Apache Week issue 329
Author: Apache Week
Date: Fri, 30 May 2003 22:55
                                APACHE WEEK

The essential weekly guide for users of the world's most popular Web server.
                          Issue 329: 30th May 2003

                                 In this issue

     * Security Reports
     * Apache 2.0.46 Released
     * Featured articles

                               Security Reports

     This  week,  new  security  issues  have been announced that affect
     version 2 of the Apache httpd server.
     * Apache  versions 2.0.37 to 2.0.45 have a bug that can cause Apache
       to  crash.  This  bug  can  be triggered remotely through mod_dav,
       mod_ssl,  and  possibly by other mechanisms. In some circumstances
       this issue could lead to remote code execution.
       This  issue  was originally discovered by iDefense who reported it
       to the Apache Software Foundation on 9th April 2003. Investigation
       by the Apache security team and Joe Orton found that this was a bug
       that could be triggered by long strings being passed to the Apache
       Portable  Runtime  (APR) apr_pvsprintf() function. No exploits are
       known to currently exist for this issue.
       Even though fixes for this issue appeared in the new Apache 2.0.46
       release  earlier  this week, specific details of the vulnerability
       were  withheld  until  May  30th.  The  Common Vulnerabilities and
       Exposures  project  has assigned the name [1]CAN-2003-0245 to this
       issue.
     * Apache  2.0  versions  2.0.40 through 2.0.45 on Unix platforms are
       vulnerable   to   a   denial-of-service   attack   on   the  basic
       authentication  module.  A bug in the configuration scripts caused
       the   apr_password_validate()  function  to  be  thread-unsafe  on
       platforms with crypt_r(), including AIX and Linux. All versions of
       Apache  2.0  have  this thread-safety problem on platforms with no
       crypt_r()  and  no  thread-safe  crypt(),  such  as  Mac  OS X and
       possibly  others.  When  using  a  threaded  MPM (which is not the
       default  on  these  platforms),  this  allows  remote attackers to
       create  a  denial  of  service  which  causes  valid usernames and
       passwords  for  Basic  Authentication  to  fail  until  Apache  is
       restarted.  This  bug  does  not  allow unauthorised users to gain
       access to protected resources.
       This  issue was reported to the Apache Software Foundation by John
       Hughes  on  the  25th  April  2003. The Common Vulnerabilities and
       Exposures  project  has assigned the name [2]CAN-2003-0189 to this
       issue.
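
     As an added illustration (constructed here, not code from Apache Week,
     APR or httpd), the following C example shows why a crypt() that hands
     every caller a pointer to one static buffer breaks password checks under
     a threaded MPM, while a crypt_r()-style interface with a caller-supplied
     buffer does not. The toy digest, user names and passwords are made up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy digest (FNV-1a over salt, then password). It stands in
 * for crypt() only to show the buffer-ownership problem, not as a hash. */
static uint64_t toy_hash(const char *pw, const char *salt)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *salt; salt++) h = (h ^ (unsigned char)*salt) * 1099511628211ULL;
    for (; *pw; pw++)     h = (h ^ (unsigned char)*pw) * 1099511628211ULL;
    return h;
}

/* Like crypt(): the result lives in one static buffer shared by all callers. */
static const char *toy_crypt(const char *pw, const char *salt)
{
    static char out[17];
    snprintf(out, sizeof out, "%016llx", (unsigned long long)toy_hash(pw, salt));
    return out;
}

/* Like crypt_r(): the caller owns the output buffer, so concurrent callers
 * cannot clobber each other's result. */
static const char *toy_crypt_r(const char *pw, const char *salt, char *out, size_t n)
{
    snprintf(out, n, "%016llx", (unsigned long long)toy_hash(pw, salt));
    return out;
}

/* Two worker threads of a threaded MPM checking Basic Auth at once, modelled
 * as a fixed interleaving: A hashes, B's call lands before A's compare. */
int validate_static_interleaved(void)
{
    char stored[17];
    toy_crypt_r("alice-pw", "s1", stored, sizeof stored);  /* htpasswd entry */
    const char *h = toy_crypt("alice-pw", "s1");            /* thread A */
    toy_crypt("bob-pw", "s2");                               /* thread B overwrites */
    return strcmp(h, stored) == 0;                          /* 0: valid login rejected */
}

int validate_reentrant_interleaved(void)
{
    char stored[17], a[17], b[17];
    toy_crypt_r("alice-pw", "s1", stored, sizeof stored);
    const char *h = toy_crypt_r("alice-pw", "s1", a, sizeof a);
    toy_crypt_r("bob-pw", "s2", b, sizeof b);
    return strcmp(h, stored) == 0;                          /* 1: still accepted */
}
```

     The static variant rejects a correct password as soon as another
     thread's call interleaves, which is exactly the "valid credentials
     fail until restart" symptom described above.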

                            Apache 2.0.46 Released

     Apache 2.0.46 was released on 28th May 2003 and is now the latest
     version of the Apache 2.0 server. The previous release was 2.0.45,
     released on the 2nd April 2003. [3]See what was new in Apache
     2.0.45.

     [4]Apache 2.0.46 is available for download.

     This  is  a  security,  bug  fix  and minor upgrade release. Due to
     security  issues,  any  sites using versions prior to Apache 2.0.46
     should  upgrade  to  Apache  2.0.46.  [5]Read  more about the other
     security issues that affect Apache 2.0.

Security issues

     * Apache  can  be caused to crash in certain circumstances. This can
       be triggered remotely through mod_dav, mod_ssl, and possibly other
       mechanisms  and  could  lead  to remote code execution. The Common
       Vulnerabilities  and  Exposures  project  has  assigned  the  name
       [6]CAN-2003-0245 to this issue.
     * A  build  system  problem  in  Apache 2.0.40 through 2.0.45 allows
       remote  attackers  to  cause  a  denial of access to authenticated
       content when a threaded server is used. The Common Vulnerabilities
       and  Exposures  project  has assigned the name [7]CAN-2003-0189 to
       this issue.
     * Apache  on  OS/2  before  Apache  2.0.46  has  a Denial of Service
       vulnerability  relating  to  reserved  device  names.  The  Common
       Vulnerabilities  and  Exposures  project  has  assigned  the  name
       [8]CAN-2003-0134 to this issue.

Bugs fixed

     The  following bugs were found in Apache 2.0.45 and have been fixed
     in Apache 2.0.46:
     * mod_proxy:  don't  override  the  origin  server's  Date header in
       proxied   responses;  fix  a  segfault  when  multiple  ProxyBlock
       directives are used ([9]BZ#19023)
     * mod_deflate: several fixes to prevent attempts to compress content
       which is already compressed ([10]BZ#19913, [11]BZ#17797)
     * mod_rewrite: fix handling of absolute URIs and ordering of content
       type checking ([12]BZ#19626)
     * mod_autoindex:  fix  for  use of wildcard patterns ([13]BZ#12596);
       use modern query string separators ([14]BZ#10880)
     * Two  fixes for handling of redirects: the source query string will
       be   appended   to   the  redirect  destination  when  appropriate
       ([15]BZ#10961); a redirect to an IPv6 literal address will now work
       correctly ([16]BZ#19207)
     * Platform-specific  changes:  fix  for  a  link problem on AIX when
       mod_so is used ([17]BZ#19012); the Nagle algorithm is now disabled
       correctly on Windows
     * Many  small  fixes  for  the build system; binbuild.sh works again
       ([18]BZ#18649); libtool 1.5 is supported
     * Other  changes  include  fixes for bugs [19]BZ#9427, [20]BZ#16907,
       and [21]BZ#17135

New features

     * Add  a  new  directive,  AllowEncodedSlashes, to allow use of URIs
       which  contain encoded slash characters: see [22]previous coverage
       of this feature
     * Enable core dumps on Linux 2.4 platforms when Apache is started as
       root and CoreDumpDirectory is used: see [23]previous discussion of
       this issue
     * Allow logging thread ID as well as process ID from mod_log_config

                               Featured articles

     In  this  section we highlight some of the articles on the web that
     are of interest to Apache users.

     In the [24]second instalment of a series of articles about mod_perl
     2.0,  Geoffrey  Young demonstrates how he uses Apache-Test from the
     Perl  Framework  component  of  the [25]Apache HTTP Test Project to
     write  his  own  test suite to ensure that his Apache::Clean module
     really  works.  Apart from the basics, he also shows you how to use
     the  utility  functions  provided by the Apache::TestUtil module to
     facilitate the process of writing and debugging your tests.

     [26]"Towards  Next  Generation  URLs" looks at the pros and cons of
     complex,  hard-to-read  URLs  and  lists  a few methods to clean up
     those  dirty URLs. The tips include using mod_rewrite for Apache to
     rewrite  URLs with long query strings, mod_negotiation to implement
     content  negotiation,  and  mod_speling  to correct misspellings of
     URLs.

     PHPBuilder  takes  a  peek at [27]the new features of PHP 5 despite
     the  fact  that it is still in the development stage. It focuses on
     three   major   features,  namely  object  model,  exceptions,  and
     namespaces,  but  warns that some of these features may change when
     PHP 5 is finally released.

     [28]"Open  Source  CMS:  Apache  Gets Stable" introduces the 1.0rc1
     release  of [29]Apache Lenya, a Java Open-Source Content Management
     System  based  on  XML  and XSLT. It requires J2SE, Tomcat, Ant and
     Cocoon, and offers features such as revision control, scheduling, a
     built-in  search  engine,  separate  staging  areas,  and  workflow
     management.
       ______________________________________________________________

     This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan
     Comments or criticisms? Please email us at
     [30]editors@apacheweek.com.

     [31]Apache Week is Copyright 2003 [32]Red Hat, Inc.

References

   1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245
   2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189
   3. http://www.apacheweek.com/features/apache2045
   4. http://httpd.apache.org/download.cgi
   5. http://www.apacheweek.com/features/security-20
   6. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245
   7. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189
   8. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0134
   9. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19023
  10. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19913
  11. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17797
  12. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19626
  13. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12596
  14. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10880
  15. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10961
  16. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19207
  17. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19012
  18. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18649
  19. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9427
  20. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16907
  21. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17135
  22. http://www.apacheweek.com/issues/02-11-08#dev
  23. http://www.apacheweek.com/issues/03-04-25#dev
  24. http://www.perl.com/pub/a/2003/05/22/testing.html
  25. http://httpd.apache.org/test/
  26. http://evolt.org/article/Towards_Next_Generation_URLs/20/60159/index.html
  27. http://www.phpbuilder.com/columns/argerich20030411.php3
  28. http://www.content-wire.com/FreshPicks/Index.cfm?ccs=86&cs=2640
  29. http://cocoon.apache.org/lenya/
  30. mailto:editors@apacheweek.com
  31. http://www.apacheweek.com/
  32. http://www.redhat.com/

----------------------------------------------------------------------
To unsubscribe visit https://www.redhat.com/mailman/listinfo/apacheweek
or send the message   "unsubscribe"  to   apacheweek-request@redhat.com
----------------------------------------------------------------------