Apache Week

Issue 337, 7th November 2003

Copyright 1996-2005
Red Hat, Inc.

Apache httpd 2.0.48 Released

Apache httpd 2.0.48 was released on 29th October 2003 and is now the latest version of the httpd 2.0 server. The previous release was 2.0.47, released on the 10th July 2003. See what was new in Apache httpd 2.0.47.

Apache httpd 2.0.48 is available for download.

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions of 2.0 prior to Apache httpd 2.0.48 should upgrade to Apache httpd 2.0.48. Read more about the other security issues that affect 2.0.

Security issues

  • Fix issues in the mod_cgid module (usually only used with threaded MPMs on Unix) which could result in script output being sent to the wrong client. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0789 to this issue.
  • Fix buffer overflows in the handling of regular expressions from configuration files in mod_alias and mod_rewrite. To exploit this issue an attacker would need to have the ability to write to Apache configuration files such as .htaccess or httpd.conf. A carefully-crafted configuration file can cause an exploitable buffer overflow and would allow the attacker to execute arbitrary code in the context of the server. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0542 to this issue.

Bugs fixed

The following bugs were found in httpd 2.0.47 and have been fixed in httpd 2.0.48:

  • mod_include: fix possible segfault when processing error conditions (BZ#23836); fix three bugs which could cause output corruption with some input documents (BZ#21095)
  • mod_rewrite: fix log corruption on platforms using flock locking (e.g. FreeBSD); fix support for [P] rewrites (BZ#13946)
  • mod_ssl: fix support for CLIENT_CERT_CHAIN variables (BZ#21371), fix possible segfault after renegotiation failure (BZ#21370), fix FakeBasicAuth when processing subrequests
  • mod_deflate: fix cases where compressed content could be sent to a client which did not request it (BZ#21523); fix compression of empty responses; fix unnecessary buffering of compressed responses
  • Fix handling of <Foo>...</Foo> containers in configuration files (covered previously)
  • Fix infinite recursion if an Include directive is used for a directory containing a file with a name which contained wildcard characters (BZ#22194)
  • mod_cgid: fix bug where a script could be terminated prematurely after a different request ends
  • mod_cache: fix handling of max-age, s-maxage and expires tokens to comply with RFC 2616; fix to allow caching response with an Expires header but no Etag or Last-Modified (BZ#23130)
  • mod_usertrack: fix false positives in matching cookies used for user tracking (BZ#16661)

New features

  • The mime.types file has been updated to the latest types from the IANA and W3C
  • mod_ext_filter exports additional environment variables for use in filter programs (BZ#20944)

Apache httpd 1.3.29 Released

Apache httpd 1.3.29 was released on 29th October 2003 and is now the latest version of the Apache httpd 1.3 server. The previous release was 1.3.28, released on the 18th July 2002. See what was new in Apache httpd 1.3.28.

Apache httpd 1.3.29 is available for download.

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions of Apache httpd 1.3 prior to Apache httpd 1.3.29 should upgrade to Apache httpd 1.3.29. Read more about the other security issues that affect Apache httpd 1.3.

Security issues

  • Fix buffer overflows in the handling of regular expressions from configuration files in mod_alias and mod_rewrite. To exploit this issue an attacker would need to have the ability to write to Apache configuration files such as .htaccess or httpd.conf. A carefully-crafted configuration file can cause an exploitable buffer overflow and would allow the attacker to execute arbitrary code in the context of the server. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0542 to this issue.
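
For an inventory check against the two upgrade recommendations above (2.0.x before 2.0.48, 1.3.x before 1.3.29), the following is an added example, not code from Apache Week or the httpd project. It triages a `Server` header or an `httpd -v` line; the function name, status labels and sample banners are constructed for illustration.

```python
import re

# Fixed releases named in this issue, keyed by branch (major, minor).
FIXED = {(2, 0): (2, 0, 48), (1, 3): (1, 3, 29)}
# CAN names this issue lists under "Security issues" for each branch.
ISSUES = {
    (2, 0): ["CAN-2003-0789", "CAN-2003-0542"],
    (1, 3): ["CAN-2003-0542"],
}

# Matches the core server token only, not module tokens such as mod_ssl/2.0.47.
VERSION_RE = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)")


def triage(banner):
    """Classify a Server header or `httpd -v` line (hypothetical helper).

    Returns (status, issues) where status is one of:
      "upgrade"     - branch is covered here and the version predates the fix
      "ok"          - version is at or past the fixed release for its branch
      "not-covered" - a branch this issue says nothing about
      "unknown"     - no version in the banner (e.g. ServerTokens Prod)
    """
    match = VERSION_RE.search(banner)
    if not match:
        return ("unknown", [])
    version = tuple(int(part) for part in match.groups())
    branch = version[:2]
    if branch not in FIXED:
        return ("not-covered", [])
    if version < FIXED[branch]:
        return ("upgrade", list(ISSUES[branch]))
    return ("ok", [])


if __name__ == "__main__":
    # Constructed sample banners, not taken from real hosts.
    samples = [
        "Apache/2.0.47 (Unix) mod_ssl/2.0.47 OpenSSL/0.9.7b",
        "Server version: Apache/1.3.28 (Unix)",
        "Apache/2.0.48 (Unix)",
        "Apache",
    ]
    for banner in samples:
        status, issues = triage(banner)
        print(f"{status:12} {', '.join(issues) or '-':30} {banner}")
```

A banner is only a hint: vendor packages can carry backported fixes under an older version string, so treat "upgrade" as a prompt to check the package changelog, and "unknown" as a host to inspect directly.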

Bugs fixed

The following bugs have been fixed in 1.3.29:

  • fix a bug introduced in 1.3.28 where zombie processes could be left when using CGI scripts with suexec
  • fix a bug introduced in 1.3.28 where some file descriptors would be closed twice; this could cause problems particularly for third-party modules which keep database sockets open across several requests.
  • fix a connection handling problem when a redirect is sent as an error document response.
  • mod_proxy: fix support for reverse proxying an FTP site
  • mod_usertrack: fix false positives in matching cookies used for user tracking (BZ#16661)

This issue brought to you by: Mark J Cox, Joe Orton
Comments or criticisms? Please email us at editors@apacheweek.com