From: Devrim GUNDUZ (devrim@oper.metu.edu.tr)
Date: Wed 19 Jun 2002 - 10:45:07 EEST
Hello,
From the Apache website:
SECURITY ADVISORY
Versions of the Apache web server up to and including 1.3.24 and 2.0 up
to and including 2.0.36 contain a bug in the routines which deal with
invalid requests which are encoded using chunked encoding. This bug can
be triggered remotely by sending a carefully crafted invalid request.
This functionality is enabled by default.
In most cases the outcome of the invalid request is that the child
process dealing with the request will terminate. At the least, this
could help a remote attacker launch a denial of service attack as the
parent process will eventually have to replace the terminated child
process, and starting new children uses non-trivial amounts of resources.
We were also notified today by ISS that they had published the same
issue which has forced the early release of this advisory. Please note
that the patch provided by ISS does not correct this vulnerability.
The Apache Software Foundation has released versions 1.3.26 and 2.0.39
to address and fix this issue. These versions are available for download;
see below.
Best regards.
--
Devrim GUNDUZ
devrim@oper.metu.edu.tr devrim.gunduz@linux.org.tr
Web : http://devrim.oper.metu.edu.tr
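
Added example (not part of the advisory or of the original message): a patch-triage helper that sorts `Server` banners against the version ranges stated in the advisory. The inventory, host names and result labels are constructed for illustration; a banner shows only the advertised version, so builds with vendor-backported fixes or hidden version strings need a manual check.

```python
import re

# Matches the product token Apache puts in its Server header, e.g. "Apache/1.3.24 (Unix)".
BANNER_RE = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)")


def classify(banner):
    """Classify one Server banner using only the ranges the advisory states."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown"          # no version advertised, or not Apache
    v = tuple(int(p) for p in m.groups())
    if v < (2, 0, 0):             # "up to and including 1.3.24"
        last_affected, fixed = (1, 3, 24), (1, 3, 26)
    elif v < (2, 1, 0):           # "2.0 up to and including 2.0.36"
        last_affected, fixed = (2, 0, 36), (2, 0, 39)
    else:
        return "not-covered"      # release lines the advisory does not mention
    if v <= last_affected:
        return "affected"
    if v >= fixed:
        return "fixed"
    return "unspecified"          # between last affected and first fixed release


def hosts_to_review(inventory):
    """Return hosts whose banner is not clearly fixed, with the reason."""
    return {host: state
            for host, banner in inventory.items()
            if (state := classify(banner)) not in ("fixed", "not-covered")}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and banners).
    sample = {
        "www.example.test": "Apache/1.3.24 (Unix) mod_ssl/2.8.8",
        "intra.example.test": "Apache/2.0.39 (Unix)",
        "old.example.test": "Apache/1.2.6",
        "beta.example.test": "Apache/2.0.37",
        "proxy.example.test": "Apache",
    }
    for host, state in sorted(hosts_to_review(sample).items()):
        print(f"{host}: {state}")
```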