Posted to users@tomcat.apache.org by Vikramjit Singh <vi...@gtllimited.com> on 2002/06/19 06:50:39 UTC

FW: FLAWS FOUND IN APACHE

Hi everyone,

This mail is sent by my boss regarding flaws found in Apache. Could anyone
throw some light on this?

Regards,
Vikramjit Singh,
Systems Engineer,
GTL Ltd.
Ph. 7612929-1031

>  -----Original Message-----
> From: 	Chandrashekar Rao Kuthyar  
> Sent:	Tuesday, June 18, 2002 9:48 PM
> To:	Ranjith Chakravarthi; Kavita Sharma; Sandeep Pidshetti; Prasanna
> shashikantrao patil; Vikramjit Singh; Ajit Welling
> Subject:	FW: FLAWS FOUND IN APACHE 
> 
> Info . Ps comment if this will affect us
> 
> CS
> 
>  -----Original Message-----
> From: 	Ashok Rumde  
> Sent:	Wednesday, June 19, 2002 9:38 AM
> To:	Chandrashekar Rao Kuthyar; Sunil Waingankar; M R Krishnan; Eulalio
> Fernandes
> Subject:	FLAWS FOUND IN APACHE 
> 
> 
> Following is for your information please 
> 
> Rumde 
> 
> --------------------------------------------------------------------------
> -------------------------------------------------------------------
> 
> DOS, BUFFER-OVERFLOW FLAWS FOUND IN APACHE | News: SearchSecurity
> Dangerous denial-of-service and stack buffer-overflow vulnerabilities
> have been found in the popular open-source Apache Web server. To
> complicate matters, the Apache Foundation is at odds with Internet
> Security Systems' decision to issue an advisory and a patch before
> the foundation had a chance to respond. 



Re: FLAWS FOUND IN APACHE

Posted by Nikola Milutinovic <Ni...@ev.co.yu>.
> This mail is sent by my boss regarding flaws found in Apache. Could anyone
> throw some light on this?

CERT reported yesterday that all current and recent versions of Apache using the HTTP/1.1 protocol have a buffer overflow bug. The bug is activated through a maliciously crafted HTTP/1.1 chunked request.

For versions 1.3.x this bug allows the attacker to execute arbitrary code on the attacked machine.

For versions 2.0.x this bug will "only" kill the process handling the request. In a "prefork" model it means one of the worker servers will be killed and will have to be spawned again. In "worker", "per-child" and other multithreaded models it kills the process, not just the handling thread. This will introduce a (sometimes) long delay in starting up a new server process with a sufficient number of threads.

For version 2.0 Apache developers say that "the condition causing the vulnerability is correctly detected and causes the child process to exit."

I will send the full message to the list.

Nix.
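
The reply above names a crafted HTTP/1.1 chunked request as the trigger. As an added example (not part of this thread and not Apache's code), here is a strict parser for the chunk-size line that bounds the declared size before it can be used as a length. The function name, status codes and the 1 MiB limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed policy limit for this example; not an Apache setting. */
#define MAX_CHUNK_SIZE ((uint64_t)1 << 20)

enum chunk_status { CHUNK_OK = 0, CHUNK_MALFORMED = -1, CHUNK_TOO_LARGE = -2 };

/* Parse one complete chunk-size line: "1a3\r\n" or "1a3;ext=v\r\n".
 * On CHUNK_OK, *size holds the declared chunk length and *consumed the
 * number of bytes up to and including the CRLF. The outputs are left
 * untouched on any error, so a caller cannot act on a rejected size. */
enum chunk_status parse_chunk_size(const char *line, size_t len,
                                   uint64_t *size, size_t *consumed)
{
    uint64_t value = 0;
    size_t i = 0, digits = 0;

    for (; i < len; i++, digits++) {
        unsigned char c = (unsigned char)line[i];
        unsigned d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10u;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10u;
        else break;
        /* Bound the value before shifting: it can never wrap around and
         * never reaches a range that a signed length would read as
         * negative. */
        if (value > (MAX_CHUNK_SIZE >> 4)) return CHUNK_TOO_LARGE;
        value = (value << 4) | d;
        if (value > MAX_CHUNK_SIZE) return CHUNK_TOO_LARGE;
    }
    if (digits == 0) return CHUNK_MALFORMED;   /* e.g. "-1" or an empty line */

    if (i < len && line[i] == ';') {           /* skip chunk extensions */
        while (i < len && line[i] != '\r' && line[i] != '\n') i++;
    }
    /* Require an exact CRLF terminator; a bare LF or a missing
     * terminator is rejected. */
    if (i + 1 >= len || line[i] != '\r' || line[i + 1] != '\n')
        return CHUNK_MALFORMED;

    *size = value;
    *consumed = i + 2;
    return CHUNK_OK;
}
```

A caller would copy at most `*size` bytes into a buffer it has already checked against the same limit, and close the connection on any status other than `CHUNK_OK`.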