Thread View: gmane.comp.apache.apacheweek
Apache Week issue 324
Author: Apache Week
Date: Fri, 04 Apr 2003 17:06
APACHE WEEK
The essential weekly guide for users of the world's most popular Web server.

Issue 324: 4th April 2003

In this issue
 * Security Reports
 * In the news
 * Apache 2.0.45 Released

Security Reports

This week a number of security issues have been announced that affect versions of the Apache httpd server.

 * Apache versions before Apache 2.0.45 have a significant Denial of Service vulnerability. This issue only affects versions of Apache 2.0. Even though fixes for this issue appear in the new Apache 2.0.45 release, specific details of this vulnerability are being withheld until April 8th. The Common Vulnerabilities and Exposures project has assigned the name [1]CAN-2003-0132 to this issue.

 * Apache on OS/2 up to and including Apache 2.0.45 has a Denial of Service vulnerability. Full details have not yet been released, but it is likely that any OS/2 binaries released for Apache 2.0.45 will already contain the fix. The Common Vulnerabilities and Exposures project has assigned the name [2]CAN-2003-0134 to this issue.

[3]A report sent to the Bugtraq mailing list last month found a number of issues where terminal emulator software can be abused when untrusted data is displayed. One source of untrusted data is log files, and although certain versions of Apache 1.3 filter escape sequences from access log files, no filtering is done on error log files or Apache 2.0 access log files:

 * Apache 1.3 up to and including 1.3.25 and Apache 2.0 up to and including 2.0.45 do not filter terminal escape sequences from access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. The Common Vulnerabilities and Exposures project has assigned the name [4]CAN-2003-0083 to this issue.
 * Apache 1.3 and Apache 2.0 (all versions to date) do not filter terminal escape sequences from error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. The Common Vulnerabilities and Exposures project has assigned the name [5]CAN-2003-0020 to this issue.

In the news

A number of news sources report that Oracle's Ellison [6]anticipates the death of Windows. Larry Ellison, head of Oracle, asserted that Microsoft had already had its web server "killed" by Apache. He said Microsoft's Web server offering had been "slaughtered, wiped out, taken from market dominance to irrelevance". This history of the events is a little inaccurate however, as the Apache Web server was first announced in February 1995, a year before Microsoft IIS 1.0 [7]was even released. The Apache web server has always been dominant, having a higher market share than IIS according to surveys such as the monthly [8]Netcraft report.

Apache 2.0.45 Released

Apache 2.0.45 was released on 2nd April 2003 and is now the latest version of the Apache 2.0 server. The previous release was 2.0.44, released on the 21st January 2003. [9]See what was new in Apache 2.0.44.

[10]Apache 2.0.45 is available for download. This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions prior to Apache 2.0.45 should upgrade to Apache 2.0.45. [11]Read more about the other security issues that affect Apache 2.0.

Security issues

 * Apache 2.0 versions before Apache 2.0.45 have a significant Denial of Service vulnerability. The specific details of this vulnerability are being withheld until April 8th. The Common Vulnerabilities and Exposures project has assigned the name [12]CAN-2003-0132 to this issue.
 * Apache 2.0 versions between 2.0.21 and 2.0.44 inclusive leak some file descriptors to child processes such as CGI scripts, which can allow the CGI script greater control over the server than is necessary. [13]BZ#17206

Bugs fixed

The following bugs were found in Apache 2.0.44 and have been fixed in Apache 2.0.45:

 * mod_rewrite: several fixes for path handling, especially on non-Unix platforms ([14]BZ#12902); prevent infinite loops in internal redirects ([15]BZ#17462); prevent mod_proxy from escaping URLs proxied by a rewrite rule
 * mod_file_cache: several segfault fixes ([16]BZ#16313)
 * Several fixes for mod_ldap's result caching support ([17]BZ#12757); also added support for character set conversion to mod_auth_ldap
 * Fixes for potential memory leaks and filtering problems in mod_deflate ([18]BZ#16046, [19]BZ#16134, [20]BZ#14451)
 * mod_ssl: fix SSLMutex to allow selecting lock type ([21]BZ#8122); fixes for 64-bit platforms; fix the SSLCertificateChain directive to not skip the first certificate ([22]BZ#14560)
 * Win32 specific: avoid consuming CPU cycles under load; fixed piped access log
 * apachectl fixes for use of ulimit on Tru64 and AIX
 * Several fixes to handle misconfigurations more robustly ([23]BZ#17093, [24]BZ#9076)
 * A fix for mod_auth_digest, which could produce incorrect authentication challenges on non-Unix platforms if an AuthDigestDomain directive was not used ([25]BZ#16937)

New features

 * An RPM .spec file is now included
 * mod_deflate supports configurable compression level, and accurate logging of input and output bytes
 * The CGI modules will now log diagnostic information for common errors encountered when executing scripts (such as a permissions problem)

______________________________________________________________

This issue brought to you by: Mark J Cox, Joe Orton

Comments or criticisms? Please email us at [26]editors@apacheweek.com.

[27]Apache Week is Copyright 2003 [28]Red Hat, Inc.
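The access-log and error-log issues reported above (CAN-2003-0083 and CAN-2003-0020) come down to raw control characters reaching a terminal when an administrator views a log. The following is an added example, not code from Apache or Apache Week, of a small log viewer that flags such lines and escapes them before display, in the spirit of the access-log escaping that Apache 1.3 applies. The two log lines are constructed for the example.

```python
import re
import sys

# Constructed sample access-log lines (not from the newsletter). The second line
# carries an OSC title-set sequence and a clear-screen sequence inside the
# User-Agent field: untrusted request data that the affected versions write to
# the log unfiltered.
SAMPLE_LINES = [
    '192.0.2.10 - - [04/Apr/2003:17:06:00 +0100] "GET / HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [04/Apr/2003:17:06:05 +0100] "GET /x HTTP/1.0" 404 210 "-" '
    '"Mozilla/4.0 \x1b]0;title\x07\x1b[2J"',
]

# C0 controls other than tab, DEL and the C1 range: a terminal interprets these
# rather than printing them, so none of them belong in a log field.
CONTROL_RE = re.compile(r'[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]')
ESCAPES = {'\\': '\\\\', '\n': '\\n', '\r': '\\r', '\t': '\\t'}

def contains_control_chars(line):
    """True if the line holds characters a terminal would act on instead of printing."""
    return CONTROL_RE.search(line) is not None

def escape_logitem(text):
    """Render a log field so that catting it to a terminal cannot trigger escape handling.

    Backslash and the common whitespace controls get C-style escapes; every other
    character outside printable ASCII is written as \\xHH of its UTF-8 bytes, so the
    output is pure printable ASCII and reversible by eye.
    """
    out = []
    for ch in text:
        if ch in ESCAPES:
            out.append(ESCAPES[ch])
        elif 0x20 <= ord(ch) <= 0x7e:
            out.append(ch)
        else:
            out.extend('\\x%02x' % b for b in ch.encode('utf-8', 'surrogateescape'))
    return ''.join(out)

def sanitize_log(lines):
    """Return (safe_line, flagged) pairs; flagged marks lines that carried control chars."""
    return [(escape_logitem(line.rstrip('\n')), contains_control_chars(line)) for line in lines]

if __name__ == '__main__':
    # Filter a real log piped on stdin, otherwise show the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for safe, flagged in sanitize_log(source):
        print(('!! ' if flagged else '   ') + safe)
```

Flagged lines are worth alerting on in their own right: a request whose fields contain escape sequences is itself a signal, independent of which terminal emulator later renders the log.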
References

 1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
 2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0134
 3. http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&q=raw
 4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0083
 5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
 6. http://www.theinquirer.net/?article=8676
 7. http://windows.about.com/library/history/blhistory1996.htm
 8. http://www.netcraft.co.uk/
 9. http://www.apacheweek.com/features/apache2044
10. http://httpd.apache.org/download.cgi
11. http://www.apacheweek.com/features/security-20
12. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
13. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17206
14. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12902
15. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17462
16. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16313
17. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12757
18. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16046
19. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16134
20. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14451
21. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8122
22. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14560
23. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17093
24. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9076
25. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16937
26. mailto:editors@apacheweek.com
27. http://www.apacheweek.com/
28. http://www.redhat.com/