OpenSSL is a commercial-grade, full-featured, and Open Source toolkit which
implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols as well as a full-strength general purpose
cryptography library. OpenSSL is commonly used in secure web servers
based on Apache. A security audit of the OpenSSL code sponsored by
DARPA found several buffer overflows which affect versions 0.9.7
and 0.9.6d and earlier. Of the problems found, those that directly affect
Apache users include:
The SSLv3 session ID supplied to a client from a malicious server could
be oversized and overrun a buffer. This issue looks to be remotely
exploitable.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0656 to this issue.
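To make the defect concrete, here is an added example (not OpenSSL's own code) of the kind of bounds checking a client needs on the server-supplied session ID length in an SSLv3 ServerHello; the struct, function names and the constructed test harness are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not OpenSSL's code: length-checked parsing of the SSLv3
 * ServerHello prefix (version, random, session ID). The session_id_length
 * byte comes from the peer, so it is bounded twice before any copy: by the
 * 32-byte protocol maximum and by the bytes actually received. */
#define SSL3_MAX_SESSION_ID_LEN 32
#define SSL3_RANDOM_LEN 32
#define HELLO_FIXED_LEN (2 + SSL3_RANDOM_LEN + 1)

struct server_hello_prefix {
    uint16_t version;
    uint8_t  random[SSL3_RANDOM_LEN];
    uint8_t  session_id[SSL3_MAX_SESSION_ID_LEN];
    size_t   session_id_len;
};

/* Returns bytes consumed, or 0 if the message is malformed. */
size_t parse_server_hello_prefix(const uint8_t *msg, size_t msg_len,
                                 struct server_hello_prefix *out)
{
    if (msg == NULL || out == NULL || msg_len < HELLO_FIXED_LEN)
        return 0;
    out->version = (uint16_t)((msg[0] << 8) | msg[1]);
    memcpy(out->random, msg + 2, SSL3_RANDOM_LEN);
    size_t sid_len = msg[HELLO_FIXED_LEN - 1];
    if (sid_len > SSL3_MAX_SESSION_ID_LEN)          /* protocol bound */
        return 0;
    if (sid_len > msg_len - HELLO_FIXED_LEN)        /* bytes present */
        return 0;
    memcpy(out->session_id, msg + HELLO_FIXED_LEN, sid_len);
    out->session_id_len = sid_len;
    return HELLO_FIXED_LEN + sid_len;
}

/* Constructed harness: the length byte claims `claimed` session-ID bytes while
 * only `actual` follow; returns 1 if the parser accepts the message, else 0. */
int accepts_session_id(uint8_t claimed, uint8_t actual)
{
    uint8_t buf[HELLO_FIXED_LEN + 255];
    struct server_hello_prefix h;
    buf[0] = 0x03; buf[1] = 0x00;                  /* SSLv3 version */
    memset(buf + 2, 0xAB, SSL3_RANDOM_LEN);        /* constructed random */
    buf[HELLO_FIXED_LEN - 1] = claimed;
    memset(buf + HELLO_FIXED_LEN, 0x11, actual);   /* constructed session ID */
    return parse_server_hello_prefix(buf, HELLO_FIXED_LEN + actual, &h) != 0;
}
```

A parser that copies `session_id_length` bytes into a fixed 32-byte buffer without the first check is exactly the pattern a malicious server can trigger.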
Various buffers used for storing ASCII representations of integers were
too small on 64-bit platforms. This issue may be exploitable.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0655 to this issue.
Portions of the SSL protocol data stream which include the lengths of
structures which are being transferred may not be properly validated,
allowing a malicious client to cause an application to
crash or enter an infinite loop.
It has not been verified if this
issue could lead to further consequences such as remote code execution.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0659 to this issue.
Patches for this issue are available
from the OpenSSL site.
The MM library provides an abstraction layer which allows related processes
to share data easily. On systems where shared memory or other
inter-process communication mechanisms are not available, the MM library
emulates them using temporary files. MM is used in several operating
systems to provide shared memory pools to Apache modules.
Versions of MM up to and including 1.1.3 open temporary files in an unsafe
manner, allowing a malicious local user to cause an application which uses
MM to overwrite any file to which it has write access.
Updated versions of MM are now
available from the author.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0658 to this issue.
The subject of LDAP authentication for Apache 2.0 arose this week;
currently, an LDAP module for 2.0 is hosted at apache.org in a
separate CVS repository from Apache 2.0, though this project is
little-known and has never been released as a standalone module. A
proprietary LDAP module has also been developed independently by
Covalent. Opinions were divided on whether to integrate the
apache.org LDAP module into the main 2.0 distribution; the consensus
may be that it is included in the "experimental" directory until it
has matured.
The 2.0.40 release remains "imminent", with some discussion of
whether an undisclosed security flaw in 2.0.39 should accelerate the
schedule; the flaw itself was not made public but was stated to be a
non-serious information leak. An issue delaying a new release
concerns the wrapper in the APR library for the poll()
system call which can currently cause performance problems in some
configurations.
Paul Weinstein finished off his article on the
main news of the O'Reilly Open Source
Conference.
Highlights included Milton Ngan from Weta Digital
talking about how open source tools are used to produce the
special effects for Lord of the Rings. Internally they use Perl and MySQL
as well as Apache and PHP. Read the Apache Week
feature from the conference.
In this section we highlight some of the articles on the web that are of
interest to Apache users.
"Securing Linux 101: Reasonable Steps to Detect and Prevent Blackhats"
takes a look at five anecdotal lessons to supply you
with the know-how to detect intruders and secure your Linux box. It
also lists the sources to get more information about security.
James Goodwill dissects the server.xml file for Tomcat
4.0.4 in this
article
and walks us through its anatomy. After this you will be confident enough
to customise the file to your own requirements.
A
sample chapter
of the "Apache Administrator's Handbook" is now available online. If you
are interested to find out more, why not take a look at
the book's companion website.