The Apache Software Foundation has rolled out a patch for versions of its popular Apache HTTP Server to fix a potentially serious security flaw.

The buffer overflow flaw affects Apache httpd versions 1.3.26, 1.3.27, 1.3.28, 1.3.29 and 1.3.31, which were configured to act as proxy servers. Apache httpd 2.0 and other versions of Apache httpd 1.3 are unaffected.

An Apache Week advisory said the buffer overflow can be triggered by getting the mod_proxy feature to connect to a remote server and return an invalid content-length.

The vulnerability is rated "important," but the advisory warned that there is the possibility that it could be exploited to run arbitrary code.

"If you are running an Apache Web server, we'd recommend that you take a look at your configuration files and make sure that you have not inadvertently set up an open proxy. If you do not need your server to act as a proxy server, then make sure that the directive "ProxyRequests On" does not appear in your configuration file," Apache said.

The risk of code execution is high on older OpenBSD/FreeBSD distributions because of the internal implementation of memcpy, which re-reads the length value from the stack. On newer BSD distributions, it may be exploitable because the implementation of memcpy will write three arbitrary bytes to an attacker-controlled location, according to the alert.

Linux and UNIX vendors, including Gentoo Linux, OpenBSD, Debian and Red Hat, have all issued updates to protect against the Apache Server bug.