Apache Week
Issue 324, 4th April 2003

Copyright 1996-2005
Red Hat, Inc.

Security Reports

This week a number of security issues have been announced that affect versions of the Apache httpd server.

  • Apache versions before Apache 2.0.45 have a significant Denial of Service vulnerability. This issue only affects versions of Apache 2.0. Even though fixes for this issue appear in the new Apache 2.0.45 release, specific details of this vulnerability are being withheld until April 8th. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0132 to this issue.
  • Apache on OS/2 up to and including Apache 2.0.45 has a Denial of Service vulnerability. Full details have not yet been released, but it is likely that any OS/2 binaries released for Apache 2.0.45 will already contain the fix. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0134 to this issue.

A report sent to the Bugtraq mailing list last month found a number of issues where terminal emulator software can be abused when untrusted data is displayed. One source of untrusted data is log files, and although certain versions of Apache 1.3 filter escape sequences from access log files, no filtering is done on error log files or Apache 2.0 access log files:

  • Apache 1.3 up to and including 1.3.25 and Apache 2.0 up to and including 2.0.45 do not filter terminal escape sequences from access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0083 to this issue.
  • Apache 1.3 and Apache 2.0 (all versions to date) do not filter terminal escape sequences from error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0020 to this issue.
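
The following Python sketch is an added illustration, not code from Apache Week or from the Apache project. It shows the defensive side of the log issue described above: escaping control characters in request-derived fields before they reach a log file (the kind of filtering the article says certain Apache 1.3 versions apply to access logs), and scanning an existing log for lines that still carry raw escape bytes before they are shown on a terminal. The sample log lines and the escaping convention (named escapes for the common control characters, `\xHH` for the rest, and a doubled backslash so escaped text stays unambiguous) are this example's own assumptions.

```python
# Added example: escaping and detecting terminal control characters in
# web server log data. Not Apache code; conventions below are assumed.

from typing import List

# Named escapes for control characters that commonly appear in text.
# The backslash itself is doubled so that an attacker writing the literal
# six characters "\x1b[2J" in a request cannot be confused with a real ESC
# byte that this function rendered as "\x1b".
_NAMED_ESCAPES = {
    "\n": "\\n",
    "\r": "\\r",
    "\t": "\\t",
    "\b": "\\b",
    "\v": "\\v",
    "\\": "\\\\",
}


def _is_control(ch: str) -> bool:
    """C0 control characters (below 0x20) and DEL (0x7f) are the bytes a
    terminal interprets instead of printing; ESC (0x1b) is among them."""
    code = ord(ch)
    return code < 0x20 or code == 0x7F


def escape_log_item(item: str) -> str:
    """Render an untrusted field (request line, referer, user agent) so
    that writing it to a log file and later viewing that file on a
    terminal cannot emit a control sequence."""
    out = []
    for ch in item:
        if ch in _NAMED_ESCAPES:
            out.append(_NAMED_ESCAPES[ch])
        elif _is_control(ch):
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def find_unescaped_lines(lines: List[str]) -> List[int]:
    """Return the indexes of log lines that contain raw control characters.
    Useful for auditing logs written by a server that does no filtering."""
    return [i for i, line in enumerate(lines) if any(_is_control(ch) for ch in line)]


def sanitize_log_lines(lines: List[str]) -> List[str]:
    """Escape every line so the log can be displayed safely with cat, tail
    or less; the original bytes remain recoverable from the escapes."""
    return [escape_log_item(line) for line in lines]


# Constructed sample access log lines (not real traffic). The second line
# contains a raw ESC byte followed by a "clear screen" sequence in the
# request path, which is exactly the kind of data the article describes.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Apr/2003:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1234',
    '192.0.2.11 - - [04/Apr/2003:10:00:01 +0000] "GET /\x1b[2J HTTP/1.0" 404 210',
]


if __name__ == "__main__":
    for idx in find_unescaped_lines(SAMPLE_LOG):
        print("line %d contains raw control characters" % idx)
    for line in sanitize_log_lines(SAMPLE_LOG):
        print(line)
```

Running the block flags the second sample line and prints both lines with the ESC byte rendered as the four visible characters `\x1b`, so the file is safe to inspect with ordinary terminal tools. Escaping at write time is the stronger fix, since it protects every tool that later reads the log; the scanner covers logs already written by a server that did not filter.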

In the news

A number of news sources report that Oracle's Ellison anticipates the death of Windows. Larry Ellison, head of Oracle, asserted that Microsoft had already had its web server "killed" by Apache. He said Microsoft's Web server offering had been "slaughtered, wiped out, taken from market dominance to irrelevance".

This history of events is a little inaccurate, however, as the Apache Web server was first announced in February 1995, a year before Microsoft IIS 1.0 was even released. The Apache web server has always been dominant, having a higher market share than IIS according to surveys such as the monthly Netcraft report.


Apache 2.0.45 Released

Apache 2.0.45 was released on 2nd April 2003 and is now the latest version of the Apache 2.0 server. The previous release was 2.0.44, released on 21st January 2003. See what was new in Apache 2.0.44.

Apache 2.0.45 is available for download.

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions prior to Apache 2.0.45 should upgrade to Apache 2.0.45. Read more about the other security issues that affect Apache 2.0.

Security issues

  • Apache 2.0 versions before Apache 2.0.45 have a significant Denial of Service vulnerability. The specific details of this vulnerability are being withheld until April 8th. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0132 to this issue.
  • Apache 2.0 versions between 2.0.21 and 2.0.44 inclusive leak some file descriptors to child processes such as CGI scripts, which can allow the CGI script greater control over the server than is necessary. BZ#17206

Bugs fixed

The following bugs were found in Apache 2.0.44 and have been fixed in Apache 2.0.45:

  • mod_rewrite: several fixes for path handling, especially on non-Unix platforms (BZ#12902); prevent infinite loops in internal redirects (BZ#17462); prevent mod_proxy from escaping URLs proxied by a rewrite rule
  • mod_file_cache: several segfault fixes. (BZ#16313)
  • Several fixes for mod_ldap's result caching support (BZ#12757); also added support for character set conversion to mod_auth_ldap
  • Fixes for potential memory leaks and filtering problems in mod_deflate (BZ#16046, BZ#16134, BZ#14451)
  • mod_ssl: fix SSLMutex to allow selecting lock type (BZ#8122); fixes for 64-bit platforms; fix the SSLCertificateChain directive to not skip the first certificate (BZ#14560)
  • Win32 specific: avoid consuming CPU cycles under load; fixed piped access log
  • apachectl fixes for use of ulimit on Tru64 and AIX
  • Several fixes to handle misconfigurations more robustly (BZ#17093, BZ#9076)
  • A fix for mod_auth_digest, which could produce incorrect authentication challenges on non-Unix platforms if an AuthDigestDomain directive was not used (BZ#16937)

New features

  • An RPM .spec file is now included
  • mod_deflate supports configurable compression level, and accurate logging of input and output bytes
  • The CGI modules will now log diagnostic information for common errors encountered when executing scripts (such as a permissions problem)

This issue brought to you by: Mark J Cox, Joe Orton
Comments or criticisms? Please email us at editors@apacheweek.com