apache -- buffer overflow

ID DSA-525
Type debian
Reporter Debian
Modified 2004-06-24T00:00:00


Georgi Guninski discovered a buffer overflow bug in Apache's mod_proxy module, whereby a remote user could potentially cause arbitrary code to be executed with the privileges of an Apache httpd child process (by default, user www-data). Note that this bug is only exploitable if the mod_proxy module is in use.

Note that this bug exists in a module in the apache-common package, shared by apache, apache-ssl and apache-perl, so this update is sufficient to correct the bug for all three builds of Apache httpd. However, on systems using apache-ssl or apache-perl, httpd will not automatically be restarted.

For the current stable distribution (woody), this problem has been fixed in version 1.3.26-0woody5.

For the unstable distribution (sid), this problem has been fixed in version 1.3.31-2.

We recommend that you update your apache package.