Subject: Re: www/apache*
To: Ignatios Souvatzis <>
From: None <>
List: tech-pkg
Date: 06/18/2002 22:15:49
>> 	beware - www/apache* ARE NOT SECURE YET.  we are still awaiting for
>> to issue a new release.
>doesn't the bad part (> denial-of-service) only apply to 64 bit architectures?

	from CERT advisory, i'm not sure. (it doesn't say that 32bit arch
	are safe)


II. Impact

   For  Apache  versions 1.3 through 1.3.24 inclusive, this vulnerability
   may allow the execution of arbitrary code by remote attackers. Several
   sources have reported that this vulnerability can be used by intruders
   to  execute  arbitrary  code  on  Windows platforms. Additionally, the
   Apache  Software  Foundation  has  reported  that a similar attack may
   allow the execution of arbitrary code on 64-bit UNIX systems.

   For  Apache  versions  2.0  through  2.0.36  inclusive,  the condition
   causing  the  vulnerability is correctly detected and causes the child
   process  to  exit.  Depending  on  a variety of factors, including the
   threading model supported by the vulnerable system, this may lead to a
   denial-of-service attack against the Apache web server.