This patch should be sufficient to fix the security hole for most versions of Apache httpd 1.2. Should we put it up on dist/httpd?
....Roy
--- apache-1.2/src/http_protocol.c Thu Jan 4 01:21:10 2001 +++ apache-1.2/src/patched_http_protocol.c Thu Jun 20 18:13:04 2002 @@ -1535,6 +1535,10 @@ } len_to_read = get_chunk_size(buffer); + if (len_to_read < 0) { + r->connection->keepalive = -1; + return -1; + } if (len_to_read == 0) { /* Last chunk indicated, get footers */ if (r->read_body == REQUEST_CHUNKED_DECHUNK) {