TUCoPS :: Web :: Apache :: n-099.txt

Apache 2.0.46 Release Fixes Security Vulnerabilities (CIAC N-099)


                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

              Apache 2.0.46 Release Fixes Security Vulnerabilities
                            [Apache 2.0.46 Released]

May 29, 2003 12:00 GMT                                            Number N-099
PROBLEM:       There exist two security vulnerabilities: 
	       1) Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to 
	       crash in certain circumstances. This can be triggered remotely 
	       through mod_dav and possibly other mechanisms. 
	       2) Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms 
	       were vulnerable to a denial-of-service attack on the basic 
	       authentication module. 
SOFTWARE:      Apache 2.0 versions 2.0.37 through 2.0.45
DAMAGE:        Remotely crash Apache or cause a denial-of-service attack. 
SOLUTION:      Upgrade to Apache 2.0.46 
VULNERABILITY  The risk is MEDIUM. These vulnerabilities may cause a 
ASSESSMENT:    denial-of-service. 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-099.shtml 
 ORIGINAL BULLETIN:  http://www.apache.org/dist/httpd/Announcement2.html 
 PATCHES:            http://httpd.apache.org/download.cgi 

[***** Start Apache 2.0.46 Released *****]

Apache 2.0.46 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased 
to announce the ninth public release of the Apache 2.0 HTTP Server. This 
Announcement notes the significant changes in 2.0.46 as compared to 2.0.45.

This version of Apache is principally a security and bug fix release. A summary 
of the bug fixes is given at the end of this document. Of particular note is 
that 2.0.46 addresses two security vulnerabilities:

Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in certain 
circumstances. This can be triggered remotely through mod_dav and possibly 
other mechanisms. The crash was originally reported by David Endler 
<DEndler@iDefense.com> and was researched and fixed by Joe Orton 
<jorton@redhat.com>. Specific details and an analysis of the crash will be 
published Friday, May 30. No more specific information is disclosed at this 
time, but all Apache 2.0 users are encouraged to upgrade now.

Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were vulnerable 
to a denial-of-service attack on the basic authentication module, which was 
reported by John Hughes <john.hughes@entegrity.com>. A bug in the configuration 
scripts caused the apr_password_validate() function to be thread-unsafe on 
platforms with crypt_r(), including AIX and Linux. All versions of Apache 2.0 
have this thread-safety problem on platforms with no crypt_r() and no 
thread-safe crypt(), such as Mac OS X and possibly others. When using a 
threaded MPM (which is not the default on these platforms), this allows 
remote attackers to create a denial of service which causes valid usernames 
and passwords for Basic Authentication to fail until Apache is restarted. We 
do not believe this bug could allow unauthorized users to gain access to 
protected resources.

The Apache Software Foundation would like to thank David Endler and John Hughes 
for the responsible reporting of these issues.

This release is compatible with modules compiled for 2.0.42 and later versions. 
We consider this release to be the best version of Apache available and 
encourage users of all prior versions to upgrade.

Apache 2.0.46 is available for download from

Please see the CHANGES_2.0 file, linked from the above page, for a full list 
of changes.

Apache 2.0 offers numerous enhancements, improvements, and performance boosts 
over the 1.3 codebase. For an overview of new features introduced after 1.3 
please see


When upgrading or installing this version of Apache, please keep in mind the 

If you intend to use Apache with one of the threaded MPMs, you must ensure that 
the modules (and the libraries they depend on) that you will be using are 
thread-safe. Please contact the vendors of these modules to obtain this 

Apache 2.0.46 Major changes

Security vulnerabilities closed since Apache 2.0.45

* SECURITY [CAN-2003-0245]: Fixed a bug that could be triggered remotely through 
  mod_dav and possibly other mechanisms, causing an Apache child process to crash. 
  The crash was first reported by David Endler <DEndler@iDefense.com> and was 
  researched and fixed by Joe Orton <jorton@redhat.com>. Details will be released 
  on 30 May 2003. 

* SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability affecting 
  basic authentication on Unix platforms related to thread-safety in 
  apr_password_validate(). The problem was reported by John Hughes 

