Bug#441845: Subject: apache2: Remote user can crash Apache if reverse proxy is enabled.
Package: apache2
Severity: critical
Justification: root security hole
Tags: security
A security hole has been disclosed on the Apache web site.
http://httpd.apache.org/security/vulnerabilities_22.html
Although it is disclosed as a denial of service, it seems
to involve a buffer overflow, and thus allow remote code
execution under the apache account. I can confirm, from
attacks on systems of a customer, that this is actually the case.
As I have not seen any security upgrade since the 4th of September,
the date of the disclosure, I request that this issue be fixed.
Ramon Garcia
Systems Administrator
ramon.garcia@kotasoft.com
http://www.kotasoft.com
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-vserver-686
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)