ESB-2003.0244 -- The Apache Software Foundation Announcement -- Apache 2.0.45 Released

Date: 03 April 2003
References: ESB-2003.0271  ESB-2003.0274  ESB-2003.0323  ESB-2003.0624  

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

       ESB-2003.0244 -- The Apache Software Foundation Announcement
                          Apache 2.0.45 Released
                               03 April 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Apache 2.0.45
Vendor:                 The Apache Software Foundation
Impact:                 Denial of Service
Access Required:        Remote
CVE Names:              CAN-2003-0134

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----


                    Apache 2.0.45 Released

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the eighth public release of the Apache 2.0
HTTP Server.  This Announcement notes the significant changes in
2.0.45 as compared to 2.0.44.

OS2 users: note that Apache 2.0 versions *including* 2.0.45 still
have a Denial of Service vulnerability that was identified and reported
by Robert Howard <rihoward@rawbw.com>. It will be fixed with the release
of 2.0.46, but this release is too important to delay today's announcement.
The patch
http://cvs.apache.org/viewcvs/apr/file_io/os2/filestat.c.diff?r1=1.34&r2=1.35
must be applied before building on OS2.  This patch will already
be applied to all OS2 binaries released for Apache 2.0.45.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0134]

This version of Apache is principally a security and bug fix release.
A summary of the bug fixes is given at the end of this document.
Of particular note is that 2.0.45 addresses two security
vulnerabilities, both affecting all platforms.

Prior Apache 2.0 versions through 2.0.44 had a significant Denial of 
Service vulnerability that was identified and reported by David Endler 
<DEndler@iDefense.com>, and fixed with this release.  The specific 
details of this issue will be published by David Endler one week from 
this release, on April 7th.  No more specific information is disclosed 
at this time, but all Apache 2.0 users are encouraged to upgrade now.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132]

This release eliminated leaks of several file descriptors to child
processes, such as CGI scripts, which could constitute a security threat
on servers that run untrusted CGI scripts.  This issue was identified,
reported and addressed by Christian Kratzer <ck@cksoft.de> and
Bjoern A. Zeeb <bz@zabbadoz.net>.
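The descriptor-leak class of bug described above is easy to reproduce and to check for. The following is an added example, not code from Apache or APR: a parent process (standing in for the server) opens a private file, spawns a child (standing in for a CGI script) and the child probes whether it inherited the descriptor. It then shows the mitigation the fix relies on, marking the descriptor close-on-exec (FD_CLOEXEC), and the belt-and-braces alternative of closing all non-standard descriptors in the child before exec. The temporary file, the probe script and the function names are constructed for this example; the child identifies the leaked descriptor by comparing device and inode numbers so a coincidentally reused descriptor number is not mistaken for a leak.

```python
"""Added example (not Apache's or APR's code): demonstrate a file descriptor
leaking into an exec'd child, and the FD_CLOEXEC / close-all mitigations."""
import os
import subprocess
import sys
import tempfile

# Child-side probe, run in a fresh interpreter: exit 0 only if descriptor `fd`
# is open AND refers to the same (device, inode) the parent passed in.
PROBE = """
import os, sys
fd, dev, ino = (int(a) for a in sys.argv[1:4])
try:
    st = os.fstat(fd)
except OSError:
    sys.exit(1)
sys.exit(0 if (st.st_dev, st.st_ino) == (dev, ino) else 1)
"""


def child_can_see_fd(fd, close_fds):
    """Spawn a child (stand-in for a CGI script) and report whether it
    inherited `fd`. close_fds=True closes every descriptor above 2 in the
    child before exec, which is what a defensive CGI launcher should do."""
    st = os.fstat(fd)
    result = subprocess.run(
        [sys.executable, "-c", PROBE, str(fd), str(st.st_dev), str(st.st_ino)],
        close_fds=close_fds,
    )
    return result.returncode == 0


def mark_close_on_exec(fd):
    """Apply the mitigation: clear the inheritable flag, i.e. set FD_CLOEXEC,
    so the kernel closes the descriptor automatically across exec()."""
    os.set_inheritable(fd, False)
    return not os.get_inheritable(fd)


def leak_demo():
    """Return (leaked, fixed_by_cloexec, fixed_by_close_fds) for a constructed
    private file. Expected on a POSIX system: (True, False, False)."""
    with tempfile.TemporaryFile() as private:  # constructed stand-in for a server-only file
        fd = private.fileno()
        os.set_inheritable(fd, True)  # emulate a parent that forgot FD_CLOEXEC
        leaked = child_can_see_fd(fd, close_fds=False)
        mark_close_on_exec(fd)
        fixed_by_cloexec = child_can_see_fd(fd, close_fds=False)
        os.set_inheritable(fd, True)  # forget it again, rely on the launcher instead
        fixed_by_close_fds = child_can_see_fd(fd, close_fds=True)
    return leaked, fixed_by_cloexec, fixed_by_close_fds


if __name__ == "__main__":
    leaked, by_cloexec, by_close_fds = leak_demo()
    print("descriptor leaked to child without mitigation:", leaked)
    print("leaked after FD_CLOEXEC:", by_cloexec)
    print("leaked when launcher closes fds > 2:", by_close_fds)
```

Run it on a Linux or other POSIX host; the first line reports True and the other two False. The same probe logic, dropped into a real CGI script that walks its open descriptors, is a cheap way to audit a server for this class of leak after an upgrade.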

The Apache Software Foundation would like to thank David Endler, 
Christian Kratzer, Bjoern Zeeb and Robert Howard for the responsible 
reporting of these issues.

Apache 2.0.42 and later releases mark a change in the Apache release 
process, and a new level of stability in the 2.0 series.  With the
release of Apache 2.0.42, we will make every effort to retain 
forward compatibility so that upgrading along the 2.0 series should 
be much easier.  This compatibility extends from Apache release 2.0.42, 
so users of that version or later should be able to upgrade without 
changing configurations or updating DSO modules.  (Users of earlier 
releases will need to recompile all modules in order to upgrade 
to 2.0.42 or later versions.)

We consider this release to be the best version of Apache available
and encourage users of all prior versions to upgrade.

Apache 2.0.45 source code is available for download from

  http://www.apache.org/dist/httpd/

Apache 2.0.45 binary releases will become available for download from

  http://www.apache.org/dist/httpd/binaries/

Please see the CHANGES_2.0 file, linked from the above page, for
a full list of changes.

Apache 2.0 offers numerous enhancements, improvements, and performance
boosts over the 1.3 codebase.  For an overview of new features introduced
after 1.3 please see

  http://httpd.apache.org/docs-2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep
in mind the following:

If you intend to use Apache with one of the threaded MPMs, you must
ensure that the modules (and the libraries they depend on) that you
will be using are thread-safe.  Please contact the vendors of these
modules to obtain this information.


                    Apache 2.0.45 Major changes

Security vulnerabilities closed since Apache 2.0.44

 *) SECURITY [CAN-2003-0132]: Close a Denial of Service vulnerability
    identified by David Endler <DEndler@iDefense.com> on all platforms.
    Details embargoed until their announcement on 7 April 2003.

 *) SECURITY:  Eliminated leaks of several file descriptors to child
    processes, such as CGI scripts.  This fix depends on the latest
    APR library release 0.9.2, which is distributed with the httpd 
    source tarball for Apache 2.0.45.  PR 17206

Bugs fixed and features added since Apache 2.0.44

 *) Prevent endless loops of internal redirects in mod_rewrite by
    aborting after exceeding a limit of internal redirects. The
    limit defaults to 10 and can be changed using the RewriteOptions
    directive. PR 17462.

 *) Configurable compression level for mod_deflate.

 *) Allow SSLMutex to select/use the full range of APR locking
    mechanisms available to it (e.g. same choices as AcceptMutex.)

 *) mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot
    be started on Unix because of such problems as bad permissions,
    bad shebang line, etc.

 *) Try to log an error if a piped log program fails and try to
    restart a piped log program in more failure situations.

 *) Added support for mod_auth_LDAP, with a new AuthLDAPCharsetConfig 
    directive, to convert extended characters in the user ID to UTF-8,
    before authenticating against the LDAP directory.

 *) No longer removes the Content-Length from responses via mod_proxy.

 *) Enhance mod_isapi's WriteClient() callback to provide better emulation 
    for isapi extensions that use the first WriteClient() to send status 
    and headers, such as the foxisapi module.

 *) Win32: Avoid busy wait (consuming all the CPU idle cycles) when
    all worker threads are busy. 

 *) Introduced .pdb debugging symbols for Win32 release builds.

 *) Fixed piped access logs on Win32.

 *) Fix path handling of mod_rewrite, especially on non-unix systems.
    There was some confusion between local paths and URL paths.

 *) Added an rpm build script.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQCSAwUBPoqTdD6Pt/L4g0HZAQHw7APnbBm7gBnSixiXu/fvw6rIh0y/KP4e2r4Z
pp0lajvj+5vnzJm7ZUoI388a/P8Y2q4/YtW6bhggB7+w1O5eiIG6N91mcy/wjpmI
HUOWpxkY1eUQd0QECm1HP/7RARe7MpphQHZCGTbEUQjUUglv2IP+++uIsvo4YM2K
wtY/+z4=
=356p
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPoxH+yh9+71yA2DNAQEk2gP+NDb4dpbPF8t6coTQdBvv//9NA/hNrGIG
oQZ8I9NUUzmi4lsvdQt0WXs5VwoUoLAjIiu6YfhkXrqyWPrg63dtpXdXsEkB4Qy6
F37NypR3+iGqP+xOotCrgpEbw97WS7l1jH/vJuBB0dSdMa3yu7D5kwRntivKAnO8
vIAO4qU2GfU=
=poRU
-----END PGP SIGNATURE-----