Urchin 4 ships with an embedded Apache webserver that provides access to the web-based Urchin administration and reporting functions. As reported in the following ISS security advisory:
Impact on Urchin Customers
After careful examination of the fix and the threat, Urchin Software Corporation's position on this issue is that:
- When used in a standard configuration, the Apache shipped with Urchin 4 is not vulnerable because neither mod_alias nor mod_rewrite is configured or used. For an Urchin installation to be vulnerable, explicit, unsupported changes to the webserver configuration would have to be made.
- Urchin Software Corporation has made updated urchinwebd binaries available on our web site at ftp://ftp.urchin.com/pub/support for those customers who wish to upgrade the binaries in their Urchin 4 distributions. These urchinwebd binaries are based on Apache 1.3.29, which is not vulnerable to the buffer overflows.
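
One way to check the first point above on a given installation, as an added example that is not Urchin's own code: scan the webserver configuration text for active mod_alias or mod_rewrite directives and module references. The directive lists follow the Apache 1.3 module documentation; the sample configuration and its paths are constructed.

```python
import re

# Directive names each module provides (per the Apache 1.3 module docs).
DIRECTIVES = {
    "mod_alias": "alias aliasmatch redirect redirectmatch redirecttemp "
                 "redirectpermanent scriptalias scriptaliasmatch",
    "mod_rewrite": "rewriteengine rewriteoptions rewritelog rewriteloglevel "
                   "rewritelock rewritemap rewritebase rewritecond rewriterule",
}
OWNER = {d: mod for mod, names in DIRECTIVES.items() for d in names.split()}
# LoadModule/AddModule arguments naming either module (alias_module, mod_rewrite.c).
MODULE_REF = re.compile(r"\b(?:mod_)?(alias|rewrite)(?:_module|\.c)\b", re.I)

def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        start = start or num
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, " ".join((buf + raw).split())
        buf, start = "", None
    if buf:
        yield start, " ".join(buf.split())  # file ended on a continuation

def find_module_usage(text):
    """Return [(line_number, module, directive)] for each active use."""
    hits = []
    for num, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        name = line.split()[0].lower()  # directive names are case-insensitive
        ref = MODULE_REF.search(line) if name in ("loadmodule", "addmodule") else None
        if ref:
            hits.append((num, "mod_" + ref.group(1).lower(), line))
        elif name in OWNER:
            hits.append((num, OWNER[name], line))
    return hits

# Constructed sample for illustration, not Urchin's shipped configuration.
SAMPLE = """\
ServerRoot /usr/local/urchin
# LoadModule rewrite_module libexec/mod_rewrite.so
AddModule mod_alias.c
ScriptAlias /cgi-bin/ \\
    /usr/local/urchin/cgi-bin/
rewriteengine On
"""
```

An empty result from `find_module_usage` means the scanned text matches the standard configuration described above. Files pulled in through `Include` are not followed and need to be scanned separately.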