Memory corruption in Apache 1.3.29: Limited Urchin 5 Exposure


Urchin 5 ships with an embedded Apache webserver that provides access to the web-based Urchin administration and reporting functions. As reported in the following ISS security advisory:

In Apache HTTP Server versions 1.3.29 and earlier running on non-32-bit processor architectures, memory corruption in certain authentication modules could allow a remote attacker to execute arbitrary code on the system. Urchin 5.500 through Urchin 5.600 ship with Apache 1.3.29.

Impact on Urchin Customers

After careful examination of the fix and the threat, Urchin Software Corporation's position on this issue is that:

  1. Urchin 5 runs almost exclusively on 32-bit platforms, with the exception of 64-bit Sun SPARC systems.
  2. Urchin Software Corporation has made updated urchinwebd binaries available on our web site at for those customers who wish to upgrade the binaries in their Urchin 5 distributions. These urchinwebd binaries are based on Apache 1.3.31, which is not vulnerable to this memory corruption problem.
  3. The next release of Urchin 5 will contain urchinwebd binaries that are based on Apache 1.3.31.
