tomcat-users mailing list archives

From Chakradhar Tallam <c.tal...@oopl.com.au>
Subject RE: FLAWS FOUND IN APACHE
Date Wed, 19 Jun 2002 05:04:55 GMT

http://www.cert.org/advisories/CA-2002-17.html

-----Original Message-----
From: Vikramjit Singh [mailto:vikramjits@gtllimited.com]
Sent: Wednesday, 19 June 2002 3:09 PM
To: 'Tomcat Users List'
Subject: RE: FLAWS FOUND IN APACHE 


Could you send the link for the article?

Regards,
Vikramjit Singh,
Systems Engineer,
GTL Ltd.
Ph. 7612929-1031


-----Original Message-----
From: Nikola Milutinovic [mailto:Nikola.Milutinovic@ev.co.yu]
Sent: Tuesday, June 18, 2002 10:06 PM
To: Tomcat Users List
Subject: Re: FLAWS FOUND IN APACHE 


> This mail was sent by my boss regarding flaws found in Apache. Could anyone
> throw some light on this?

CERT reported yesterday that all current and recent versions of Apache
using the HTTP/1.1 protocol have a buffer overflow bug. The bug is activated
through a maliciously crafted HTTP/1.1 chunked request.

For versions 1.3.x this bug allows the attacker to execute arbitrary code on
the attacked machine.

For versions 2.0.x this bug will "only" kill the process handling the
request. In a "prefork" model it means one of the worker servers will be
killed and will have to be spawned again. In a "worker", "per-child" and
other multithreaded models it kills the process, not just the handling
thread. This will introduce a (sometimes) long delay in starting up a new
server process with a sufficient number of threads.

For version 2.0 Apache developers say that "the condition causing the
vulnerability is correctly detected and causes the child process to exit."

I will send the full message to the list.

Nix.
