ESB-2003.0482 -- The Apache Software Foundation Announcement -- Apache 2.0.47 Released

Date: 11 July 2003
References: ESB-2003.0380  ESB-2003.0629  ESB-2003.0677  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

       ESB-2003.0482 -- The Apache Software Foundation Announcement
                          Apache 2.0.47 Released
                               11 July 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Apache
Publisher:              The Apache Software Foundation
Impact:                 Denial of Service
                        Reduced Security
Access Required:        Remote
CVE Names:              CAN-2003-0192, CAN-2003-0253, CAN-2003-0254

Ref:                    ESB-2003.0380

--------------------------BEGIN INCLUDED TEXT--------------------


                       Apache 2.0.47 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the tenth public release of the Apache 2.0
   HTTP Server.  This Announcement notes the significant changes in
   2.0.47 as compared to 2.0.46.


   This version of Apache is principally a security and bug fix release.
   A summary of the bug fixes is given at the end of this document.
   Of particular note is that 2.0.47 addresses four security
   vulnerabilities:

   Certain sequences of per-directory renegotiations and the SSLCipherSuite
   directive being used to upgrade from a weak ciphersuite to a strong one
   could result in the weak ciphersuite being used in place of the strong
   one.
   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0192]

   Certain errors returned by accept() on rarely accessed ports could cause
   a temporary denial of service, due to a bug in the prefork MPM.
   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0253]

   A denial of service occurred when the target host is IPv6 but the ftp
   proxy server cannot create an IPv6 socket.
   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0254]

   The server would crash after entering an infinite loop caused by too many
   successive internal redirects and nested subrequests.
   [VU#379828]
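
As an added configuration example (not part of the Apache announcement or of AusCERT's bulletin), the first issue above shown in the pattern it affects beside a hardened alternative: a vhost that admits LOW and EXP suites and relies on a per-directory SSLCipherSuite upgrade, and the same vhost admitting only HIGH suites so that no upgrade renegotiation is ever needed. Certificate paths and the /secure location are placeholders.

```apache
# Pattern affected by CAN-2003-0192 on Apache 2.0.46 and earlier: the vhost
# still admits weak suites and relies on a per-directory renegotiation to
# upgrade to a strong one. (Constructed example; placeholder paths.)
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    # Server-wide: LOW and EXP (export-grade) suites remain acceptable.
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP
    <Location /secure>
        # Per-directory upgrade: forces a renegotiation to a HIGH suite.
        # Before 2.0.47 certain renegotiation sequences left the weak suite
        # in place despite this directive.
        SSLCipherSuite HIGH:!ADH
    </Location>
</VirtualHost>

# Hardened form: never admit a weak suite at all, so /secure needs no
# per-directory upgrade and no renegotiation. Use one of the two vhost
# blocks in a live configuration, not both.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SSLCipherSuite HIGH:!ADH
</VirtualHost>
```

Against the hardened vhost, `openssl s_client -connect host:443 -cipher LOW` should fail to complete a handshake, which is a quick way to confirm that no weak suite can be negotiated regardless of the httpd version.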

   The Apache Software Foundation would like to thank Saheed Akhtar and
   Yoshioka Tsuneo for the responsible reporting of two of these issues.


   This release is compatible with modules compiled for 2.0.42 and later
   versions.  We consider this release to be the best version of Apache
   available and encourage users of all prior versions to upgrade.

   Apache 2.0.47 is available for download from

     http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.0 file, linked from the above page, for
   a full list of changes.

   Apache 2.0 offers numerous enhancements, improvements, and performance
   boosts over the 1.3 codebase.  For an overview of new features introduced
   after 1.3 please see

     http://httpd.apache.org/docs-2.0/new_features_2_0.html

   When upgrading or installing this version of Apache, please keep
   in mind the following:

   If you intend to use Apache with one of the threaded MPMs, you must
   ensure that the modules (and the libraries they depend on) that you
   will be using are thread-safe.  Please contact the vendors of these
   modules to obtain this information.


                       Apache 2.0.47 Major changes

   Security vulnerabilities closed since Apache 2.0.46

    *) SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
       of per-directory renegotiations and the SSLCipherSuite directive
       being used to upgrade from a weak ciphersuite to a strong one
       could result in the weak ciphersuite being used in place of the
       strong one.  [Ben Laurie]

    *) SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing
       temporary denial of service when accept() on a rarely accessed port
       returns certain errors.  Reported by Saheed Akhtar
       <S.Akhtar@talis.com>.  [Jeff Trawick]

    *) SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial
       of service when target host is IPv6 but proxy server can't create
       IPv6 socket.  Fixed by the reporter.  [Yoshioka Tsuneo
       <tsuneo.yoshioka@f-secure.com>]

    *) SECURITY [VU#379828] Prevent the server from crashing when entering
       infinite loops. The new LimitInternalRecursion directive configures
       limits on successive internal redirects and nested subrequests, after
       which the request will be aborted.  PR 19753 (and probably others).
       [William Rowe, Jeff Trawick, André Malo]
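
As an added configuration example (not from the Apache announcement or from AusCERT), the LimitInternalRecursion directive introduced for VU#379828, with a constructed per-directory mod_rewrite misconfiguration of the kind that produced the unbounded redirect loop. The hostname and paths are placeholders.

```apache
# LimitInternalRecursion (new in 2.0.47) caps the two kinds of server-side
# recursion behind VU#379828: internal redirects (mod_rewrite in .htaccess,
# ErrorDocument, Action, ...) and nested subrequests (mod_include, mod_dir,
# mod_negotiation, ...). Syntax: LimitInternalRecursion redirects [subrequests]
# The default for both limits is 10; context is server config or virtual host.

# Server-wide: the default, written out explicitly.
LimitInternalRecursion 10

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/example

    # Constructed misconfiguration (shown commented out). In a .htaccess under
    # DocumentRoot, a rule with no terminating condition rewrites its own
    # output again on every pass, and each pass is an internal redirect:
    #     RewriteEngine on
    #     RewriteRule ^(.*)$ $1.html
    # /a -> /a.html -> /a.html.html -> ... Before 2.0.47 this recursed until
    # the child process crashed. With the limit in place, the request is
    # aborted with a server error after 10 internal redirects and an error-log
    # entry naming LimitInternalRecursion is written, which is the signal to
    # look for when triaging unexplained 5xx responses after an upgrade.

    # A vhost with a long, legitimate rewrite chain may raise the redirect
    # limit while keeping subrequest nesting tight:
    LimitInternalRecursion 20 5
</VirtualHost>
```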


   Bugs fixed and features added since Apache 2.0.46

    *) core_output_filter: don't split the brigade after a FLUSH bucket if
       it's the last bucket.  This prevents creating unnecessary empty
       brigades which may not be destroyed until the end of a keepalive
       connection.
       [Juan Rivera <Juan.Rivera@citrix.com>]

    *) Add support for "streamy" PROPFIND responses.
       [Ben Collins-Sussman <sussman@collab.net>]

    *) mod_cgid: Eliminate a double-close of a socket.  This resolves
       various operational problems in a threaded MPM, since on the
       second attempt to close the socket, the same descriptor was
       often already in use by another thread for another purpose.
       [Jeff Trawick]

    *) mod_negotiation: Introduce "prefer-language" environment variable,
       which allows influencing the negotiation process on a per-request
       basis to prefer a certain language.  [André Malo]

    *) Make mod_expires' ExpiresByType work properly, including for
       dynamically-generated documents.  [Ken Coar, Bill Stoddard]

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.