Apache security leak: a follow-up

CNET staff
Last week, we noted the advisory regarding a security leak in Apache software that "could allow remote attackers to execute malicious programs on vulnerable servers." Updating to Apache 1.3.26 fixes this. An updated advisory from June 20 adds:

"This follow-up to our earlier advisory is to warn of known-exploitable conditions related to this vulnerability on both 64-bit platforms and 32-bit platforms alike. Though we previously reported that 32-bit platforms were not remotely exploitable, it has since been proven by Gobbles that certain conditions allowing exploitation do exist. The Apache Software Foundation has released versions 1.3.26 and 2.0.39 that address and fix this issue, and all users are urged to upgrade immediately."

Although we admit to still being a bit uncertain, it appears that Mac platforms are vulnerable to this. Several readers have complained that Apple is not staying current with this matter, as its Security Updates page has not been updated to include this information.