A security vulnerability has been found in the Apache Web server that
affects all versions of Apache 1.2 since Apache 1.2.2, all versions of 
Apache 1.3 prior to Apache 1.3.26, and versions of Apache 2.0 prior to
Apache 2.0.39.  The severity of the vulnerability varies with the version
of Apache and the platform used, ranging from a relatively harmless
increase in system resource usage through to denial of service attacks.
In some cases a remote exploit may be possible.

The Apache Software Foundation has released an updated
Official Security Advisory.  The original can be found at
BugTraq.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2002-0392 to this issue.

Our summary of the issue:
- If you are using Apache 1.3 on 32-bit Unix platforms then the effects
of this vulnerability are minor.  A remote attacker can cause the child
process that is processing their request to die.  The Apache parent process
will eventually get around to replacing the child when required.
Update: It has been found that some 32-bit platforms are vulnerable
and can be remotely exploited.
- If you are using Apache 1.3 on 64-bit Unix platforms then the effects
depend on the platform.  It may be possible on some 64-bit platforms
for a remote attacker to remotely exploit the vulnerability and run
arbitrary commands as the Apache user.
- Apache 1.3 on Windows is remotely exploitable.  An attacker can
remotely exploit the vulnerability and run arbitrary commands on the
server.
- Apache 2.0 is not remotely exploitable, but the effects can
range from the minimal child replacement to more severe denial
of service attacks depending on the platform and process model
in use.

All users of Apache are advised to upgrade to either Apache 1.3.26 or
Apache 2.0.39, available from httpd.apache.org.
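
To check an inventory against the affected ranges and per-platform summary above, this added example (not part of the advisory or of Apache) classifies `Server` header values. The hostnames and banners are constructed samples, and the function and status names are the example's own.

```python
import re

# Ranges from the advisory summary: 1.2 since 1.2.2, 1.3 before 1.3.26,
# 2.0 before 2.0.39.
FIRST_AFFECTED_12 = (1, 2, 2)
FIXED_13 = (1, 3, 26)
FIXED_20 = (2, 0, 39)

BANNER = re.compile(
    r"Apache(?:/(\d+)(?:\.(\d+)(?:\.(\d+))?)?)?(?=\s|$)(?:\s+\(([^)]+)\))?")

def classify(banner):
    """Return (status, note) for one Server header value."""
    m = BANNER.match(banner.strip())
    if not m:
        return ("not-apache", "")
    if m.group(3) is None:
        return ("unknown", "full version not in banner; check the host")
    ver = tuple(int(p) for p in m.group(1, 2, 3))
    platform = (m.group(4) or "").lower()
    if ver[:2] == (1, 2):
        affected = ver >= FIRST_AFFECTED_12
        note = "upgrade to 1.3.26 or 2.0.39"
    elif ver[:2] == (1, 3):
        affected = ver < FIXED_13
        note = ("remotely exploitable on Windows" if "win32" in platform
                else "child process dies; some platforms remotely exploitable")
    elif ver[:2] == (2, 0):
        affected = ver < FIXED_20
        note = "effects range up to denial of service"
    else:
        return ("unknown", "release line not covered by this advisory")
    return ("affected", note) if affected else ("not-affected", "")

# Constructed inventory (hostnames and banners are made up for the example).
INVENTORY = {
    "www1.example.org": "Apache/1.3.24 (Unix) mod_ssl/2.8.8 OpenSSL/0.9.6b",
    "www2.example.org": "Apache/1.3.20 (Win32)",
    "www3.example.org": "Apache/2.0.39 (Unix)",
    "www4.example.org": "Apache",
}

def audit(inventory):
    """Return {host: (status, note)} for hosts that need attention."""
    results = {h: classify(b) for h, b in inventory.items()}
    return {h: r for h, r in results.items() if r[0] in ("affected", "unknown")}

if __name__ == "__main__":
    for host, (status, note) in sorted(audit(INVENTORY).items()):
        print(host, status, note)
```

A banner can omit the version or come from a vendor-patched build, so treat the result as a first pass and confirm on the host.
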

The security issue got a fair amount of media coverage, with Apache
Week's own Mark Cox providing a number of quotes (some of which
were reported accurately too!).

Rather than give yet another version of events here in Apache Week,
if you are interested in how the flaw was found and the controversy
over the reporting of the issues, see our favourite write-up,
"Apache admins screwed by premature vuln report"
by Thomas C Greene at The Register.

We also found the following articles:
    
Apache 1.3.26 was released on 18th June 2002 and is
now the latest version of the Apache 1.3 server. The previous
release was 1.3.24, released on the 22nd March 2002.
See what was new in Apache 1.3.24.  Apache 1.3.25 was never
released.

Apache 1.3.26 is available in source form for compiling on
Unix or Windows, for download from the main Apache site
or from any mirror download site.

This is a security, bug fix and minor upgrade release.
Due to security issues, any sites using versions prior to
Apache 1.3.26 should upgrade to Apache 1.3.26.
Read more about the other security issues that affect Apache 1.3.

The main new features in 1.3.26 (compared to 1.3.24) are:
    
    
- Add text/xml, application/xhtml+xml, audio/mpeg, and video/quicktime
mime types to the mime types magic file. PR#7730
- Added a -F flag which causes the supervisor process to
no longer fork down and detach and instead stay attached to
the tty.  This allows integration with daemontools. PR#7628

The following bugs were found in Apache 1.3.24 and have been
fixed in Apache 1.3.26:
    
    
- Allow child processes sufficient time for cleanups by making
ap_select in reclaim_child_processes more "resistant" to
signal interrupts. BZ#8176
- In Darwin, place dynamically loaded
Apache extensions' public symbols into the global symbol
table. This allows dynamically loaded PHP extensions.
- Fix for a problem in mod_rewrite which would lead to 400 Bad Request
responses for rewriting rules which resulted in a local path.
Note: This will also reject invalid requests as issued by
Netscape-4.x Roaming Profiles (on a DAV-enabled server).
- Recognize platform-specific root directories (other than
leading slash) in mod_rewrite for filename rewrite rules. BZ#7492
- Disallow anything but whitespace on the request line after the
HTTP/x.y protocol string to prevent arbitrary user input from
ending up in the access_log and error_log.  Control characters
are now also escaped.
- A large number of fixes in mod_proxy including: adding support
for dechunking chunked responses, correcting a timeout problem
which would force long or slow POST requests to close after 300
seconds (PR#7552), adding "X-Forwarded" headers, dealing correctly with the
multiple-cookie header bug, ability to handle unexpected
100-continue responses sent during PUT or POST commands, and a
change to tighten up the Server header overwrite bug-fix.
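
The request-line fix in the 1.3.26 list above combines two controls: nothing but whitespace may follow the HTTP/x.y string, and control characters are escaped before logging. The following added example illustrates both (it is not Apache's code; the regular expression, the function names, the log layout, the 400 status for rejected lines and the sample request lines are assumptions of the example).

```python
import re

# Illustrative rule: method, URI, HTTP/x.y, then nothing but spaces or tabs.
REQUEST_LINE = re.compile(rb"([A-Z]+) (\S+) (HTTP/\d+\.\d+)[ \t]*")

def parse_request_line(raw):
    """Return (method, uri, protocol) as bytes, or None if the line is rejected."""
    line = raw.rstrip(b"\r\n")
    m = REQUEST_LINE.fullmatch(line)
    return m.groups() if m else None

def escape_for_log(raw):
    """Render bytes for a log line: printable ASCII passes through, backslash
    and double quote are backslash-escaped, everything else becomes \\xHH."""
    out = []
    for b in raw.rstrip(b"\r\n"):
        if b in (0x22, 0x5C):          # double quote, backslash
            out.append("\\" + chr(b))
        elif 0x20 <= b < 0x7F:         # printable ASCII
            out.append(chr(b))
        else:                          # control characters and high bytes
            out.append("\\x%02x" % b)
    return "".join(out)

def log_entry(client, raw):
    """Build an access-log style line; rejected request lines get status 400."""
    status = 200 if parse_request_line(raw) else 400
    return '%s "%s" %d' % (client, escape_for_log(raw), status)

# Constructed sample request lines (not captured traffic).
SAMPLES = [
    b"GET /index.html HTTP/1.0\r\n",            # well formed
    b"GET /index.html HTTP/1.0   \r\n",         # trailing whitespace is allowed
    b'GET / HTTP/1.0" 200 512 "forged\r\n',     # text after the protocol string
    b"GET /\x1b[2J HTTP/1.0\r\n",               # control character in the URI
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(log_entry("192.0.2.10", sample))
```

The third sample shows why both controls matter: the trailing text is rejected, and the quotes it carries are escaped so the logged entry still reads as a single quoted field.
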

Apache 2.0.39 was released on 18th June 2002 and is now
the latest version of the Apache server.  This is the third stable
release of Apache 2.0, following up on 2.0.36 which was released on
8th May 2002.  Read our special feature for more information about
the history of Apache 2.0.

Apache 2.0.39 is available in source form for compiling on Unix or
Windows, for download from the main Apache site or from
any mirror download site.
    
This is a security, bug fix and minor upgrade release.
Due to security issues, any sites using versions of Apache 2
prior to Apache 2.0.39 should upgrade to Apache 2.0.39.
    
The new features in this release (added since 2.0.36) are:
- Integration of apachectl functionality into httpd using the
-k start|restart|graceful|stop option.
- mod_ssl now respects the standard logging directives; the SSLLog and
SSLLogLevel directives have been deprecated.

The bugs fixed in this release include:
- Semaphore permission handling problems which meant that on some
platforms, mod_ssl would stop serving requests after
a period of time. BZ#8124 (The bug also affects
mod_rewrite if RewriteLogLevel
is set above 0).
- Use of random maps with mod_rewrite is now fixed
(BZ#9770).
- Ignore errors from mutexes (using certain mutex types) during a graceful
restart, in the prefork MPM.
- Fix handling of nested if statements in mod_include
(BZ#9866)
- The +OptRenegotiate option has been fixed in mod_ssl
- SSL CONNECT tunnelling has been fixed in
mod_proxy (BZ#8903)
- Using mod_userdir together with ScriptAlias
to enable CGI in home directories is fixed (BZ#8841)
- mod_deflate changes: fix for corrupted output (BZ#9014), and not
compressing already-compressed content (BZ#9222)
- apxs changes: fix warnings from unknown -q options (BZ#9316), use
correct directory locations (BZ#8869, BZ#8453, and more (BZ#9316))

The following platform-specific changes have been made:
- fix 'make install' on ReliantUnix
- for Win32: fix ServerRoot handling,
and many improvements to the mod_isapi module
- fix to not open a window for CGI programs on Win32/Netware
- fix corruption of binary files when using CygWin (BZ#9185)
- an unserialized accept() can be used in AIX 4.3.2 and above