Re: Apache chunk handling vulnerability and Apache 1.3.24-3
On Wed, 2002-06-19 at 06:57, René Seindal wrote:
> If you use 32 bit machines you are 'only' vulnerable to a DoS attack,
> not a real compromise of your servers.
Apache version 1.3.24 is vulnerable. The later version 1.3.26 is a
security fix to this issue and it would seem it shall be available for
download shortly[1].

It would be worth noting that there has been later evidence to show a
remote root exploit using this vulnerability[2] as demonstrated with an
actual exploit against OpenBSD. The source code[3] to the exploit
includes comments that claim successful testing against Linux 2.4, among
others.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=150284&repeatmerged=yes
[2] http://online.securityfocus.com/bid/5033/info/
[3] http://downloads.securityfocus.com/vulnerabilities/exploits/apache-scalp.c

--
.: Paul Hosking . phosking@networkcountermeasures.com
.: InfoSec
.: PGP KeyID: 0x42F93AE9
.: 7B86 4F79 E496 2775 7945 FA81 8D94 196D 42F9 3AE9