The Apache Software Foundation has released a patch for its Apache 2.0 HTTP Server to thwart a "significant" denial-of-service vulnerability.
Apache, which makes the popular open-source Web server application, released version 2.0.45 to fix a denial-of-service (DoS) problem. A DoS attack overwhelms a server or network with traffic or requests so that it can no longer answer legitimate queries.
The vulnerability in version 2.0.44 affects all operating systems, according to the advisory. But Apache issued a specific warning for OS/2 users, noting that for them the new patch still had a DoS vulnerability.
That outstanding issue will be fixed with the upcoming release of 2.0.46, but Apache said it was too important to delay the 2.0.45 patch.
The foundation urged, "All Apache 2.0 users are encouraged to upgrade now."
The foundation rushed the patch out perhaps to avert the kind of scenario that occurred last June, when a security firm released news of a flaw and gave Apache only a few hours to respond.
The DoS vulnerability in version 2.0.44 was discovered by David Endler of security firm iDefense. Apache did not provide specific details about the issues, noting only that Endler would publish details on April 8.
Apache dominates the Web server market with nearly 63 percent market share, according to March statistics from consulting firm Netcraft. Microsoft trails well behind with 27.4 percent, and Sun Microsystems has a paltry 1.1 percent of the market.
View: Apache Software Foundation
View: Apache HTTP Server Downloads
News source: CNet
Apache 2.0.45 Major changes
- Security vulnerabilities closed since Apache 2.0.44
- SECURITY [CAN-2003-0132]: Close a Denial of Service vulnerability identified by David Endler on all platforms. Details embargoed until their announcement on 7 April 2003.
- SECURITY: Eliminated leaks of several file descriptors to child processes, such as CGI scripts. This fix depends on the latest APR library release 0.9.2, which is distributed with the httpd source tarball for Apache 2.0.45. PR 17206 [Christian Kratzer, Bjoern A. Zeeb]
- Bugs fixed and features added since Apache 2.0.44
- Prevent endless loops of internal redirects in mod_rewrite by aborting after exceeding a limit of internal redirects. The limit defaults to 10 and can be changed using the RewriteOptions directive. PR 17462.
- Configurable compression level for mod_deflate.
- Allow SSLMutex to select/use the full range of APR locking mechanisms available to it (i.e. the same choices as AcceptMutex).
- mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot be started on Unix because of such problems as bad permissions, bad shebang line, etc.
- Try to log an error if a piped log program fails and try to restart a piped log program in more failure situations.
- Added support for mod_auth_LDAP, with a new AuthLDAPCharsetConfig directive, to convert extended characters in the user ID to UTF-8, before authenticating against the LDAP directory.
- No longer removes the Content-Length from responses via mod_proxy.
- Enhance mod_isapi's WriteClient() callback to provide better emulation for isapi extensions that use the first WriteClient() to send status and headers, such as the foxisapi module.
- Win32: Avoid busy wait (consuming all the CPU idle cycles) when all worker threads are busy.
- Introduced .pdb debugging symbols for Win32 release builds.
- Fixed piped access logs on Win32.
- Fix path handling in mod_rewrite, especially on non-Unix systems. There was some confusion between local filesystem paths and URL paths.
- Added an rpm build script.
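The following httpd.conf fragment is an added example, not text from the article or from the Apache Software Foundation. It exercises the configurable behaviours the changelog above introduces in 2.0.45: the mod_rewrite internal-redirect bound, the mod_deflate compression level, the widened SSLMutex choices, and AuthLDAPCharsetConfig. The option names (RewriteOptions MaxRedirects, DeflateCompressionLevel, the SSLMutex lock types) are taken from the 2.0.45 documentation rather than from the page; the hostname, paths, the charset.conv location and the looping rewrite rule are constructed placeholders.

```apache
# Added example for Apache 2.0.45 (not from the page or the ASF).
# Hostnames, paths and the sample rewrite rules below are constructed.

# --- mod_rewrite: internal redirects are now capped (default 10).
#     A per-directory rule set that keeps matching its own output used to
#     spin a worker process indefinitely; in 2.0.45 the request fails
#     with a 500 once the cap is hit. Raise the cap only if a rule set
#     legitimately needs more hops; fixing the loop is the real remedy.
RewriteEngine On
RewriteOptions MaxRedirects=10

# Constructed loop: every request, including the rewritten /index.php
# itself, matches again on the next internal redirect.
#   RewriteRule ^(.*)$ /index.php?q=$1 [L]
# Corrected form: exclude the target so the chain terminates.
RewriteCond %{REQUEST_URI} !^/index\.php
RewriteRule ^(.*)$ /index.php?q=$1 [L]

# --- mod_deflate: compression level is configurable in 2.0.45
#     (1 = fastest, 9 = smallest output). Higher levels cost CPU on every
#     response, so keep it moderate on a busy server.
<IfModule mod_deflate.c>
    DeflateCompressionLevel 6
    AddOutputFilterByType DEFLATE text/html text/plain text/css
</IfModule>

# --- mod_ssl: SSLMutex accepts the same APR lock types as AcceptMutex.
#     A kernel-backed mutex avoids relying on a lock file; file-based
#     types take an explicit path that must be writable by the server.
<IfModule mod_ssl.c>
    SSLMutex sysvsem
    # SSLMutex file:/var/run/httpd/ssl_mutex   (file-based alternative; path assumed)
</IfModule>

# --- mod_auth_ldap: convert the user ID from the client's declared
#     charset to UTF-8 before the LDAP bind. The charset.conv path is
#     assumed; it is the mapping file the directive expects.
<IfModule mod_auth_ldap.c>
    AuthLDAPCharsetConfig conf/charset.conv
    <Location /private>
        AuthType Basic
        AuthName "LDAP users"
        AuthLDAPURL ldap://ldap.example.com/ou=People,dc=example,dc=com?uid
        require valid-user
    </Location>
</IfModule>
```

The RewriteCond/RewriteRule pair is the usual shape of a terminating front-controller rule; the MaxRedirects cap is a backstop that turns a runaway rule set into a logged 500 rather than a hung worker, which is what the changelog's "endless loops" entry is about.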
