"Apache httpd 1.3.37, and 2.0.59 and 2.2.4 with the Prefork MPM module, allows local users to cause a denial of service by modifying the worker_score and process_score arrays to reference an arbitrary process ID, which is sent a SIGUSR1 signal from the master process, "SIGUSR1 killer.""

Fixed upstream by http://svn.apache.org/viewvc?view=rev&rev=547987

Note that you'd need to have given local users the ability to run scripts (such as php, cgi) in order for them to kill arbitrary processes.
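A mitigation pattern for the scoreboard issue described above, as an added example that is not part of the original report and is not the upstream patch's code: the parent keeps a private record of the PIDs it forked and only signals a scoreboard entry that matches it. All names (`score_slot`, `record_fork`, `pid_is_our_child`, `collect_signal_targets`) and the sample PIDs are hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>

#define MAX_CHILDREN 4   /* constructed size for the example */

/* Slot in the shared scoreboard: writable by children, so by scripts run in them. */
struct score_slot { pid_t pid; };

/* Parent-private table of PIDs returned by fork(); never placed in shared memory. */
static pid_t forked[MAX_CHILDREN];

static void record_fork(int slot, pid_t pid) {
    if (slot >= 0 && slot < MAX_CHILDREN) forked[slot] = pid;
}

/* 1 only if the PID claimed by the shared slot is the one the parent forked there. */
static int pid_is_our_child(int slot, pid_t claimed) {
    if (slot < 0 || slot >= MAX_CHILDREN) return 0;
    if (claimed <= 1) return 0;   /* 0 and negatives address groups; 1 is init */
    return forked[slot] == claimed;
}

/* Fill out[] with PIDs that are safe to signal; count mismatched slots in *rejected. */
static int collect_signal_targets(const struct score_slot *sb, pid_t *out, int *rejected) {
    int n = 0;
    *rejected = 0;
    for (int i = 0; i < MAX_CHILDREN; i++) {
        pid_t claimed = sb[i].pid;                      /* read once, validate that copy */
        if (claimed == 0 && forked[i] == 0) continue;   /* unused slot */
        if (pid_is_our_child(i, claimed)) out[n++] = claimed;  /* caller may signal it */
        else (*rejected)++;                             /* log and skip, never signal */
    }
    return n;
}

int main(void) {
    struct score_slot sb[MAX_CHILDREN] = {{1001}, {1002}, {1003}, {0}};  /* constructed */
    pid_t targets[MAX_CHILDREN];
    int rejected;
    for (int i = 0; i < 3; i++) record_fork(i, sb[i].pid);
    sb[1].pid = 4242;   /* slot altered to name a process the parent never forked */
    int n = collect_signal_targets(sb, targets, &rejected);
    printf("signal %d children, rejected %d slot(s)\n", n, rejected);
    return 0;
}
```

A rejected count above zero is worth logging, since a mismatch between the shared slot and the parent's own record means the scoreboard was changed by something other than the parent.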
This issue only affects httpd 2.2.x and httpd 1.3.x, not httpd 2.0.x:
http://marc.info/?l=apache-httpd-dev&m=118252946632447&w=2
This issue was addressed in:

Red Hat Application Stack:
http://rhn.redhat.com/errata/RHSA-2007-0557.html

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2007-0532.html
http://rhn.redhat.com/errata/RHSA-2007-0662.html
http://rhn.redhat.com/errata/RHSA-2007-0556.html

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2007-0704
This issue has been addressed in the following products:

Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html