> A buffer overrun vulnerability in the Apache HTTP server included
> with many popular Web servers enables an attacker to execute
> code on vulnerable machines.
This is over-simplified... Someone didn't read the bulletin carefully.

http://httpd.apache.org/info/security_bulletin_20020617.txt

The potential for executing arbitrary code is limited to 64-bit Unix and Windows platforms:

"In Apache 1.3 the issue causes a stack overflow. Due to the nature of the overflow on 32-bit Unix platforms this will cause a segmentation violation and the child will terminate. However on 64-bit platforms the overflow can be controlled and so for platforms that store return addresses on the stack it is likely that it is further exploitable. This could allow arbitrary code to be run on the server as the user the Apache children are set to run as. We have been made aware that Apache 1.3 on Windows is exploitable in this way."

Due to the time it takes to replace the terminated process (which varies according to platform), it's still possible to mount a denial-of-service attack on all other versions.

-- 
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org