowze supporters are crowing about this, I want to make a few points just to put it in perspective.

    First of all, this is the first vulnerability in a long time for Apache; contrast that with the number of holes found in IIS just about every time you turn around. Second, notice how quickly it was found and corrected. That's another thing you won't get from Microsoft. Finally, compare the seriousness of the exploit with the crippling effects of having an MS server attacked.

    If anything, this hole just serves (ha!) as a reminder of how superior Apache and open source are in general. Only a fool would use anything else.

    --

    Karma: Good (despite my invention of the Karma: sig)