The fix, for the Apache httpd server, comes five days after the ASF announced the existence of the bug and acknowledged the existence of a remote attack tool in the wild.
The ASF said it would issue a full fix in 48 hours. It was upstaged by the security team at the Debian GNU/Linux project which issued a fix for its users yesterday Australian time.
The bug meant that if a web server running Apache is sent a large number of requests for overlapping byte regions of a single file download, that server would run out of memory and be rendered unable to do its job.
Apache is by far the most widely used web server software, running nearly two-thirds of websites at last count.