Bugs fixed and features added since Apache 2.0.45

* Fix for mod_dav. Call the 'can_be_activity' callback, if provided, when a 
  MKACTIVITY request comes in. [Ben Collins-Sussman <sussman@collab.net>] 
* Perform run-time query in apxs for apr and apr-util's includes. 
  [Justin Erenkrantz] 
* run libtool from the apr install directory (in case that is different from the 
  apache install directory) [Jeff Trawick] 
* configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez] 
* If mod_mime_magic does not know the content-type, do not attempt to guess. 
  PR 16908. [Andrew Gapon <agapon@telcordia.com>] 
* ssl session caching(shmht) : Fix a SEGV problem with SHMHT session caching. 
  PR 17864. [Andreas Leimbacher <andreasl67@yahoo.de>, Madhusudan Mathihalli] 
* Add a delete flag to htpasswd. [Thom May] 
* Fix mod_rewrite's handling of absolute URIs. The escaping routines now work 
  scheme dependent and the query string will only be appended if supported by the 
  particular scheme. [André Malo] 
* Add another check for already compressed content in mod_deflate. PR 19913. 
  [Tsuyoshi SASAMOTO <nazonazo@super.win.ne.jp>] 
* Fixes for VPATH builds; copying special.mk and any future .mk files from the 
  source tree as well as the build tree (now creates a usable configuration for 
  apxs), and eliminated redundant -I'nclude paths. [William Rowe] 
* Code fixes, constness corrections and ssl_toolkit_compat.h updates for SSLC and 
  OpenSSL toolkit compatibility. Still work remains to be done to cripple features 
  based on the limitations of RSA's binary distribution of their SSL-C toolkit. 
  [William Rowe, Madhusudan Mathihalli, Jeff Trawick] 
* Linux 2.4+: If Apache is started as root and you code CoreDumpDirectory, coredumps 
  are enabled via the prctl() syscall. [Greg Ames] 
* ap_get_mime_headers_core: allocate space for the trailing null when folding is in 
  effect. PR 18170 [Peter Mayne <PeterMayne@SPAM_SUX.ap.spherion.com>] 
* Fix --enable-mods-shared=most and other variants. [Aaron Bannert] 
* mod_log_config: Add the ability to log the id of the thread processing the request 
  via new %P formats. [Jeff Trawick] 
* Use appropriate language codes for Czech (cs) and Traditional Chinese (zh-tw) in 
  default config files. PR 9427. [André Malo] 
* mod_auth_ldap: Use generic whitespace character class when parsing "require" 
  directives, instead of literal spaces only. PR 17135. [André Malo] 
* Hook mod_rewrite's type checker before mod_mime's one. That way the RewriteRule 
  [T=...] Flag should work as expected now. PR 19626. [André Malo] 
* htpasswd: Check the processed file on validity. If a line is not empty and not a 
  comment, it must contain at least one colon. Otherwise exit with error code 7. 
  [Kris Verbeeck <Kris.Verbeeck@ubizen.com>, Thom May] 
* Fix a problem that caused httpd to be linked with incorrect flags on some platforms 
  when mod_so was enabled by default, breaking DSOs on AIX. PR 19012 [Jeff Trawick] 
* By default, use the same CC and CPP with which APR was built. The user can override 
  with CC and CPP environment variables. [Jeff Trawick] 
* Fix ap_construct_url() so that it surrounds IPv6 literal address strings with []. 
  This fixes certain types of redirection. PR 19207. [Jeff Trawick] 
* forward port of buffer overflow fixes for htdigest. [Thom May] 
* Added AllowEncodedSlashes directive to permit control of whether the server will 
  accept encoded slashes ('%2f') in the URI path. Default condition is off (the 
  historical behaviour). This permits environments in which the path-info needs to 
  contain encoded slashes. PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639. [Ken Coar] 
* When using Redirect in directory context, append requested query string if there's no 
  one supplied by configuration. PR 10961. [André Malo] 
* Unescape the supplied wildcard pattern in mod_autoindex. Otherwise the pattern will 
  not always match as desired. PR 12596. [André Malo] 
* mod_autoindex now emits and accepts modern query string parameter delimiters (;). 
  Thus column headers no longer contain unescaped ampersands. PR 10880 [André Malo] 
* Enable ap_sock_disable_nagle for Windows. This along with the addition of 
  APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle to be disabled for Windows. 
  [Allan Edwards] 
* Correct a mis-correlation between mpm_common.c and mpm_common.h; This patch reverts 
  us to pre-2.0.46 behavior, using the ap_sock_disable_nagle noop macro, because 
  ap_sock_disable_nagle was never compiled on Win32. [Allan Edwards, William Rowe] 
* Fix a build problem with passing unsupported --enable-layout args to apr and apr-util. 
  This broke binbuild.sh as well as user-specified layout parameters. PR 18649 
  [Justin Erenkrantz, Jeff Trawick] 
* If a Date response header was already set in the headers array, this value was ignored 
  in favour of the current time. This meant that Date headers on proxied requests where 
  rewritten when they should not have been. PR: 14376 [Graham Leggett] 
* Add code to buildconf that produces an httpd.spec file from httpd.spec.in, using 
  build/get-version.sh from APR. [Graham Leggett] 
* Fixed a segfault when multiple ProxyBlock directives were used. PR: 19023 
  [Sami Tikka <sami.tikka@f-secure.com>] 
* SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability identified and 
  reported by Robert Howard <rihoward@rawbw.com> that where device names faulted the 
  running OS2 worker process. The fix is actually in APR 0.9.4. [Brian Havard] 
* Forward port: Escape special characters (especially control characters) in 
  mod_log_config to make a clear distinction between client-supplied strings (with 
  special characters) and server-side strings. This was already introduced in 
  version 1.3.25. [André Malo] 
* mod_deflate: Check also err_headers_out for an already set Content-Encoding: gzip 
  header. This prevents gzip compressed content from a CGI script from being compressed 
  once more. PR 17797. [André Malo] 

[***** End Apache 2.0.46 Released *****]


CIAC wishes to acknowledge the contributions of Apache Software Foundation for 
the information contained in this bulletin.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N089: Red Hat MySQL Vulnerabilities
N-090: Red Hat mod_auth_any Vulnerabilities
N-091: Sun Cobalt PHP SafeMode Vulnerability
N-092: Microsoft Flaw in Windows Media Player Skins 
N-093: Cisco VPN 3000 Concentrator Vulnerabilities
N-094: HP Potential Security Vulnerability in wall(1M)
N-095: Red Hat Multiple Vulnerabilities in KDE
N-096: Red Hat New Kernel Fixes Local Security Issues
N-097: Red Hat Updated Tcpdump Packages
N-098: Microsoft Cumulative Patch for Internet Information Service (IIS)

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH