[SECURITY] [ANNOUNCE] Apache 2.0.46 released
May 29, 2003

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                   Apache 2.0.46 Released

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the ninth public release of the Apache 2.0
HTTP Server. This Announcement notes the significant changes in
2.0.46 as compared to 2.0.45.

This version of Apache is principally a security and bug fix release.
A summary of the bug fixes is given at the end of this document.
Of particular note is that 2.0.46 addresses two security
vulnerabilities:

Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
certain circumstances. This can be triggered remotely through mod_dav
and possibly other mechanisms. The crash was originally reported by
David Endler <[email protected]> and was researched and fixed by
Joe Orton <[email protected]>. Specific details and an analysis of the
crash will be published Friday, May 30. No more specific information
is disclosed at this time, but all Apache 2.0 users are encouraged to
upgrade now.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245]

Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were
vulnerable to a denial-of-service attack on the basic authentication
module, which was reported by John Hughes <[email protected]>.
A bug in the configuration scripts caused the apr_password_validate()
function to be thread-unsafe on platforms with crypt_r(), including
AIX and Linux. All versions of Apache 2.0 have this thread-safety
problem on platforms with no crypt_r() and no thread-safe crypt(),
such as Mac OS X and possibly others. When using a threaded MPM (which
is not the default on these platforms), this allows remote attackers
to create a denial of service which causes valid usernames and
passwords for Basic Authentication to fail until Apache is restarted.
We do not believe this bug could allow unauthorized users to gain
access to protected resources.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189]
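The thread-safety failure described above, as an added illustration that is not part of the announcement and not Apache or APR code: a toy, non-cryptographic stand-in for crypt() that hands every caller the same static buffer (the crypt(3) interface) beside a crypt_r()-style variant that writes into a caller-supplied buffer, each wrapped in an apr_password_validate()-like check and driven from several threads at once, the way a threaded MPM would. The names toy_crypt, toy_crypt_r, validate_unsafe, validate_safe, accepts and concurrent_false_rejects, the salt "s1" and the four sample passwords are this example's own; the digest is FNV-1a, chosen only because it is short, and is not a password hash.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 16   /* 64-bit digest rendered as 16 hex chars */
#define NTHREADS   4
#define ITERS      20000

typedef int (*validate_fn)(const char *pw, const char *stored, const char *salt);

/* Toy stand-in for the work crypt(3) does: FNV-1a over salt+password, hex encoded.
 * NOT a password hash; it only models the crypt()/crypt_r() interface difference. */
static void toy_digest(const char *salt, const char *pw, char *out)
{
    uint64_t h = 1469598103934665603ULL;
    for (const char *p = salt; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (const char *p = pw; *p; p++)   { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (int i = 0; i < DIGEST_LEN; i++)   /* byte-at-a-time write: other threads can interleave */
        out[i] = "0123456789abcdef"[(h >> (4 * i)) & 0xf];
    out[DIGEST_LEN] = '\0';
}

/* crypt(3) shape: every caller gets a pointer to the same static buffer. */
static char *toy_crypt(const char *pw, const char *salt)
{
    static char shared[DIGEST_LEN + 1];
    toy_digest(salt, pw, shared);
    return shared;
}

/* crypt_r(3) shape: the caller owns the output buffer, so threads never collide. */
static char *toy_crypt_r(const char *pw, const char *salt, char *buf)
{
    toy_digest(salt, pw, buf);
    return buf;
}

/* Validators shaped like apr_password_validate(): hash the offered password and compare
 * with the stored hash. Only the second one is safe to call from concurrent threads. */
static int validate_unsafe(const char *pw, const char *stored, const char *salt)
{
    return strcmp(toy_crypt(pw, salt), stored) == 0;
}

static int validate_safe(const char *pw, const char *stored, const char *salt)
{
    char buf[DIGEST_LEN + 1];
    return strcmp(toy_crypt_r(pw, salt, buf), stored) == 0;
}

/* Build a password-file entry for real_pw, then check an offered password against it. */
static int accepts(validate_fn validate, const char *offered, const char *real_pw, const char *salt)
{
    char stored[DIGEST_LEN + 1];
    toy_digest(salt, real_pw, stored);
    return validate(offered, stored, salt);
}

struct worker {
    validate_fn validate;
    const char *pw;
    char stored[DIGEST_LEN + 1];
    long false_rejects;    /* correct password reported as wrong */
};

static void *worker_run(void *arg)
{
    struct worker *w = arg;
    for (int i = 0; i < ITERS; i++)
        if (!w->validate(w->pw, w->stored, "s1"))
            w->false_rejects++;
    return NULL;
}

/* NTHREADS request threads each validate their own correct credentials at the same time.
 * Returns how many valid logins were wrongly rejected in total. */
static long concurrent_false_rejects(validate_fn validate)
{
    static const char *pws[NTHREADS] = { "alpha-1", "bravo-2", "charlie-3", "delta-4" };
    struct worker w[NTHREADS];
    pthread_t t[NTHREADS];
    long total = 0;

    for (int i = 0; i < NTHREADS; i++) {
        w[i].validate = validate;
        w[i].pw = pws[i];
        w[i].false_rejects = 0;
        toy_digest("s1", pws[i], w[i].stored);    /* what the password file would hold */
        pthread_create(&t[i], NULL, worker_run, &w[i]);
    }
    for (int i = 0; i < NTHREADS; i++) {
        pthread_join(t[i], NULL);
        total += w[i].false_rejects;
    }
    return total;
}

int main(void)
{
    printf("shared-buffer crypt(): %ld of %d valid logins rejected\n",
           concurrent_false_rejects(validate_unsafe), NTHREADS * ITERS);
    printf("reentrant crypt_r():   %ld of %d valid logins rejected\n",
           concurrent_false_rejects(validate_safe), NTHREADS * ITERS);
    return 0;
}
```

Build with `cc -pthread`. The count for the shared-buffer version depends on scheduling and may be zero on a single core; the point is that the reentrant version never rejects a valid login, while the shared-buffer version can, which is the symptom the announcement describes. This models the hazard, not the actual 2.0.46 change, which was to the configure scripts so that crypt_r() is detected and used where the platform has it; where neither crypt_r() nor a thread-safe crypt() exists, calls into crypt() have to be serialized behind a mutex instead.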

The Apache Software Foundation would like to thank David Endler
and John Hughes for the responsible reporting of these issues.

This release is compatible with modules compiled for 2.0.42 and later
versions. We consider this release to be the best version of Apache
available and encourage users of all prior versions to upgrade.

Apache 2.0.46 is available for download from

 http://httpd.apache.org/download.cgi

Please see the CHANGES_2.0 file, linked from the above page, for
a full list of changes.

Apache 2.0 offers numerous enhancements, improvements, and performance
boosts over the 1.3 codebase. For an overview of new features introduced
after 1.3 please see

 http://httpd.apache.org/docs-2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep
in mind the following:

If you intend to use Apache with one of the threaded MPMs, you must
ensure that the modules (and the libraries they depend on) that you
will be using are thread-safe. Please contact the vendors of these
modules to obtain this information.

                   Apache 2.0.46 Major changes

Security vulnerabilities closed since Apache 2.0.45

*) SECURITY [CAN-2003-0245]: Fixed a bug that could be triggered
   remotely through mod_dav and possibly other mechanisms, causing
   an Apache child process to crash.  The crash was first reported
   by David Endler <[email protected]> and was researched and
   fixed by Joe Orton <[email protected]>.  Details will be released
   on 30 May 2003.

*) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability
   affecting basic authentication on Unix platforms related to
   thread-safety in apr_password_validate().  The problem was reported
   by John Hughes <[email protected]>.

Bugs fixed and features added since Apache 2.0.45

*) Fix for mod_dav.  Call the 'can_be_activity' callback, if provided,
   when a MKACTIVITY request comes in.
   [Ben Collins-Sussman <[email protected]>]

*) Perform run-time query in apxs for apr and apr-util's includes.
   [Justin Erenkrantz]

*) Run libtool from the apr install directory (in case that is different
   from the apache install directory). [Jeff Trawick]

*) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]

*) If mod_mime_magic does not know the content-type, do not attempt to
   guess.  PR 16908.  [Andrew Gapon <[email protected]>]

*) ssl session caching (shmht): Fix a SEGV problem with SHMHT session
   caching. PR 17864.
   [Andreas Leimbacher <[email protected]>, Madhusudan Mathihalli]

*) Add a delete flag to htpasswd.
   [Thom May]

*) Fix mod_rewrite's handling of absolute URIs. The escaping routines
   now work scheme-dependently, and the query string is only
   appended if supported by the particular scheme.  [André Malo]

*) Add another check for already compressed content in mod_deflate.
   PR 19913. [Tsuyoshi SASAMOTO <[email protected]>]

*) Fixes for VPATH builds; copying special.mk and any future .mk files
   from the source tree as well as the build tree (now creates a usable
   configuration for apxs), and eliminated redundant -I'nclude paths.
   [William Rowe]

*) Code fixes, constness corrections and ssl_toolkit_compat.h updates
   for SSLC and OpenSSL toolkit compatibility.  Work still remains to
   be done to cripple features based on the limitations of RSA's binary
   distribution of their SSL-C toolkit.
   [William Rowe, Madhusudan Mathihalli, Jeff Trawick]

*) Linux 2.4+: If Apache is started as root and you configure
   CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
   [Greg Ames]

*) ap_get_mime_headers_core: allocate space for the trailing null
   when folding is in effect.
   PR 18170 [Peter Mayne <PeterMayne@SPAM_SUX.ap.spherion.com>]

*) Fix --enable-mods-shared=most and other variants.  [Aaron Bannert]

*) mod_log_config: Add the ability to log the id of the thread
   processing the request via new %P formats.  [Jeff Trawick]

*) Use appropriate language codes for Czech (cs) and Traditional Chinese
   (zh-tw) in default config files. PR 9427.  [André Malo]

*) mod_auth_ldap: Use generic whitespace character class when parsing
   "require" directives, instead of literal spaces only. PR 17135.
   [André Malo]

*) Hook mod_rewrite's type checker before mod_mime's one. That way the
   RewriteRule [T=...] flag should work as expected now. PR 19626.
   [André Malo]

*) htpasswd: Check the processed file for validity. If a line is not empty
   and not a comment, it must contain at least one colon. Otherwise exit
   with error code 7. [Kris Verbeeck <[email protected]>, Thom May]

*) Fix a problem that caused httpd to be linked with incorrect flags
   on some platforms when mod_so was enabled by default, breaking
   DSOs on AIX.  PR 19012  [Jeff Trawick]

*) By default, use the same CC and CPP with which APR was built.
   The user can override with CC and CPP environment variables.
   [Jeff Trawick]

*) Fix ap_construct_url() so that it surrounds IPv6 literal address
   strings with [].  This fixes certain types of redirection.
   PR 19207.  [Jeff Trawick]

*) Forward port of buffer overflow fixes for htdigest. [Thom May]

*) Added AllowEncodedSlashes directive to permit control of whether
   the server will accept encoded slashes ('%2f') in the URI path.
   Default condition is off (the historical behaviour).  This permits
   environments in which the path-info needs to contain encoded
   slashes.  PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639.
   [Ken Coar]

*) When using Redirect in directory context, append the requested query
   string if none is supplied by configuration. PR 10961.
   [André Malo]

*) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise
   the pattern will not always match as desired. PR 12596.
   [André Malo]

*) mod_autoindex now emits and accepts modern query string parameter
   delimiters (;). Thus column headers no longer contain unescaped
   ampersands. PR 10880  [André Malo]

*) Enable ap_sock_disable_nagle for Windows. This, along with the
   addition of APR_TCP_NODELAY_INHERITED to apr.hw, will cause Nagle
   to be disabled for Windows. [Allan Edwards]

*) Correct a mis-correlation between mpm_common.c and mpm_common.h;
   this patch reverts us to pre-2.0.46 behavior, using the
   ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle
   was never compiled on Win32. [Allan Edwards, William Rowe]

*) Fix a build problem with passing unsupported --enable-layout
   args to apr and apr-util.  This broke binbuild.sh as well as
   user-specified layout parameters.  PR 18649 [Justin Erenkrantz,
   Jeff Trawick]

*) If a Date response header was already set in the headers array,
   this value was ignored in favour of the current time. This meant
   that Date headers on proxied requests were rewritten when they
   should not have been. PR: 14376 [Graham Leggett]

*) Add code to buildconf that produces an httpd.spec file from
   httpd.spec.in, using build/get-version.sh from APR.
   [Graham Leggett]

*) Fixed a segfault when multiple ProxyBlock directives were used.
   PR: 19023 [Sami Tikka <[email protected]>]

*) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability,
   identified and reported by Robert Howard <[email protected]>, in
   which device names faulted the running OS2 worker process.
   The fix is actually in APR 0.9.4.  [Brian Havard]

*) Forward port: Escape special characters (especially control
   characters) in mod_log_config to make a clear distinction between
   client-supplied strings (with special characters) and server-side
   strings. This was already introduced in version 1.3.25.
   [André Malo]

*) mod_deflate: Check also err_headers_out for an already set
   Content-Encoding: gzip header. This prevents gzip compressed content
   from a CGI script from being compressed once more. PR 17797.
   [André Malo]
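Two of the entries above, the AllowEncodedSlashes directive and the mod_log_config escaping of client-supplied strings, as one added example in C. This is not Apache's code and does not reproduce httpd's own routines; it shows the two behaviours the changelog describes: a path decoder that, with encoded slashes disallowed (the directive's default), refuses a %2f rather than letting it become a path separator, and a log-field escaper that keeps a client-sent newline or quote from reading as a separate server-written record. The function names (unescape_path, escape_logitem, decodes_to, escapes_to), the return codes, the exact escape set and the sample path and request line are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return codes for unescape_path(). */
enum { UNESCAPE_OK = 0, UNESCAPE_BAD_HEX = -1, UNESCAPE_ENCODED_SLASH = -2, UNESCAPE_TOO_LONG = -3 };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes in a URI path. With allow_encoded_slashes == 0 (the directive's
 * default) a %2F / %2f is refused instead of becoming a path separator, so decoding can
 * never introduce a segment boundary the raw request line did not have. A decoded NUL
 * is refused as well, since it would silently truncate the C string. */
static int unescape_path(const char *in, int allow_encoded_slashes, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return UNESCAPE_BAD_HEX;
            c = hi * 16 + lo;
            if (c == '\0') return UNESCAPE_BAD_HEX;
            if (c == '/' && !allow_encoded_slashes) return UNESCAPE_ENCODED_SLASH;
            i += 2;
        }
        if (o + 1 >= outlen) return UNESCAPE_TOO_LONG;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return UNESCAPE_OK;
}

/* Escape a client-supplied field before it is written to a log line. Escape set (this
 * example's convention): \" \\ \n \r \t, other control bytes as \xHH, bytes >= 0x80
 * left alone. Returns 0, or -1 if out is too small. */
static int escape_logitem(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char tmp[5];
        const char *rep = tmp;
        switch (*p) {
        case '"':  rep = "\\\""; break;
        case '\\': rep = "\\\\"; break;
        case '\n': rep = "\\n";  break;
        case '\r': rep = "\\r";  break;
        case '\t': rep = "\\t";  break;
        default:
            if (*p < 0x20 || *p == 0x7f) snprintf(tmp, sizeof tmp, "\\x%02x", (unsigned)*p);
            else { tmp[0] = (char)*p; tmp[1] = '\0'; }
        }
        size_t n = strlen(rep);
        if (o + n >= outlen) return -1;
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return 0;
}

/* Exact-result checkers: does `in` decode / escape to precisely `expected`? */
static int decodes_to(const char *in, int allow_encoded_slashes, const char *expected)
{
    char buf[128];
    return unescape_path(in, allow_encoded_slashes, buf, sizeof buf) == UNESCAPE_OK
        && strcmp(buf, expected) == 0;
}

static int escapes_to(const char *in, const char *expected)
{
    char buf[256];
    return escape_logitem(in, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[256];
    const char *path = "/repo/trunk/a%2fb";   /* constructed: a slash hidden inside one segment */
    printf("AllowEncodedSlashes Off -> rc=%d\n", unescape_path(path, 0, buf, sizeof buf));
    if (unescape_path(path, 1, buf, sizeof buf) == UNESCAPE_OK)
        printf("AllowEncodedSlashes On  -> %s\n", buf);

    /* Constructed request line carrying a newline and quotes, as a client could send it. */
    const char *field = "GET /index.html HTTP/1.0\n10.0.0.1 - - \"GET /x HTTP/1.0\" 200";
    if (escape_logitem(field, buf, sizeof buf) == 0)
        printf("logged as: \"%s\"\n", buf);
    return decodes_to(path, 1, "/repo/trunk/a/b") ? 0 : 1;
}
```

With encoded slashes disallowed the decoder returns an error code that the caller turns into an error response; with them allowed, "/repo/trunk/a%2fb" decodes to "/repo/trunk/a/b" and the application behind the path has to treat that slash as data. The escaper keeps every log record on one line, so a line-oriented log parser or alerting rule only ever sees records the server wrote.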

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+1OGPNhUi14Kre9ERAgCPAKD7wcQxzXa/m7lJah1KMVLtEZSKTwCaA1DF
M+DtGud2fxkWMEZl84gqO8Y=
=ZKS4
-----END PGP SIGNATURE-----
