[Info-vax] 'Kill tool' released for unpatched Apache server vulnerability
Craig A. Berry
craigberry at nospam.mac.com
Thu Aug 25 09:49:01 EDT 2011
Craig A. Berry wrote:
>
>
> Neil Rieck wrote:
>> Just cross posting here:
>>
>> 'Kill tool' released for unpatched Apache server vulnerability:
>>
>> http://www.zdnet.com/blog/security/kill-tool-released-for-unpatched-apache-server-vulnerability/9304?tag=nl.e589
>>
>>
>> quote: A patch or new apache release for Apache 2.0 and 2.2 is
>> expected later this week
>>
>> Does anyone know if this affects the OpenVMS flavor of Apache? IIRC,
>> SWS Version 2.2 is based on Apache 2.0.63
>
> It says it requires the use of mod_deflate.

But it doesn't. At least I could easily bring my SWS instance to its
knees even though I don't have mod_deflate enabled. For details see:

<http://labs.hoffmanlabs.com/node/1767>

It may be that my little old XP1000 simply can't handle that many
requests (even valid ones) and it has nothing to do with the range
header vulnerability. Or it may be that mod_deflate doesn't have as much
to do with the vulnerability as the initial analysis indicated. In any
case, folks running Apache should assume they are vulnerable until
proven otherwise, regardless of platform.