In this issue
This week four security issues have been announced that affect the
latest versions of the 1.3 and 2.0 Apache httpd server.
- In Apache 1.3 versions up to and including 1.3.26, the permissions of the shared memory used for the scoreboard allow a user with the uid of the Apache server to 1) send signals to arbitrary processes as root, and 2) cause a local denial of service. This issue does not affect Apache 2.0.
CAN-2002-0839
In order to exploit this vulnerability a remote attacker would have to use some other vulnerability to be able to run arbitrary commands as the uid of the Apache server. Access to the uid of the Apache server is also available to anyone who has the authority to create scripts that can be run by the server (such as PHP or CGI).
This issue was reported to the ASF by zen-parse through iDefense.
- A cross-site scripting (XSS) vulnerability was discovered in the default error page. The issue could only be exploited if the directive UseCanonicalName is set to Off and a server is being run at a domain that uses wildcard DNS. The default setting has been Off in 2.0 since 2.0.33; 1.3 has always had it On, so is not vulnerable by default, but is vulnerable if you set UseCanonicalName to Off. This issue affects Apache 2.0 all versions including 2.0.42 and 1.3 all versions up to and including 1.3.26.
CAN-2002-0840
Wildcard DNS allows a server administrator to set up a host to respond to any particular hostname in the domain. For example, with a DNS entry of *.apacheweek.com any hostname that is looked up in the apacheweek.com domain would resolve. Wildcard DNS is not particularly common, so this vulnerability will not affect many sites.
This issue was reported to the ASF by Matthew Murphy.
- Buffer overflows in the ApacheBench utility, ab, used for benchmarking sites can be exploited if it is run against a malicious server.
CAN-2002-0843
As a work-around, administrators could simply remove the ApacheBench utility or not run it against untrusted servers.
This issue was reported to the ASF by David Wagner.
- In Apache 2.0.42, for a location where both WebDAV and CGI were enabled, a POST request to a CGI script would reveal the CGI source to a remote user. This issue does not affect any versions of Apache 2.0 other than 2.0.42, and does not affect Apache 1.3 servers running mod_dav 1.0.
CAN-2002-1156
These issues have all been fixed in Apache 1.3.27 and Apache 2.0.43
which are now available.
Apache 1.3.27 was released on 3rd October 2002 and is now the latest version of the Apache 1.3 server. The previous release was 1.3.26, released on the 18th June 2002. See what was new in Apache 1.3.26.
Apache 1.3.27 is available in source form for compiling on Unix or Windows, for download from the main Apache site or from any mirror download site.
This is a security, bug fix and minor upgrade release.
Due to security issues, any sites using versions prior to
Apache 1.3.27 should upgrade to Apache 1.3.27.
Read more about the other security issues that affect Apache 1.3.
Security issues
- Fix the security vulnerability regarding ownership permissions of System V shared memory based scoreboards. The fix resulted in the new ShmemUIDisUser directive.
CAN-2002-0839
- Fix the security vulnerability regarding a cross-site scripting vulnerability in the default error page when using wildcard DNS.
CAN-2002-0840
- Fix the security vulnerability regarding some possible overflows in ab.c which could be exploited by a malicious server.
CAN-2002-0843
New features
The main new features in 1.3.27 (compared to 1.3.26) are:
- A new directive, ErrorHeader has been added. This allows headers (such as cookies) to be specified that will accompany any error pages or redirects.
- Configuration file globbing can now use simple pattern matching, which can stop backup and other files getting included. BZ#12712
- Include directives may now have wildcards in the final part of the path.
- A new directive, ProtocolReqCheck has been added which determines if Apache will check for a valid protocol string in the request (such as HTTP/1.1) and return HTTP_BAD_REQUEST if not valid. Versions of Apache prior to 1.3.26 would silently ignore bad protocol strings, but 1.3.26 included a more strict check. This directive makes it runtime configurable.
- Added support for Berkeley-DB/4.x to mod_auth_db.
- Support Caldera OpenUNIX 8.
Bugs fixed
The following bugs were found in Apache 1.3.26 and have been
fixed in Apache 1.3.27:
- Some fixes to mod_proxy.
The cache was incorrectly updating the Content-Length
from 304 responses when doing validation.
Also fix a problem where headers from other modules were
added to the response headers when this was done in the
core already.
- In 1.3.26, a null or all-blank Content-Length
triggers an error although previous versions would silently ignore
it and assume 0 length. 1.3.27 restores this previous behaviour.
- Fix a one byte null overflow in ap_get_win32_interpreter used on Win32 platforms, triggered when the initial #! line in a CGI script did not contain a \r or \n character in the first 1023 bytes.
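The two request-parsing behaviours described above, the strict protocol-string check that ProtocolReqCheck makes configurable and the blank Content-Length handling restored in 1.3.27, modelled in a small Python parser. This is an added example, not Apache's own code; the protocol_req_check and lenient_blank flags are this example's names for the two switches, and falling back to HTTP/1.0 for an ignored protocol string is an assumption the page does not state.

```python
import re

# Shape of a valid protocol string, "HTTP/<major>.<minor>", as checked by
# ProtocolReqCheck when it is On.
PROTOCOL_RE = re.compile(r"^HTTP/([0-9]+)\.([0-9]+)$")

class BadRequest(Exception):
    """Request should be answered with HTTP_BAD_REQUEST (400)."""

def parse_request_line(line, protocol_req_check=True):
    """Split 'METHOD URI PROTOCOL'; reject a bad protocol string when checking is On."""
    parts = line.split()
    if len(parts) == 2:                      # HTTP/0.9 simple request: no protocol
        return {"method": parts[0], "uri": parts[1], "version": (0, 9)}
    if len(parts) != 3:
        raise BadRequest("malformed request line")
    method, uri, proto = parts
    m = PROTOCOL_RE.match(proto)
    if m:
        return {"method": method, "uri": uri,
                "version": (int(m.group(1)), int(m.group(2)))}
    if protocol_req_check:                   # 1.3.26 / ProtocolReqCheck On
        raise BadRequest("invalid protocol string %r" % proto)
    # Pre-1.3.26 behaviour: the bad string is ignored. Falling back to HTTP/1.0
    # here is this example's assumption; the page only says it was ignored.
    return {"method": method, "uri": uri, "version": (1, 0)}

def content_length(headers, lenient_blank=True):
    """Body length from Content-Length; header names are lower-cased by the caller."""
    raw = headers.get("content-length")
    if raw is None:
        return 0
    value = raw.strip()
    if value == "":
        if lenient_blank:                    # 1.3.27 (and pre-1.3.26): blank means 0
            return 0
        raise BadRequest("blank Content-Length")   # 1.3.26 behaviour
    if not re.fullmatch(r"[0-9]+", value):
        raise BadRequest("invalid Content-Length %r" % raw)
    return int(value)

def validate_request(line, headers, protocol_req_check=True, lenient_blank=True):
    """Return (400, reason) for a rejected request, or (None, parsed) if accepted."""
    try:
        req = parse_request_line(line, protocol_req_check)
        req["content_length"] = content_length(headers, lenient_blank)
    except BadRequest as exc:
        return 400, str(exc)
    return None, req
```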
Apache 2.0.43 was released on 3rd October 2002 and is now the latest version of the Apache 2.0 server. The previous release was 2.0.42, released on the 24th September 2002. See what was new in Apache 2.0.42.
Apache 2.0.43 is available in source form for compiling on Unix or Windows, for download from the main Apache site or from any mirror download site.
This is a security, bug fix and minor upgrade release.
Due to security issues, any sites using versions prior to
Apache 2.0.43 should upgrade to Apache 2.0.43.
Read more about the other security issues that affect Apache 2.0.
Security issues
- Fix the security vulnerability regarding a cross-site scripting vulnerability in the default error page when using wildcard DNS.
CAN-2002-0840
- Fix the exposure of CGI source when a POST request is sent to a location where both DAV and CGI are enabled.
CAN-2002-1156
- Fix the security vulnerability regarding some possible overflows in ab.c which could be exploited by a malicious server.
CAN-2002-0843
Bugs fixed
The following bugs were found in Apache 2.0.42 and have been
fixed in Apache 2.0.43:
- The UserDir directive has been fixed to again take a list of user names to enable userdir access for, as per 1.3.
- Flushing behaviour has been improved, to ensure that available response output is flushed when no new output is pending, helping streaming CGIs and other dynamically-generated content.
- mod_auth_ldap has been fixed to retry connections to the LDAP server if it becomes unavailable.
- Fix for a locking problem in mod_ssl's session cache code which could cause infinite loops on some platforms.
- Fixes for mod_cache to prevent a segfault when attempting to cache some combinations of content (for instance, when using SSI tags which execute CGI scripts), and to correct the CacheMaxStreamingBuffer directive for virtual hosts.
- The default server root directory in suexec has been fixed to match the default install root.
- mod_proxy was fixed to not strip WWW-Authenticate headers on 4xx error responses, which prevented server authentication from being performed via the proxy.
New features
- A new module, mod_logio, has been added which allows logging of the number of bytes sent and received by the server.
- A -p option has been added to apxs to allow programs to be compiled using this tool.
ApacheCon early-bird extended
If you are reading this issue on Friday the 4th October 2002 then you may still have a few hours to get the US$200 discount on registration for ApacheCon.
ApacheCon is being held in Las Vegas, USA from the 19th-21st November 2002, with an optional day of tutorials available on November 18th. The conference is being held at the same time as Comdex in Las Vegas, and all ApacheCon delegates also get a free pass to the Comdex Exhibit hall.
Apache Week will be on hand as always to report on the event.
Find out more at the conference web site, or read our account of ApacheCon 2001 Santa Clara.
Covalent founder breaks bond to form new Apache startup
An article this week in ZDNet News, Apache chief scouts a new direction, follows the resignation of Randy Terbush from Covalent. Randy has started up a new company focusing on Apache services rather than products. He is joined by another former Covalent employee and ASF director, Dirk-Willem van Gulik.
Covalent received a lot of press attention back at the 2000 ApacheCon when they announced they were assembling a dream team of Apache developers. However, with the reported recent departure of lead Apache 2.0 contributor Ryan Bloom, only one of the original five remains. Even so, Covalent report having "their best quarters ever ... with double-digit growth".
This issue brought to you by: Mark J Cox, Joe Orton