[PLUTO-security] [Fwd: [SECURITY] [ANNOUNCE] Apache 2.0.46 released]
Tom aka 'Dido'
tom at pluto.linux.it
Thu May 29 10:46:34 CEST 2003
Dido
(the moderator)
-----Forwarded Message-----
> From: Apache HTTP Server Project <jwoolley a apache.org>
> To: bugtraq a securityfocus.com
> Subject: [SECURITY] [ANNOUNCE] Apache 2.0.46 released
> Date: 28 May 2003 12:29:03 -0400
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Apache 2.0.46 Released
>
> The Apache Software Foundation and the Apache HTTP Server Project are
> pleased to announce the ninth public release of the Apache 2.0
> HTTP Server. This Announcement notes the significant changes in
> 2.0.46 as compared to 2.0.45.
>
>
> This version of Apache is principally a security and bug fix release.
> A summary of the bug fixes is given at the end of this document.
> Of particular note is that 2.0.46 addresses two security
> vulnerabilities:
>
> Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
> certain circumstances. This can be triggered remotely through mod_dav
> and possibly other mechanisms. The crash was originally reported by
> David Endler <DEndler a iDefense.com> and was researched and fixed by
> Joe Orton <jorton a redhat.com>. Specific details and an analysis of the
> crash will be published Friday, May 30. No more specific information
> is disclosed at this time, but all Apache 2.0 users are encouraged to
> upgrade now.
> [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245]
>
> Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were
> vulnerable to a denial-of-service attack on the basic authentication
> module, which was reported by John Hughes <john.hughes a entegrity.com>.
> A bug in the configuration scripts caused the apr_password_validate()
> function to be thread-unsafe on platforms with crypt_r(), including
> AIX and Linux. All versions of Apache 2.0 have this thread-safety
> problem on platforms with no crypt_r() and no thread-safe crypt(),
> such as Mac OS X and possibly others. When using a threaded MPM (which
> is not the default on these platforms), this allows remote attackers
> to create a denial of service which causes valid usernames and
> passwords for Basic Authentication to fail until Apache is restarted.
> We do not believe this bug could allow unauthorized users to gain
> access to protected resources.
> [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189]
>
> The Apache Software Foundation would like to thank David Endler
> and John Hughes for the responsible reporting of these issues.
>
>
> This release is compatible with modules compiled for 2.0.42 and later
> versions. We consider this release to be the best version of Apache
> available and encourage users of all prior versions to upgrade.
>
> Apache 2.0.46 is available for download from
>
> http://httpd.apache.org/download.cgi
>
> Please see the CHANGES_2.0 file, linked from the above page, for
> a full list of changes.
>
> Apache 2.0 offers numerous enhancements, improvements, and performance
> boosts over the 1.3 codebase. For an overview of new features introduced
> after 1.3 please see
>
> http://httpd.apache.org/docs-2.0/new_features_2_0.html
>
> When upgrading or installing this version of Apache, please keep
> in mind the following:
>
> If you intend to use Apache with one of the threaded MPMs, you must
> ensure that the modules (and the libraries they depend on) that you
> will be using are thread-safe. Please contact the vendors of these
> modules to obtain this information.
>
>
> Apache 2.0.46 Major changes
>
> Security vulnerabilities closed since Apache 2.0.45
>
> *) SECURITY [CAN-2003-0245]: Fixed a bug that could be triggered
> remotely through mod_dav and possibly other mechanisms, causing
> an Apache child process to crash. The crash was first reported
> by David Endler <DEndler a iDefense.com> and was researched and
> fixed by Joe Orton <jorton a redhat.com>. Details will be released
> on 30 May 2003.
>
> *) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability
> affecting basic authentication on Unix platforms related to
> thread-safety in apr_password_validate(). The problem was reported
> by John Hughes <john.hughes a entegrity.com>.
>
>
> Bugs fixed and features added since Apache 2.0.45
>
> *) Fix for mod_dav. Call the 'can_be_activity' callback, if provided,
> when a MKACTIVITY request comes in.
> [Ben Collins-Sussman <sussman a collab.net>]
>
> *) Perform run-time query in apxs for apr and apr-util's includes.
> [Justin Erenkrantz]
>
> *) run libtool from the apr install directory (in case that is different
> from the apache install directory) [Jeff Trawick]
>
> *) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]
>
> *) If mod_mime_magic does not know the content-type, do not attempt to
> guess. PR 16908. [Andrew Gapon <agapon a telcordia.com>]
>
> *) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session
> caching. PR 17864.
> [Andreas Leimbacher <andreasl67 a yahoo.de>, Madhusudan Mathihalli]
>
> *) Add a delete flag to htpasswd.
> [Thom May]
>
> *) Fix mod_rewrite's handling of absolute URIs. The escaping routines
> now work scheme dependent and the query string will only be
> appended if supported by the particular scheme. [André Malo]
>
> *) Add another check for already compressed content in mod_deflate.
> PR 19913. [Tsuyoshi SASAMOTO <nazonazo a super.win.ne.jp>]
>
> *) Fixes for VPATH builds; copying special.mk and any future .mk files
> from the source tree as well as the build tree (now creates a usable
> configuration for apxs), and eliminated redundant -I'nclude paths.
> [William Rowe]
>
> *) Code fixes, constness corrections and ssl_toolkit_compat.h updates
> for SSLC and OpenSSL toolkit compatibility. Still work remains to
> be done to cripple features based on the limitations of RSA's binary
> distribution of their SSL-C toolkit.
> [William Rowe, Madhusudan Mathihalli, Jeff Trawick]
>
> *) Linux 2.4+: If Apache is started as root and you code
> CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
> [Greg Ames]
>
> *) ap_get_mime_headers_core: allocate space for the trailing null
> when folding is in effect.
> PR 18170 [Peter Mayne <PeterMayne a SPAM_SUX.ap.spherion.com>]
>
> *) Fix --enable-mods-shared=most and other variants. [Aaron Bannert]
>
> *) mod_log_config: Add the ability to log the id of the thread
> processing the request via new %P formats. [Jeff Trawick]
>
> *) Use appropriate language codes for Czech (cs) and Traditional Chinese
> (zh-tw) in default config files. PR 9427. [André Malo]
>
> *) mod_auth_ldap: Use generic whitespace character class when parsing
> "require" directives, instead of literal spaces only. PR 17135.
> [André Malo]
>
> *) Hook mod_rewrite's type checker before mod_mime's one. That way the
> RewriteRule [T=...] Flag should work as expected now. PR 19626.
> [André Malo]
>
> *) htpasswd: Check the processed file on validity. If a line is not empty
> and not a comment, it must contain at least one colon. Otherwise exit
> with error code 7. [Kris Verbeeck <Kris.Verbeeck a ubizen.com>, Thom May]
>
> *) Fix a problem that caused httpd to be linked with incorrect flags
> on some platforms when mod_so was enabled by default, breaking
> DSOs on AIX. PR 19012 [Jeff Trawick]
>
> *) By default, use the same CC and CPP with which APR was built.
> The user can override with CC and CPP environment variables.
> [Jeff Trawick]
>
> *) Fix ap_construct_url() so that it surrounds IPv6 literal address
> strings with []. This fixes certain types of redirection.
> PR 19207. [Jeff Trawick]
>
> *) forward port of buffer overflow fixes for htdigest. [Thom May]
>
> *) Added AllowEncodedSlashes directive to permit control of whether
> the server will accept encoded slashes ('%2f') in the URI path.
> Default condition is off (the historical behaviour). This permits
> environments in which the path-info needs to contain encoded
> slashes. PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639.
> [Ken Coar]
>
> *) When using Redirect in directory context, append requested query
> string if there's no one supplied by configuration. PR 10961.
> [André Malo]
>
> *) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise
> the pattern will not always match as desired. PR 12596.
> [André Malo]
>
> *) mod_autoindex now emits and accepts modern query string parameter
> delimiters (;). Thus column headers no longer contain unescaped
> ampersands. PR 10880 [André Malo]
>
> *) Enable ap_sock_disable_nagle for Windows. This along with the
> addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle
> to be disabled for Windows. [Allan Edwards]
>
> *) Correct a mis-correlation between mpm_common.c and mpm_common.h;
> This patch reverts us to pre-2.0.46 behavior, using the
> ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle
> was never compiled on Win32. [Allan Edwards, William Rowe]
>
> *) Fix a build problem with passing unsupported --enable-layout
> args to apr and apr-util. This broke binbuild.sh as well as
> user-specified layout parameters. PR 18649 [Justin Erenkrantz,
> Jeff Trawick]
>
> *) If a Date response header was already set in the headers array,
> this value was ignored in favour of the current time. This meant
> that Date headers on proxied requests were rewritten when they
> should not have been. PR: 14376 [Graham Leggett]
>
> *) Add code to buildconf that produces an httpd.spec file from
> httpd.spec.in, using build/get-version.sh from APR.
> [Graham Leggett]
>
> *) Fixed a segfault when multiple ProxyBlock directives were used.
> PR: 19023 [Sami Tikka <sami.tikka a f-secure.com>]
>
> *) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability
> identified and reported by Robert Howard <rihoward a rawbw.com>,
> where device names faulted the running OS2 worker process.
> The fix is actually in APR 0.9.4. [Brian Havard]
>
> *) Forward port: Escape special characters (especially control
> characters) in mod_log_config to make a clear distinction between
> client-supplied strings (with special characters) and server-side
> strings. This was already introduced in version 1.3.25.
> [André Malo]
>
> *) mod_deflate: Check also err_headers_out for an already set
> Content-Encoding: gzip header. This prevents gzip compressed content
> from a CGI script from being compressed once more. PR 17797.
> [André Malo]
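The mod_log_config change forward-ported above escapes control characters in client-supplied fields so they cannot be confused with server-side text. The following is an added illustration, not Apache's own code: it approximates that escaping (backslash and quote escaped, common control characters as C mnemonics, other non-printables as \xHH) and shows a constructed User-Agent with embedded CR/LF staying inside a single log record. The escaping rules and the sample values are assumptions made for the example.

```python
# Added example (not Apache's code): approximate the control-character
# escaping mod_log_config applies to client-supplied fields, and show why
# it keeps a client from forging an extra access-log record.

# Characters with a C-style mnemonic escape (assumed set for this example).
_SIMPLE = {"\\": "\\\\", '"': '\\"', "\b": "\\b", "\n": "\\n",
           "\r": "\\r", "\t": "\\t", "\v": "\\v"}


def escape_logitem(value: str) -> str:
    """Escape one client-supplied string before it is written to the log.

    Backslash and double quote are escaped, common control characters get
    their mnemonic, and any other character outside printable ASCII is
    emitted byte-wise as \\xHH, so the field can never contain a raw newline
    or an unescaped quote that would let it masquerade as server-side text.
    """
    out = []
    for ch in value:
        if ch in _SIMPLE:
            out.append(_SIMPLE[ch])
        elif ch < " " or ch > "~":
            for b in ch.encode("utf-8", "surrogateescape"):
                out.append("\\x%02x" % b)
        else:
            out.append(ch)
    return "".join(out)


def combined_log_line(client_ip, user, request_line, status, size, referer, ua):
    """Build a 'combined'-style line; every client-controlled field is escaped."""
    return '%s - %s "%s" %d %d "%s" "%s"' % (
        client_ip, user, escape_logitem(request_line), status, size,
        escape_logitem(referer), escape_logitem(ua))


# Constructed sample: a User-Agent carrying CR/LF followed by text shaped
# like a second log entry, the kind of input a defender wants neutralised.
FORGED_UA = 'Mozilla/4.0\r\n10.0.0.1 - - "GET /admin HTTP/1.0" 200 5 "-" "x"'


def demo() -> str:
    """Return the escaped record; it must remain exactly one line."""
    line = combined_log_line("192.0.2.10", "-", "GET /index.html HTTP/1.1",
                             200, 1024, "-", FORGED_UA)
    assert "\n" not in line and "\r" not in line
    return line
```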