Apache 2.0 r00ted on NetWare, Windows, OS/2
An anonymous reader writes "A flaw in Apache 2.0's interpretation of the backslash delimiter allows for a remote r00ting on NetWare, Windows, and OS/2. InfoWorld has an overview; the attack was discovered by PivX's Auriemma Luigi, and he describes it in this technical document. I don't know whether there is such a thing as an OS/2 shop anymore, and most Microsoft shops probably run IIS, but Apache now ships as the default web server for NetWare 6, so Novell shops: Take note. A patch is available from Apache, and Luigi describes a workaround in his article."
Apache 2.0.40 was released August 9th, fixing the hole. You can read the advisory, but you should have upgraded already. The real news is that many Apache web servers are still unpatched. Won't admins ever learn?