An exploit was discovered that allows a malicious user to terminate the Apache server running on Win32 or OS2. Depending on the specific OS version, the server would stop listening to further requests until the administrator cleared the fault, but in all cases the server would not respond until it completed its restart, which could take up to one minute. Current responses from the server would be terminated.
The fixfault_win32_os2-1.3.19.patch file is available here. Since many Win32 and OS2 users rely on binary releases, the replacement for the core binary module file is available in the win32 and os2 folders below. Please read the information on those download pages carefully.
Users of older versions of Apache on Win32 and OS2 platforms are cautioned to to upgrade to 1.3.19 and apply this fix. All Win32 and OS2 users are strongly encouraged to upgrade to 1.3.20 once it is released.
No other operating systems are effected by the vulnerability. We are not aware of any exploits of this vulnerability other than denial of service to Win32 and OS2 servers.
Name Last modified Size DescriptionApache/2.4.10 (Unix) OpenSSL/1.0.1i Server at www.apache.org Port 80
Parent Directory - HTTP Server project os2/ 2012-03-03 19:38 - HTTP Server project win32/ 2012-03-03 19:38 - HTTP Server project SECURITY_chunk_size_patch.txt 2009-10-03 22:02 1.3K HTTP Server project fixfault_win32_os2-1.3.19.patch 2009-10-03 22:02 13K Source code patch