Apache Week

Issue 329, 30th May 2003

Copyright 1996-2005
Red Hat, Inc.

Security Reports

This week, new security issues have been announced that affect version 2 of the Apache httpd server.

  • Apache versions 2.0.37 to 2.0.45 have a bug that can cause Apache to crash. This bug can be triggered remotely through mod_dav, mod_ssl, and possibly by other mechanisms. In some circumstances this issue could lead to remote code execution.

    This issue was originally discovered by iDefense, who reported it to the Apache Software Foundation on 9th April 2003. Investigation by the Apache security team and Joe Orton found that this was a bug that could be triggered by long strings being passed to the Apache Portable Runtime (APR) apr_pvsprintf() function. No exploits are currently known to exist for this issue.

    Even though fixes for this issue appeared in the new Apache 2.0.46 release earlier this week, specific details of the vulnerability were withheld until May 30th. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0245 to this issue.

  • Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms are vulnerable to a denial-of-service attack on the basic authentication module. A bug in the configuration scripts caused the apr_password_validate() function to be thread-unsafe on platforms with crypt_r(), including AIX and Linux. All versions of Apache 2.0 have this thread-safety problem on platforms with no crypt_r() and no thread-safe crypt(), such as Mac OS X and possibly others. When using a threaded MPM (which is not the default on these platforms), this allows remote attackers to create a denial of service which causes valid usernames and passwords for Basic Authentication to fail until Apache is restarted. This bug does not allow unauthorised users to gain access to protected resources.

    This issue was reported to the Apache Software Foundation by John Hughes on the 25th April 2003. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0189 to this issue.
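The two reports above each name an affected version range, and the second applies only when a threaded MPM is in use. The following script, added here as an illustration and not code from Apache Week or the httpd project, turns those conditions into a check a site administrator can run against the output of `httpd -v` and `httpd -l`. The version ranges and advisory names are taken from the reports above; the list of threaded MPM source files, the sample command output and the function names are assumptions made for the example.

```python
import re

# Affected version ranges as given in the two reports above; both issues are
# fixed in 2.0.46. Only Apache 2.0.x is covered here.
ADVISORIES = {
    "CAN-2003-0245": {
        "affected": ((2, 0, 37), (2, 0, 45)),
        "threaded_only": False,
        "summary": "apr_pvsprintf() crash reachable via mod_dav/mod_ssl, possible code execution",
    },
    "CAN-2003-0189": {
        "affected": ((2, 0, 40), (2, 0, 45)),
        "threaded_only": True,
        "summary": "thread-unsafe apr_password_validate() makes Basic auth fail under a threaded MPM",
    },
}

# MPM source files that 'httpd -l' lists for threaded Unix MPMs in the 2.0
# tree (assumption for this example; prefork.c is the non-threaded default).
THREADED_MPMS = {"worker.c", "perchild.c", "leader.c", "threadpool.c"}
KNOWN_MPMS = THREADED_MPMS | {"prefork.c"}


def parse_version(text):
    """Return (major, minor, patch) from 'httpd -v' output or a Server: header."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_mpm(modules_text):
    """Return the MPM named in 'httpd -l' output (e.g. 'worker.c'), or None."""
    for line in modules_text.splitlines():
        name = line.strip()
        if name in KNOWN_MPMS:
            return name
    return None


def assess(version_text, modules_text=""):
    """Map a build's version and MPM to the advisories from this issue.

    Returns (version_tuple, mpm_name, [advisory ids]). CAN-2003-0189 is only
    reported for threaded MPMs; the report's note that platforms lacking
    crypt_r() (such as Mac OS X) are affected on every 2.0 version is not
    modelled, since that depends on the C library, not on the build output.
    """
    version = parse_version(version_text)
    if version is None:
        raise ValueError("no Apache/x.y.z version string found")
    mpm = parse_mpm(modules_text)
    threaded = mpm in THREADED_MPMS
    hits = []
    for cve, info in ADVISORIES.items():
        low, high = info["affected"]
        if low <= version <= high and (threaded or not info["threaded_only"]):
            hits.append(cve)
    return version, mpm, hits


# Constructed sample output in the shape 'httpd -v' and 'httpd -l' print.
SAMPLE_VERSION = "Server version: Apache/2.0.45\nServer built:   Apr  1 2003 15:09:02\n"
SAMPLE_MODULES = "Compiled in modules:\n  core.c\n  worker.c\n  http_core.c\n  mod_so.c\n"

if __name__ == "__main__":
    version, mpm, hits = assess(SAMPLE_VERSION, SAMPLE_MODULES)
    print("Apache %d.%d.%d (%s):" % (version + (mpm,)))
    for cve in hits:
        print("  %s: %s" % (cve, ADVISORIES[cve]["summary"]))
    if not hits:
        print("  no advisories from this issue apply")
```

Run against a real server, the two inputs come from `httpd -v` and `httpd -l` on the host itself; a `Server:` response header also works for the version but says nothing about the MPM, so the second advisory is then reported only if you supply the module list.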


Apache 2.0.46 Released

Apache 2.0.46 was released on 28th May 2003 and is now the latest version of the Apache 2.0 server. The previous release was 2.0.45, released on the 2nd April 2003. See what was new in Apache 2.0.45.

Apache 2.0.46 is available for download.

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions prior to Apache 2.0.46 should upgrade to Apache 2.0.46. Read more about the other security issues that affect Apache 2.0.

Security issues

  • Apache can be caused to crash in certain circumstances. This can be triggered remotely through mod_dav, mod_ssl, and possibly other mechanisms and could lead to remote code execution. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0245 to this issue.
  • A build system problem in Apache 2.0.40 through 2.0.45 allows remote attackers to cause a denial of access to authenticated content when a threaded server is used. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0189 to this issue.
  • Apache on OS/2 before Apache 2.0.46 has a Denial of Service vulnerability relating to reserved device names. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0134 to this issue.

Bugs fixed

The following bugs were found in Apache 2.0.45 and have been fixed in Apache 2.0.46:

  • mod_proxy: don't override the origin server's Date header in proxied responses; fix a segfault when multiple ProxyBlock directives are used (BZ#19023)
  • mod_deflate: several fixes to prevent attempts to compress content which is already compressed (BZ#19913, BZ#17797)
  • mod_rewrite: fix handling of absolute URIs and ordering of content type checking (BZ#19626)
  • mod_autoindex: fix for use of wildcard patterns (BZ#12596); use modern query string separators (BZ#10880)
  • Two fixes for handling of redirects: the source query string will be appended to the redirect destination when appropriate (BZ#10961); a redirect to an IPv6 literal address will now work correctly (BZ#19207)
  • Platform-specific changes: fix for a link problem on AIX when mod_so is used (BZ#19012); the Nagle algorithm is now disabled correctly on Windows
  • Many small fixes for the build system; binbuild.sh works again (BZ#18649); libtool 1.5 is supported
  • Other changes include fixes for bugs BZ#9427, BZ#16907, and BZ#17135

New features

  • Add a new directive, AllowEncodedSlashes, to allow use of URIs which contain encoded slash characters: see previous coverage of this feature
  • Enable core dumps on Linux 2.4 platforms when Apache is started as root and CoreDumpDirectory is used: see previous discussion of this issue
  • Allow logging thread ID as well as process ID from mod_log_config
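The three features above are all set in httpd.conf. The fragment below is an added example, not configuration shipped with Apache 2.0.46 or taken from Apache Week; the directive names and the `%{tid}P` log format item are the documented 2.0.46 syntax, while the paths, server name and log format name are placeholders.

```apache
# Added example: httpd.conf fragment using the three 2.0.46 features.

# Core dumps go here; the directory must be writable by the user the child
# processes run as. On Linux 2.4, 2.0.46 now re-enables dumps for a server
# that was started as root and dropped privileges.
CoreDumpDirectory /var/tmp/apache-cores

# Record the serving thread ID next to the process ID so that requests handled
# by one worker thread can be told apart (only meaningful with a threaded MPM).
LogFormat "%h %l %u %t \"%r\" %>s %b pid=%P tid=%{tid}P" withtid
CustomLog /var/log/httpd/access_log withtid

<VirtualHost *:80>
    ServerName www.example.com
    # Default is Off: a %2F in the path part of a URI is answered with 404.
    # Enable it only for applications that genuinely carry "/" inside a path
    # segment, since handlers then receive the decoded slash.
    AllowEncodedSlashes On
</VirtualHost>
```

AllowEncodedSlashes is scoped per server or virtual host, so it can be switched on only for the host that needs it while the rest of the server keeps the default rejection.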

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

In the second instalment of a series of articles about mod_perl 2.0, Geoffrey Young demonstrates how he uses Apache-Test from the Perl Framework component of the Apache HTTP Test Project to write his own test suite to ensure that his Apache::Clean module really works. Apart from the basics, he also shows you how to use the utility functions provided by the Apache::TestUtil module to facilitate the process of writing and debugging your tests.

"Towards Next Generation URLs" looks at the pros and cons of complex, hard-to-read URLs and lists a few methods to clean up those dirty URLs. The tips include using mod_rewrite for Apache to rewrite URLs with long query strings, mod_negotiation to implement content negotiation, and mod_speling to correct misspellings of URLs.

PHPBuilder takes a peek at the new features of PHP 5 despite the fact that it is still in the development stage. It focuses on three major features, namely object model, exceptions, and namespaces, but warns that some of these features may change when PHP 5 is finally released.

"Open Source CMS: Apache Gets Stable" introduces the 1.0rc1 release of Apache Lenya, a Java Open-Source Content Management System based on XML and XSLT. It requires J2SE, Tomcat, Ant and Cocoon, and offers features such as revision control, scheduling, a built-in search engine, separate staging areas, and workflow management.


This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan
Comments or criticisms? Please email us at editors@apacheweek.com