[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Apache Week issue 337



                                APACHE WEEK

The essential weekly guide for users of the world's most popular Web server.
                        Issue 337: 7th November 2003

                                 In this issue

     * Apache httpd 2.0.48 Released
     * Apache httpd 1.3.29 Released

                         Apache httpd 2.0.48 Released

     Apache  httpd  2.0.48 was released on 29^th October 2003 and is now
     the  latest  version  of the httpd 2.0 server. The previous release
     was 2.0.47, released on the 10^th July 2003. [1]See what was new in
     Apache httpd 2.0.47.

     [2]Apache httpd 2.0.48 is available for download.

     This  is  a  security,  bug  fix  and minor upgrade release. Due to
     security  issues,  any  sites using versions of 2.0 prior to Apache
     httpd  2.0.48  should  upgrade to Apache httpd 2.0.48. [3]Read more
     about the other security issues that affect 2.0.

Security issues

     * Fix issues in the mod_cgid module (usually only used with threaded
       MPMs  on  Unix)  which could result in script output being sent to
       the wrong client. The Common Vulnerabilities and Exposures project
       has assigned the name [4]CAN-2003-0789 to this issue.
     * Fix  buffer  overflows in the handling of regular expressions from
       configuration  files in mod_alias and mod_rewrite. To exploit this
       issue  an  attacker  would  need  to  have the ability to write to
       Apache  configuration  files  such  as  .htaccess or httpd.conf. A
       carefully-crafted  configuration  file  can  cause  an exploitable
       buffer  overflow and would allow the attacker to execute arbitrary
       code  in the context of the server. The Common Vulnerabilities and
       Exposures  project  has assigned the name [5]CAN-2003-0542 to this
       issue.

Bugs fixed

     The  following  bugs were found in httpd 2.0.47 and have been fixed
     in httpd 2.0.48:
     * mod_include:   fix   possible   segfault   when  processing  error
       conditions  ([6]BZ#23836); fix three bugs which could cause output
       corruption with some input documents ([7]BZ#21095)
     * mod_rewrite:  fix  log corruption on platforms using flock locking
       (e.g. FreeBSD); fix support for [P] rewrites ([8]BZ#13946)
     * mod_ssl:    fix    support    for    CLIENT_CERT_CHAIN   variables
       ([9]BZ#21371),  fix  possible segfault after renegotiation failure
       ([10]BZ#21370), fix FakeBasicAuth when processing subrequests
     * mod_deflate: fix cases where compressed content could be sent to a
       client which did not request it ([11]BZ#21523); fix compression of
       empty responses; fix unnecessary buffering of compressed responses
     * Fix  handling  of <Foo>...</Foo> containers in configuration files
       ([12]covered previously)
     * Fix  infinite  recursion  if  an  Include  directive is used for a
       directory  containing  a file with a name which contained wildcard
       characters ([13]BZ#22194)
     * mod_cgid:  fix  bug where a script could be terminated prematurely
       after a different request ends
     * mod_cache: fix handling of max-age, smax-age and expires tokens to
       comply  with  RFC  2616;  fix  to  allow  caching response with an
       Expires header but no Etag or Last-Modified ([14]BZ#23130)
     * mod_usertrack:  fix  false  positives in matching cookies used for
       user tracking ([15]BZ#16661)

New features

     * The  mime.types file has been updated to the latest types from the
       IANA and W3c
     * mod_ext_filter exports additional environment variables for use in
       filter programs ([16]BZ#20944)

                         Apache httpd 1.3.29 Released

     Apache  httpd  1.3.29 was released on 29^th October 2003 and is now
     the  latest  version  of  the Apache httpd 1.3 server. The previous
     release  was  1.3.28, released on the 18^th July 2002. [17]See what
     was new in Apache httpd 1.3.28.

     [18]Apache httpd 1.3.29 is available for download

     This  is  a  security,  bug  fix  and minor upgrade release. Due to
     security issues, any sites using versions of Apache httpd 1.3 prior
     to  Apache  httpd  1.3.29  should  upgrade  to Apache httpd 1.3.29.
     [19]Read  more  about  the other security issues that affect Apache
     httpd 1.3.

Security issues

     * Fix  buffer  overflows in the handling of regular expressions from
       configuration  files in mod_alias and mod_rewrite. To exploit this
       issue  an  attacker  would  need  to  have the ability to write to
       Apache  configuration  files  such  as  .htaccess or httpd.conf. A
       carefully-crafted  configuration  file  can  cause  an exploitable
       buffer  overflow and would allow the attacker to execute arbitrary
       code  in the context of the server. The Common Vulnerabilities and
       Exposures  project has assigned the name [20]CAN-2003-0542 to this
       issue.

Bugs fixed

     The following bugs have been fixed in 1.3.29:
     * fix  a  bug  introduced  in 1.3.28 where zombie processes could be
       left when using CGI scripts with suexec
     * fix  a  bug introduced in 1.3.28 where some file descriptors would
       be  closed  twice;  this  could  cause  problems  particularly for
       third-party  modules  which  keep  database  sockets  open  across
       several requests.
     * fix  a  connection  handling problem when a redirect is sent as an
       error document response.
     * mod_proxy: fix support for reverse proxying an FTP site
     * mod_usertrack:  fix  false  positives in matching cookies used for
       user tracking ([21]BZ#16661)
       ______________________________________________________________

     This issue brought to you by: Mark J Cox, Joe Orton
     Comments or criticisms? Please email us at
     [22]editors apacheweek com 

     [23]Apache Week is Copyright 2003 [24]Red Hat, Inc.

References

   1. http://www.apacheweek.com/issues/03-07-11#apache2047
   2. http://httpd.apache.org/download.cgi
   3. http://www.apacheweek.com/features/security-20
   4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789
   5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542
   6. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23836
   7. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21095
   8. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13946
   9. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21371
  10. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21370
  11. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21523
  12. http://www.apacheweek.com/issues/031017#dev
  13. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22194
  14. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23130
  15. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16661
  16. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20944
  17. http://www.apacheweek.com/issues/03-07-25#apache1328
  18. http://httpd.apache.org/download.cgi#apache13
  19. http://www.apacheweek.com/features/security-13
  20. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542
  21. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16661
  22. mailto:editors apacheweek com
  23. http://www.apacheweek.com/
  24. http://www.redhat.com/

----------------------------------------------------------------------
To unsubscribe visit https://www.redhat.com/mailman/listinfo/apacheweek
or send the message   "unsubscribe"  to   apacheweek-request redhat com
----------------------------------------------------------------------




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]