Reported June 17, 2002, by CERT.
Apache 2, all versions up to 2.0.36
Apache 1.3, all versions including 1.3.24
Apache 1.2, all versions 1.2.2 and later
A vulnerability in Apache Web servers can lead to arbitrary code execution on the affected system. It stems from a flaw in the handling of certain chunk-encoded HTTP requests and lets a remote attacker execute arbitrary code or cause a denial of service (DoS).
The vendor, Apache, has released a detailed advisory about this vulnerability and recommends that affected users either apply a patch supplied by an OEM or upgrade immediately to a newer version of Apache software available from Apache's Web site.
Discovered by Mark Litchfield of Next Generation Security Software.
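
To find hosts that need the patch or upgrade, the affected-version list above can be matched against the `Server` response headers collected in an inventory. The following is an added example, not code from Apache or CERT. It assumes the bounds "up to 2.0.36" and "including 1.3.24" are inclusive, and the host names and banners in it are constructed sample data.

```python
import re

# Affected branches from this advisory: (major, minor) -> (min patch, max patch).
# Inclusive bounds are an assumption; None means no upper bound within the branch.
AFFECTED = {
    (2, 0): (0, 36),    # "Apache 2, all versions up to 2.0.36"
    (1, 3): (0, 24),    # "Apache 1.3, all versions including 1.3.24"
    (1, 2): (2, None),  # "Apache 1.2, all versions 1.2.2 and later"
}

# Matches "Apache/x.y.z" but not other products such as "Apache-Coyote/1.1".
BANNER_RE = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)")


def parse_banner(server_header):
    """Return (major, minor, patch) from a Server header, or None."""
    match = BANNER_RE.search(server_header or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(server_header):
    """Return 'listed', 'not-listed' or 'unknown' for one Server header.

    'listed' means the banner falls in the advisory's ranges and the host
    needs follow-up: an OEM patch may leave the version string unchanged.
    'unknown' covers missing or version-less banners (for example when
    ServerTokens hides the version); those hosts must be checked directly.
    """
    version = parse_banner(server_header)
    if version is None:
        return "unknown"
    bounds = AFFECTED.get(version[:2])
    if bounds is None:
        return "not-listed"
    low, high = bounds
    in_range = version[2] >= low and (high is None or version[2] <= high)
    return "listed" if in_range else "not-listed"


def triage(inventory):
    """Map host -> classification for (host, Server header) pairs."""
    return {host: classify(header) for host, header in inventory}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("web1.example.test", "Apache/1.3.24 (Unix) mod_ssl/2.8.8 OpenSSL/0.9.6c"),
    ("web2.example.test", "Apache/2.0.39 (Unix)"),
    ("web3.example.test", "Apache"),
    ("app1.example.test", "Apache-Coyote/1.1"),
]
```

A banner match only narrows the search: confirm the installed build or vendor patch level on each "listed" and "unknown" host before closing it out.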