Apache Week

Issue 299, 21st June 2002

Copyright 1996-2005
Red Hat, Inc.


Security Reports

Chunked encoding vulnerability

A security vulnerability has been found in the Apache Web server that affects all versions of Apache 1.2 since Apache 1.2.2, all versions of Apache 1.3 prior to Apache 1.3.26, and versions of Apache 2.0 prior to Apache 2.0.39. The severity of the vulnerability varies with the Apache version and the platform in use, ranging from a relatively harmless increase in system resource consumption through to denial of service attacks. In some cases a remote exploit may be possible. The Apache Software Foundation has released an updated Official Security Advisory. The original can be found at BugTraq. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2002-0392 to this issue.

Our summary of the issue:

  • If you are using Apache 1.3 on 32-bit Unix platforms then the effects of this vulnerability are minor. A remote attacker can cause the child process that is processing their request to die. The Apache parent process will eventually get around to replacing the child when required. Update: It has been found that some 32-bit platforms are vulnerable and can be remotely exploited.
  • If you are using Apache 1.3 on 64-bit Unix platforms then the effects depend on the platform. It may be possible on some 64-bit platforms for a remote attacker to remotely exploit the vulnerability and run arbitrary commands as the Apache user.
  • Apache 1.3 on Windows is remotely exploitable. An attacker can remotely exploit the vulnerability and run arbitrary commands on the server.
  • Apache 2.0 is not remotely exploitable, but the effects can range from the minimal child replacement to more severe denial of service attacks, depending on the platform and process model in use.

All users of Apache are advised to upgrade to either Apache 1.3.26 or Apache 2.0.39, available from httpd.apache.org.
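The chunk size in a chunked request body is a hexadecimal string chosen by the client. As an added illustration of the integer-handling bug class behind vulnerabilities of this kind (example code written here, not Apache's own code or anything from the advisory), the C below puts the unsafe pattern of reading that value into a signed int beside a strict parser that checks for overflow, requires the CRLF terminator and enforces a per-chunk limit; MAX_CHUNK_SIZE, the return codes and the sample line are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Per-chunk size limit: a constructed policy value, not an Apache setting. */
#define MAX_CHUNK_SIZE (1024UL * 1024UL)
enum { CHUNK_OK = 0, CHUNK_BAD_SYNTAX = -1, CHUNK_TOO_LARGE = -2 };

/* Unsafe pattern: the client-chosen hex string lands in a signed int, so with a
 * 32-bit int anything from 0x80000000 up comes out negative, slips past a later
 * "size < limit" check, and is then used as a huge unsigned length. */
int naive_chunk_size(const char *line)
{
    return (int)strtoul(line, NULL, 16);
}

/* Hardened parser for a chunk-size line such as "1a;ext=1\r\n" (-> 26):
 * accumulate into size_t with an overflow check, require the CRLF
 * terminator, then apply the policy limit. */
int parse_chunk_size(const char *line, size_t *out)
{
    size_t size = 0;
    const char *p = line;
    int ndigits = 0;
    for (; isxdigit((unsigned char)*p); p++, ndigits++) {
        unsigned d = isdigit((unsigned char)*p)
                   ? (unsigned)(*p - '0')
                   : (unsigned)(tolower((unsigned char)*p) - 'a' + 10);
        if (size > (SIZE_MAX >> 4))      /* another nibble would drop bits */
            return CHUNK_TOO_LARGE;
        size = (size << 4) | d;
    }
    if (ndigits == 0)
        return CHUNK_BAD_SYNTAX;
    if (*p == ';')                        /* skip optional chunk extension */
        while (*p && *p != '\r') p++;
    if (p[0] != '\r' || p[1] != '\n')
        return CHUNK_BAD_SYNTAX;
    if (size > MAX_CHUNK_SIZE)
        return CHUNK_TOO_LARGE;
    *out = size;
    return CHUNK_OK;
}

int main(void)
{
    size_t n = 0;
    const char *hostile = "FFFFFFFF\r\n";              /* constructed sample */
    printf("naive=%d strict=%d\n", naive_chunk_size(hostile),
           parse_chunk_size(hostile, &n));             /* naive=-1 strict=-2 */
    return 0;
}
```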

In the News

The security issue got a fair amount of media coverage, with Apache Week's own Mark Cox providing a number of quotes (some of which were reported accurately too!). Rather than give yet another version of events here in Apache Week, if you are interested in how the flaw was found and the controversy over the reporting of the issues, see our favourite write-up, "Apache admins screwed by premature vuln report" by Thomas C Greene at The Register.

We also found the following articles:


Apache 1.3.26 Released

Apache 1.3.26 was released on 18th June 2002 and is now the latest version of the Apache 1.3 server. The previous release was 1.3.24, released on the 22nd March 2002. See what was new in Apache 1.3.24. Apache 1.3.25 was never released.

Apache 1.3.26 is available in source form for compiling on Unix or Windows, for download from the main Apache site or from any mirror download site.

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions prior to Apache 1.3.26 should upgrade to Apache 1.3.26. Read more about the other security issues that affect Apache 1.3.

Security issues

  • Fix the chunked encoding security vulnerability. (CVE-2002-0392)

New features

The main new features in 1.3.26 (compared to 1.3.24) are:

  • Add text/xml, application/xhtml+xml, audio/mpeg, and video/quicktime mime types to the mime types magic file. PR#7730
  • Added a -F flag which causes the supervisor process to no longer fork down and detach and instead stay attached to the tty. This allows integration with daemontools. PR#7628

Bugs fixed

The following bugs were found in Apache 1.3.24 and have been fixed in Apache 1.3.26:

  • Allow child processes sufficient time for cleanups by making ap_select in reclaim_child_processes more "resistant" to signal interrupts. BZ#8176
  • In Darwin, place dynamically loaded Apache extensions' public symbols into the global symbol table. This allows dynamically loaded PHP extensions.
  • Fix for a problem in mod_rewrite which would lead to 400 Bad Request responses for rewriting rules which resulted in a local path. Note: This will also reject invalid requests as issued by Netscape-4.x Roaming Profiles (on a DAV-enabled server).
  • Recognize platform-specific root directories (other than leading slash) in mod_rewrite for filename rewrite rules. BZ#7492
  • Disallow anything but whitespace on the request line after the HTTP/x.y protocol string to prevent arbitrary user input from ending up in the access_log and error_log. Also control characters are now escaped.
  • A large number of fixes in mod_proxy including: adding support for dechunking chunked responses, correcting a timeout problem which would force long or slow POST requests to close after 300 seconds PR#7552, adding "X-Forwarded" headers, dealing correctly with the multiple-cookie header bug, ability to handle unexpected 100-continue responses sent during PUT or POST commands, and a change to tighten up the Server header overwrite bug-fix.

Apache 2.0.39 Released

Apache 2.0.39 was released on 18th June 2002 and is now the latest version of the Apache server. This is the third stable release of Apache 2.0, following up on 2.0.36 which was released on 8th May 2002. Read our special feature for more information about the history of Apache 2.0.

Apache 2.0.39 is available in source form for compiling on Unix or Windows, for download from the main Apache site or from any mirror download site.

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions of Apache 2 prior to Apache 2.0.39 should upgrade to Apache 2.0.39.

Security issues

  • Fix the chunked encoding security vulnerability. (CVE-2002-0392)

New features

The new features in this release (added since 2.0.36) are:

  • Integration of apachectl functionality into httpd using the -k start|restart|graceful|stop option.
  • mod_ssl now respects the standard logging directives; the SSLLog and SSLLogLevel directives have been deprecated.

Bug Fixes

The bugs fixed in this release include:

  • Semaphore permission handling problems which meant that on some platforms, mod_ssl would stop serving requests after a period of time. BZ#8124 (The bug also affects mod_rewrite if RewriteLogLevel is set above 0).
  • Use of random maps with mod_rewrite is now fixed (BZ#9770).
  • Ignore errors from mutexes (using certain mutex types) during a graceful restart, in the prefork MPM.
  • Fix handling of nested if statements in mod_include (BZ#9866).
  • The +OptRenegotiate option has been fixed in mod_ssl.
  • SSL CONNECT tunnelling has been fixed in mod_proxy (BZ#8903).
  • Using mod_userdir together with ScriptAlias to enable CGI in home directories is fixed (BZ#8841).
  • mod_deflate changes: fix for corrupted output (BZ#9014), and not compressing already-compressed content (BZ#9222).
  • apxs changes: fix warnings from unknown -q options (BZ#9316), use correct directory locations (BZ#8869, BZ#8453), and more (BZ#9316).

Platform-specific changes

The following platform-specific changes have been made:

  • Fix 'make install' on ReliantUnix.
  • For Win32: fix ServerRoot handling, and many improvements to the mod_isapi module.
  • Fix to not open a window for CGI programs on Win32/Netware.
  • Fix corruption of binary files when using CygWin (BZ#9185).
  • An unserialized accept() can be used on AIX 4.3.2 and above.

This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan
Comments or criticisms? Please email us at editors@apacheweek.com