Another big Apache hole

Linux and Unix suppliers are releasing fixes for a critical bug in the Apache Web server that could allow attackers to crash the...

Linux and Unix vendors are releasing fixes for a critical bug in the Apache web server that could allow attackers to crash the system or execute malicious code.

The bug affects Apache 1.3.x installations configured to act as proxy servers, which relay requests between a web browser and the internet.

When a vulnerable server connects to a malicious site, a specially-crafted packet can be used to exploit the vulnerability, according to security researcher Georgi Guninski, who has publicly released exploit code.

The bug is most serious on BSD installations, where it may allow code execution, while on other platforms the most likely effect is a system crash, researchers said.

Guninski released information about the proxy-server bug earlier this month, and last month discovered a similar vulnerability in an Apache component offering Secure Sockets Layer encryption, but he said the bugs don't reflect on Apache's overall security relative to competitors such as Microsoft's Internet Information Services.

Debian released a patch for the bug on Monday, and Gentoo Linux released its own patch last week. Red Hat, OpenBSD and OpenPKG have also released updates fixing the bug, while Novell's SuSE Linux said it is testing a patch. Researchers said Apple's BSD-based Mac OS X is likely affected, but Apple has not yet released a patch.

"If I were running a BSD system, I would be very careful with this," said Thomas Kristensen, chief technology officer of Secunia, which maintains a database tracking vulnerability advisories.

The proxy bug is the sixth vulnerability in Apache 1.3.x reported this year, according to Secunia.

Matthew Broersma writes for

Read more on Operating systems software