
UNIRAS Brief - 398/03 - Apache - security and bug fix release


- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 398/03 dated 11.07.03  Time: 10:10
 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------


Apache Security Advisory:

security and bug fix release



                       Apache 2.0.47 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the tenth public release of the Apache 2.0
   HTTP Server.  This Announcement notes the significant changes in
   2.0.47 as compared to 2.0.46.

   This version of Apache is principally a security and bug fix release.
   A summary of the bug fixes is given at the end of this document.
   Of particular note is that 2.0.47 addresses four security
   vulnerabilities:

   Certain sequences of per-directory renegotiations and the SSLCipherSuite
   directive being used to upgrade from a weak ciphersuite to a strong one
   could result in the weak ciphersuite being used in place of the strong
   one.
   Certain errors returned by accept() on rarely accessed ports could cause
   temporal denial of service, due to a bug in the prefork MPM.

   Denial of service was caused when the target host is IPv6 but the ftp
   proxy server can't create an IPv6 socket.

   The server would crash when going into an infinite loop due to too many
   subsequent internal redirects and nested subrequests.

   The Apache Software Foundation would like to thank Saheed Akhtar and
   Yoshioka Tsuneo for the responsible reporting of two of these issues.

   This release is compatible with modules compiled for 2.0.42 and later
   versions.  We consider this release to be the best version of Apache
   available and encourage users of all prior versions to upgrade.

   Apache 2.0.47 is available for download from


   Please see the CHANGES_2.0 file, linked from the above page, for
   a full list of changes.

   Apache 2.0 offers numerous enhancements, improvements, and performance
   boosts over the 1.3 codebase.  For an overview of new features introduced
   after 1.3 please see


   When upgrading or installing this version of Apache, please keep
   in mind the following:

   If you intend to use Apache with one of the threaded MPMs, you must
   ensure that the modules (and the libraries they depend on) that you
   will be using are thread-safe.  Please contact the vendors of these
   modules to obtain this information.

                       Apache 2.0.47 Major changes

   Security vulnerabilities closed since Apache 2.0.46

    *) SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
       of per-directory renegotiations and the SSLCipherSuite directive
       being used to upgrade from a weak ciphersuite to a strong one
       could result in the weak ciphersuite being used in place of the
       strong one.  [Ben Laurie]

    *) SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing
       temporary denial of service when accept() on a rarely accessed port
       returns certain errors.  Reported by Saheed Akhtar
       <S.Akhtar@xxxxxxxxx>.  [Jeff Trawick]

    *) SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial
       of service when target host is IPv6 but proxy server can't create
       IPv6 socket.  Fixed by the reporter.  [Yoshioka Tsuneo]

    *) SECURITY [VU#379828] Prevent the server from crashing when entering
       infinite loops. The new LimitInternalRecursion directive configures
       limits of subsequent internal redirects and nested subrequests, after
       which the request will be aborted.  PR 19753 (and probably others).
       [William Rowe, Jeff Trawick, André Malo]
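   The new LimitInternalRecursion directive applied to a deliberately
   looping per-directory rewrite, as an added configuration example that is
   not part of the Apache announcement; the DocumentRoot path and the
   rewrite rule are assumptions made for illustration:

```apache
# Added example (not from the Apache announcement): using the
# LimitInternalRecursion directive introduced in Apache 2.0.47.
# The directory path and the rewrite rule are constructed for
# illustration only.

# Server-wide: abort a request after 10 consecutive internal redirects
# or 10 levels of nested subrequests (these are the documented defaults;
# raise them only for applications that legitimately chain redirects).
LimitInternalRecursion 10 10

<Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride None

    # A looping misconfiguration: in per-directory context every rewrite
    # result is applied by an internal redirect, and this rule rewrites
    # loop/<anything> to loop/x<anything>, which matches the pattern again,
    # and so on.  Before 2.0.47 such a loop could crash the server process
    # (VU#379828); with the limit above the request is aborted with a
    # 500 response and an error-log entry instead.
    RewriteEngine On
    RewriteRule ^loop/(.*)$ loop/x$1
</Directory>
```

   Requesting any URL under /loop/ on a server with this configuration
   exercises the limit; the error log, not a crashed child process, is where
   the loop shows up.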

   Bugs fixed and features added since Apache 2.0.46

    *) core_output_filter: don't split the brigade after a FLUSH bucket if
       it's the last bucket.  This prevents creating unnecessary empty
       brigades which may not be destroyed until the end of a keepalive
       [Juan Rivera <Juan.Rivera@xxxxxxxxxx>]

    *) Add support for "streamy" PROPFIND responses.
       [Ben Collins-Sussman <sussman@xxxxxxxxxx>]

    *) mod_cgid: Eliminate a double-close of a socket.  This resolves
       various operational problems in a threaded MPM, since on the
       second attempt to close the socket, the same descriptor was
       often already in use by another thread for another purpose.
       [Jeff Trawick]

    *) mod_negotiation: Introduce "prefer-language" environment variable,
       which allows the negotiation process to be influenced on a
       per-request basis to prefer a certain language.  [André Malo]

    *) Make mod_expires' ExpiresByType work properly, including for
       dynamically-generated documents.  [Ken Coar, Bill Stoddard]


- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Apache for the information
contained in this Briefing.
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>