httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Pre-Announcement: Apache 1.3.19-rev1 for OS2/Win32
Date Sat, 12 May 2001 15:33:29 GMT
Folks, this is the announce that will go out today.  If you are an OS2 or Win32 user,
please try replacing your files with these incremental binaries, and/or recompile with
the patch.

Please acknowledge if this works for you, before the general announce goes out.

Details and exploits of the vulnerability will be posted upon release of 1.3.20.

----------

Denial of Service Vulnerability identified in Apache Server 1.3 on Win32 and OS2 platforms

Patch and incremental binaries available for Apache 1.3.19:

    http://www.apache.org/dist/httpd/patches/apply_to_1.3.19/

An exploit was discovered that allows a malicious user to terminate the Apache 
server running on Win32 or OS2. Depending on the specific OS version, the server 
would stop listening to further requests until the administrator cleared the fault.
In all cases the server would not respond until it completed its restart, which 
could take one minute or more depending on the server's configuration. Current 
responses from the server would be terminated.

No other operating systems are affected by the vulnerability. We are not aware 
of any exploits of this vulnerability other than denial of service.

The fixfault_win32_os2-1.3.19.patch file is available from

    http://www.apache.org/dist/httpd/patches/apply_to_1.3.19/

Since many Win32 and OS2 users rely solely on binary releases, the replacement 
for the core binary module file is available in the win32 and os2 folders below. 

    http://www.apache.org/dist/httpd/patches/apply_to_1.3.19/win32/
    http://www.apache.org/dist/httpd/patches/apply_to_1.3.19/os2/

Please read the information on those download pages carefully.

Note that users of non-standard distributions, such as the Apache-EAPI extensions 
or ApacheSSL enabled servers _cannot_ apply this fix.  Refer to the distributor
or vendor of your Apache build directly for updated binaries.  The patch may be
applied to the sources, if available, and the server recompiled.

Users of older versions of Apache on Win32 and OS2 platforms are cautioned to 
upgrade to 1.3.19 and apply this fix. All Win32 and OS2 users are strongly encouraged 
to upgrade to 1.3.20 once it is released.




