A security vulnerability has been found in the Apache Web server that
affects all versions of Apache 1.2 since Apache 1.2.2, all versions of
Apache 1.3 prior to Apache 1.3.26, and versions of Apache 2.0 prior to
Apache 2.0.39. The severity of the vulnerability varies with the Apache
version and the platform in use, ranging from a relatively harmless
increase in system resource consumption through to denial of service
attacks. In some cases a remote exploit may be possible.
The Apache Software Foundation has released an updated
Official Security Advisory. The original can be found at
BugTraq.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2002-0392 to this issue.
Our summary of the issue:
- If you are using Apache 1.3 on 32-bit Unix platforms then the effects
of this vulnerability are minor. A remote attacker can cause the child
process that is processing their request to die. The Apache parent process
will eventually get around to replacing the child when required.
Update: It has been found that some 32-bit platforms are vulnerable
and can be remotely exploited.
- If you are using Apache 1.3 on 64-bit Unix platforms then the effects
depend on the platform. It may be possible on some 64-bit platforms
for a remote attacker to remotely exploit the vulnerability and run
arbitrary commands as the Apache user.
- Apache 1.3 on Windows is remotely exploitable. An attacker can
remotely exploit the vulnerability and run arbitrary commands on the
server.
- Apache 2.0 is not remotely exploitable, but the effects can
range from the minimal child replacement to more severe denial
of service attacks depending on the platform and process model
in use.
All users of Apache are advised to upgrade to either Apache 1.3.26 or
Apache 2.0.39, available from httpd.apache.org.
The security issue got a fair amount of media coverage, with Apache
Week's own Mark Cox providing a number of quotes (some of which
were reported accurately too!).
Rather than give yet another version of events here in Apache Week:
if you are interested in how the flaw was found and the controversy
over the reporting of the issue, see our favourite write-up,
"Apache admins screwed by premature vuln report"
by Thomas C Greene at The Register.
We also found the following articles:
Apache 1.3.26 was released on 18th June 2002 and is
now the latest version of the Apache 1.3 server. The previous
release was 1.3.24, released on the 22nd March 2002.
See
what was new in Apache 1.3.24. Apache 1.3.25 was never
released.
Apache 1.3.26 is available in source form for compiling on
Unix or Windows, for download from the main Apache site
or from any mirror
download site.
This is a security, bug fix and minor upgrade release.
Due to security issues, any sites using versions prior to
Apache 1.3.26 should upgrade to Apache 1.3.26.
Read more
about the other security issues that affect Apache 1.3.
The main new features in 1.3.26 (compared to 1.3.24) are:
- Add text/xml, application/xhtml+xml,
audio/mpeg, and video/quicktime
mime types to the mime types magic file. PR#7730
- Added a -F flag which causes the supervisor process to
no longer fork and detach, but instead stay attached to
the tty. This allows integration with daemontools. PR#7628
The following bugs were found in Apache 1.3.24 and have been
fixed in Apache 1.3.26:
- Allow child processes sufficient time for cleanups by making
ap_select in reclaim_child_processes more "resistant" to
signal interrupts. BZ#8176
- In Darwin, place dynamically loaded
Apache extensions' public symbols into the global symbol
table. This allows dynamically loaded PHP extensions.
- Fix for a problem in mod_rewrite which would lead to 400 Bad Request
responses for rewriting rules which resulted in a local path.
Note: This will also reject invalid requests as issued by
Netscape-4.x Roaming Profiles (on a DAV-enabled server)
- Recognize platform-specific root directories (other than
leading slash) in mod_rewrite for filename rewrite rules.
BZ#7492
- Disallow anything but whitespace on the request line after the
HTTP/x.y protocol string to prevent arbitrary user input from
ending up in the access_log and error_log. Also control characters
are now escaped.
- A large number of fixes in mod_proxy including: adding support
for dechunking chunked responses, correcting a timeout problem
which would force long or slow POST requests to close after 300
seconds PR#7552, adding "X-Forwarded" headers, dealing correctly with the
multiple-cookie header bug, ability to handle unexpected
100-continue responses sent during PUT or POST commands, and a
change to tighten up the Server header overwrite bug-fix.
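The request-line item in the list above (rejecting anything but whitespace after the HTTP/x.y protocol string, and escaping control characters before they reach access_log or error_log) is easier to reason about with a concrete check in front of you. The C code below is an added example written for this article, not Apache's own implementation: request_line_ok and escape_logitem are our names, and the exact escape forms (\n, \xHH and so on) are an assumed convention rather than a quote of Apache's log format.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Apache code: the request-line check and the
 * log-escaping rule from the 1.3.26 change list, under our own names. */

/* Advance past a run of decimal digits. */
static const char *skip_digits(const char *p)
{
    while (isdigit((unsigned char)*p))
        p++;
    return p;
}

/* Return 1 if the request line is acceptable: a " HTTP/" protocol token
 * with a major.minor version, followed by nothing but whitespace.  Any
 * other trailing input is rejected so it can never reach the logs. */
int request_line_ok(const char *line)
{
    const char *p = strstr(line, " HTTP/");
    const char *q;
    if (p == NULL)
        return 0;                       /* no protocol string at all */
    p += strlen(" HTTP/");
    q = skip_digits(p);
    if (q == p || *q != '.')
        return 0;                       /* major version missing or no dot */
    p = skip_digits(q + 1);
    if (p == q + 1)
        return 0;                       /* minor version missing */
    for (; *p != '\0'; p++) {
        if (*p != ' ' && *p != '\t' && *p != '\r' && *p != '\n')
            return 0;                   /* trailing non-whitespace: reject */
    }
    return 1;
}

/* Copy 'in' into 'out' (capacity outsz), escaping bytes that must never be
 * written raw into a log file: backslash and double quote get a backslash,
 * common control characters become \n, \r, \t, and any other byte outside
 * printable ASCII becomes \xHH (assumed convention).  Returns the number
 * of characters written excluding the NUL, or -1 if out is too small. */
int escape_logitem(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return -1;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        char tmp[5];
        const char *rep;
        size_t len;
        switch (c) {
        case '\\': rep = "\\\\"; break;
        case '"':  rep = "\\\""; break;
        case '\n': rep = "\\n";  break;
        case '\r': rep = "\\r";  break;
        case '\t': rep = "\\t";  break;
        default:
            if (c < 0x20 || c >= 0x7f)
                snprintf(tmp, sizeof tmp, "\\x%02x", c);
            else {
                tmp[0] = (char)c;
                tmp[1] = '\0';
            }
            rep = tmp;
        }
        len = strlen(rep);
        if (n + len >= outsz)
            return -1;                  /* keep room for the NUL */
        memcpy(out + n, rep, len);
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* constructed sample request lines */
    const char *lines[] = {
        "GET /index.html HTTP/1.1",
        "GET /index.html HTTP/1.1 trailing-junk",
        "GET /\001bad HTTP/1.1",
    };
    char buf[128];
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        escape_logitem(lines[i], buf, sizeof buf);
        printf("%-7s %s\n", request_line_ok(lines[i]) ? "accept" : "reject", buf);
    }
    return 0;
}
```

The third sample line passes the request-line check (the control character sits inside the URI, not after the protocol string) but is rendered as \x01 in the log output, which is why the two measures are listed together: the first limits what can be sent, the second makes whatever is sent safe to write.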
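The mod_proxy item above mentions dechunking chunked responses. Chunked transfer-coding is also the parsing path behind CVE-2002-0392, where an incorrectly handled chunk size led to the process crashes and possible code execution summarised at the top of this issue, so a decoder is worth seeing with its bounds checks spelled out. The C code below is an added example, not code from Apache or mod_proxy; dechunk, the dechunk_status enum and the MAX_CHUNK_SIZE policy limit are our own names and assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Apache or mod_proxy code: a bounds-checked decoder
 * for HTTP/1.1 chunked transfer-coding. */

enum dechunk_status {
    DECHUNK_OK = 0,        /* complete body decoded */
    DECHUNK_INCOMPLETE,    /* need more input before a decision */
    DECHUNK_BAD_SIZE,      /* chunk-size is not hex, or exceeds the cap */
    DECHUNK_BAD_FRAMING,   /* CRLF missing where the format requires one */
    DECHUNK_TOO_LARGE      /* decoded body would not fit in 'out' */
};

/* Largest single chunk we accept: an assumed policy limit, not a protocol
 * constant.  Keeping it well below SIZE_MAX is what lets the size
 * accumulation below be checked before it can wrap. */
#define MAX_CHUNK_SIZE ((size_t)1 << 24)

/* Decode chunked input in[0..inlen) into out (capacity outsz); *outlen
 * receives the number of body bytes produced.  The chunk-size is never
 * trusted: every hex digit is checked against the cap before it is folded
 * in, so "ffffffffffffffff" is rejected instead of wrapping to a small
 * value and letting the following memcpy run past the buffer. */
enum dechunk_status dechunk(const unsigned char *in, size_t inlen,
                            unsigned char *out, size_t outsz, size_t *outlen)
{
    size_t pos = 0;
    *outlen = 0;
    for (;;) {
        size_t size = 0;
        int ndigits = 0;

        /* chunk-size = 1*HEXDIG [ ";" extension ] CRLF */
        while (pos < inlen && isxdigit(in[pos])) {
            unsigned char c = in[pos];
            unsigned v = (c <= '9') ? c - '0' : (c | 0x20) - 'a' + 10;
            if (size > (MAX_CHUNK_SIZE >> 4))
                return DECHUNK_BAD_SIZE;    /* one more digit would exceed cap */
            size = size * 16 + v;
            ndigits++;
            pos++;
        }
        if (pos >= inlen)
            return DECHUNK_INCOMPLETE;
        if (ndigits == 0 || size > MAX_CHUNK_SIZE)
            return DECHUNK_BAD_SIZE;
        if (in[pos] == ';') {               /* skip a chunk extension */
            while (pos < inlen && in[pos] != '\r')
                pos++;
            if (pos >= inlen)
                return DECHUNK_INCOMPLETE;
        }
        if (pos + 1 >= inlen)
            return DECHUNK_INCOMPLETE;
        if (in[pos] != '\r' || in[pos + 1] != '\n')
            return DECHUNK_BAD_FRAMING;
        pos += 2;

        if (size == 0) {
            /* last-chunk: optional trailer lines, then an empty line */
            for (;;) {
                if (pos + 1 >= inlen)
                    return DECHUNK_INCOMPLETE;
                if (in[pos] == '\r' && in[pos + 1] == '\n')
                    return DECHUNK_OK;
                while (pos < inlen && in[pos] != '\n')
                    pos++;                  /* skip one trailer line */
                if (pos >= inlen)
                    return DECHUNK_INCOMPLETE;
                pos++;
            }
        }

        /* chunk-data: exactly 'size' bytes, then CRLF */
        if (inlen - pos < size)
            return DECHUNK_INCOMPLETE;
        if (outsz - *outlen < size)
            return DECHUNK_TOO_LARGE;
        memcpy(out + *outlen, in + pos, size);
        *outlen += size;
        pos += size;
        if (pos + 1 >= inlen)
            return DECHUNK_INCOMPLETE;
        if (in[pos] != '\r' || in[pos + 1] != '\n')
            return DECHUNK_BAD_FRAMING;
        pos += 2;
    }
}

int main(void)
{
    /* constructed sample: two chunks, a zero chunk, no trailers */
    const unsigned char sample[] = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
    unsigned char body[64];
    size_t n = 0;
    enum dechunk_status st = dechunk(sample, sizeof sample - 1, body, sizeof body, &n);
    printf("status=%d bytes=%zu body=%.*s\n", (int)st, n, (int)n, body);
    return 0;
}
```

Two design points carry the weight here: the size is bounded digit by digit, so the arithmetic can never wrap, and every memcpy is preceded by a check against both the remaining input and the remaining output capacity. A decoder that only checked the final size, or that parsed the size into a signed integer, would fail in exactly the ways that turn a malformed chunk line into a crash.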
Apache 2.0.39 was released on 18th June 2002 and is now
the latest version of the Apache server. This is the third stable
release of Apache 2.0, following up on 2.0.36 which was released on
8th May 2002. Read our special
feature for more information about the history of Apache
2.0.
Apache 2.0.39 is available in source form for compiling on Unix or
Windows, for download from the main Apache site or from
any mirror download
site.
This is a security, bug fix and minor upgrade release.
Due to security issues, any sites using versions of Apache 2
prior to
Apache 2.0.39 should upgrade to Apache 2.0.39.
The new features in this release (added since 2.0.36) are:
- Integration of apachectl functionality into httpd using the
-k start|restart|graceful|stop option.
- mod_ssl now respects the standard logging directives; the SSLLog and
SSLLogLevel directives have been deprecated.
The bugs fixed in this release include:
- Semaphore permission handling problems which meant that on some
platforms, mod_ssl would stop serving requests after
a period of time. BZ#8124 (The bug also affects
mod_rewrite if RewriteLogLevel
is set above 0).
- Use of random maps with mod_rewrite is now fixed
(BZ#9770).
- Ignore errors from mutexes (using certain mutex types) during a graceful
restart, in the prefork MPM.
- Fix handling of nested if statements in mod_include
(BZ#9866)
- The +OptRenegotiate option has been fixed in mod_ssl
- SSL CONNECT tunnelling has been fixed in
mod_proxy (BZ#8903)
- Using mod_userdir together with ScriptAlias
to enable CGI in home directories is fixed (BZ#8841)
- mod_deflate changes: fix for corrupted output (BZ#9014), and not
compressing already-compressed content (BZ#9222).
- apxs changes: fix warnings from unknown -q options (BZ#9316), use
correct directory locations (BZ#8869, BZ#8453, BZ#9316, and more).
The following platform-specific changes have been made:
- fix 'make install' on ReliantUnix
- for Win32: fix ServerRoot handling on Win32,
and many improvements to the mod_isapi module
- fix to not open a window for CGI programs on Win32/Netware
- fix corruption of binary files when using Cygwin (BZ#9185)
- an unserialized accept() can be used in AIX 4.3.2 and above