This week, new security issues have been announced that affect
version 2 of the Apache httpd server.
-
Apache versions 2.0.37 to 2.0.45 have a bug that can
cause Apache to crash. This bug can be triggered remotely through
mod_dav, mod_ssl, and possibly by
other mechanisms. In some circumstances this issue could lead to
remote code execution.
This issue was originally discovered by iDefense who reported
it to the Apache Software Foundation on 9th April 2003.
Investigation by the Apache security team and Joe Orton found that
this was bug that could be triggered by long strings being passed
to the Apache Portable Runtime (APR) apr_pvsprintf()
function. No exploits are known to currently exist for this
issue.
Even though fixes for this issue appeared in the new Apache
2.0.46 release earlier this week, specific details of the
vulnerability were withheld until May 30th.
The Common Vulnerabilities and Exposures project
has assigned the name
CAN-2003-0245
to this issue.
-
Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms are
vulnerable to a denial-of-service attack on the basic
authentication module. A bug in the configuration scripts caused
the apr_password_validate() function to be
thread-unsafe on platforms with crypt_r(), including AIX and Linux.
All versions of Apache 2.0 have this thread-safety problem on
platforms with no crypt_r() and no thread-safe crypt(), such as Mac
OS X and possibly others. When using a threaded MPM (which is not
the default on these platforms), this allows remote attackers to
create a denial of service which causes valid usernames and
passwords for Basic Authentication to fail until Apache is
restarted. This bug does not allow unauthorised
users to gain access to protected resources.
This issue was reported to the Apache Software Foundation by
John Hughes on the 25th April 2003.
The Common Vulnerabilities and Exposures project
has assigned the name
CAN-2003-0189
to this issue.
Apache 2.0.46 was released on 28th May 2003 and is
now the latest version of the Apache 2.0 server. The previous
release was 2.0.45, released on the 2nd April 2003.
See
what was new in Apache 2.0.45.
Apache 2.0.46 is
available for download.
This is a security, bug fix and minor upgrade release.
Due to security issues, any sites using versions prior to
Apache 2.0.46 should upgrade to Apache 2.0.46.
Read more
about the other security issues that affect Apache 2.0.
The following bugs were found in Apache 2.0.45 and have been
fixed in Apache 2.0.46:
-
mod_proxy: don't override the origin
server's Date header in proxied responses; fix a segfault when
multiple ProxyBlock directives are used
(BZ#19023)
-
mod_deflate: several fixes to prevent
attempts to compress content which is already compressed (BZ#19913, BZ#17797)
-
mod_rewrite: fix handling of absolute
URIs and ordering of content type checking (BZ#19626)
-
mod_autoindex: fix for use of wildcard
patterns (BZ#12596); use modern query string
separators (BZ#10880)
- Two fixes for handling of redirects: the source query
string will be appended to the redirect destination when
appropriate (BZ#10961); a redirect to a IPv6 literal
address will now work correctly (BZ#19207)
- Platform-specific changes: fix for a link problem on AIX
when mod_so is used (BZ#19012); the
Nagle algorithm is now disabled correctly on Windows
- Many small fixes for the build system;
binbuild.sh works again (BZ#18649);
libtool 1.5 is supported
- Other changes include fixes for bugs BZ#9427,
BZ#16907, and BZ#17135
In this section we highlight some of the articles on the web
that are of interest to Apache users.
In the
second instalment
of a series of articles about mod_perl 2.0, Geoffrey
Young demonstrates how he uses Apache-Test from the
Perl Framework component of the
Apache HTTP Test Project
to write his own test suite to ensure that his
Apache::Clean module really works. Apart from the
basics, he also shows you how to use the utility functions
provided by the Apache::TestUtil module to
facilitate the process of writing and debugging your tests.
"Towards Next Generation URLs"
looks at the pros and cons of complex, hard-to-read URLs and lists
a few methods to clean up those dirty URLs. The tips include using
mod_rewrite for Apache to rewrite URLs with
long query strings, mod_negotiation to
implement content negotiation, and
mod_speling to correct misspellings of URLs.
PHPBuilder takes a peek at
the new features of PHP 5
despite the fact that it is still in the development stage. It focuses on
three major features, namely object model, exceptions, and
namespaces, but warns that some of these features may change when
PHP 5 is finally released.
"Open Source CMS: Apache Gets Stable"
introduces the 1.0rc1 release of
Apache Lenya,
a Java Open-Source Content Management System based on XML and
XSLT. It requires J2SE, Tomcat, Ant and Cocoon, and offers features
such as revision control, scheduling, a built-in search engine,
separate staging areas, and workflow management.