Update: On behalf of the millions of websites left vulnerable courtesy of ISS, Apache is not too happy. ISS (Internet Security Systems) released an insufficient patch along with their advisory to the Apache Web Server. ISS believes that because Apache is open source, the vulnerability need not be reported to the maintainers, only to the public. Apache's official advisory states specifically that the ISS patch does not correct this vulnerability. The CERT advisory describes which platforms this vulnerability affects. ISS insists that this vulnerability is unexploitable. Apache.org's Mark Cox insists that if ISS had contacted Apache prior to making this vulnerability public, they would have been able to gain a better understanding of the problem and realize that their fix was insufficient.

The bug, which is triggered by invalid requests that use chunked transfer encoding, can cause a child process to terminate and then restart. Triggering it uses a trivial amount of resources.
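To show the kind of input the bug concerns from the defender's side, here is a strict chunked-body decoder that rejects malformed chunk-size lines before acting on them. This is example code written for this page, not Apache's code, and it does not reproduce the Apache defect; the 1 MiB per-chunk limit is an assumed policy value.

```c
/* Added example for this page: strict HTTP/1.1 chunked-body decoding.
 * Not Apache code; the chunk-size limit below is an assumed policy value. */
#include <stddef.h>
#include <string.h>
#include <ctype.h>

#define MAX_CHUNK_SIZE (1u << 20)   /* assumed policy limit: 1 MiB per chunk */

/* Parse one chunk-size line such as "1a;ext=val\r\n".
 * Returns the number of bytes consumed, or 0 on any syntax or range error
 * (no hex digits, sign characters, oversize value, missing CRLF). */
static size_t parse_chunk_size(const char *buf, size_t len, size_t *out)
{
    size_t i = 0, val = 0;
    int ndigits = 0;
    while (i < len && isxdigit((unsigned char)buf[i])) {
        unsigned char c = (unsigned char)buf[i];
        size_t d = isdigit(c) ? (size_t)(c - '0') : (size_t)(tolower(c) - 'a' + 10);
        if (val > (MAX_CHUNK_SIZE >> 4))   /* reject before the value can wrap */
            return 0;
        val = (val << 4) | d;
        i++;
        ndigits++;
    }
    if (ndigits == 0 || val > MAX_CHUNK_SIZE)
        return 0;
    while (i < len && buf[i] != '\r')      /* skip chunk extensions up to CR */
        i++;
    if (i + 1 >= len || buf[i + 1] != '\n') /* line must end in CRLF */
        return 0;
    *out = val;
    return i + 2;
}

/* Decode a complete chunked body from src into dst. Returns the decoded
 * length, or -1 when the input is malformed, truncated or too large.
 * Trailer headers after the final "0\r\n" chunk are ignored. */
static long decode_chunked(const char *src, size_t len, char *dst, size_t dstlen)
{
    size_t pos = 0, outlen = 0, csize, n;
    for (;;) {
        n = parse_chunk_size(src + pos, len - pos, &csize);
        if (n == 0)
            return -1;
        pos += n;
        if (csize == 0)
            return (long)outlen;                      /* last chunk */
        if (csize + 2 > len - pos || csize > dstlen - outlen)
            return -1;                                /* truncated or too big */
        memcpy(dst + outlen, src + pos, csize);
        outlen += csize;
        pos += csize;
        if (src[pos] != '\r' || src[pos + 1] != '\n')
            return -1;                                /* chunk data must end in CRLF */
        pos += 2;
    }
}
```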

A Slashdot.org posting asserts that ISS is using this Apache vulnerability as a press release. ISS's rebuttal is available here. There is no doubt that this assertion can be substantiated, but The Register believes that there may be something more to it than that. Has ISS ever tried something of this nature with Microsoft?

The fix is now available here.
Here is the Bugtraq message explaining how to test whether you need the patch.

Threat becomes vulnerability:

Now that the patch has been released and Apache has been updated for all affected OSes, the exploits have been released. Ensure your version has been patched and give the exploits a try. The exploits are available here and here.

Media References:

Washington Post
Problem is, they didn't tell the maker of the software. Then they issued the wrong prescription for fixing the problem...

The Register
On Monday, Internet Security Systems (ISS) posted their discovery to the BugTraq mailing list, without knowing the full extent of the flaw, and without giving Apache.org time to investigate and develop a patch or even propose a workaround. To sugar the pill...

News.com
The warning's release reopened a long-simmering debate over how much time a security researcher should give a software maker to verify and fix vulnerabilities that could affect large numbers of computer users...

ZD Net Tech News
The warning's release reopened a long-simmering debate over how much time a security researcher should give a software maker to verify and fix vulnerabilities that could affect large numbers of computer users...

InfoWorld
More than 63 percent of all Web sites run on an Apache Web server, according to Netcraft Ltd. of Bath, England, which compiles such information. The flaw is similar to...

Version Specific References:

Debian:

https://www.linuxsecurity.com/advisories/debian_advisory-2138.html

EnGarde:

https://www.linuxsecurity.com/advisories/other_advisory-2137.html

IBM AIX:

https://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

Red Hat:

https://www.linuxsecurity.com/advisories/redhat_advisory-2143.html

SuSE:

https://www.linuxsecurity.com/advisories/suse_advisory-2139.html

Slackware:

https://www.linuxsecurity.com/advisories/slackware_advisory-2148.html

Trustix:

https://www.linuxsecurity.com/advisories/other_advisory-2147.html

Conectiva:

https://www.linuxsecurity.com/advisories/other_advisory-2145.html