TUCoPS :: Web :: Apache :: o-015.txt

Apache HTTP Server 2.0.48 Release Fixes Security Vulnerabilities (CIAC O-015)


                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

        Apache HTTP Server 2.0.48 Release Fixes Security Vulnerabilities
                            [Apache 2.0.48 Released]

October 29, 2003 19:00 GMT                                        Number O-015
PROBLEM:       There exist two security vulnerabilities: 

               1) mod_cgid mishandling of CGI redirect paths could result in 
               CGI output going to the wrong client when a threaded Multi-
               processing Module (MPM) is used. 
               2) A buffer overflow could occur in mod_alias and mod_rewrite 
               when a regular expression with more than 9 captures is configured. 
PLATFORM:      Apache 2.0.47 
DAMAGE:        1) Information for one user could be directed to another. 
               2) A buffer overflow could cause a system crash or be used to take 
               control of a system. 
SOLUTION:      Upgrade to Apache 2.0.48. 
VULNERABILITY  The risk is LOW. The first problem is unlikely to expose a 
ASSESSMENT:    system to additional compromise. For the second problem, a 
               mod_rewrite regular expression is unlikely to be configured to 
               have more than 9 captures. 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-015.shtml 
 ORIGINAL BULLETIN:  http://www.apache.org/dist/httpd/Announcement2.html 
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CVE-2003-0789 CVE-2003-0542 
[***** Start Apache 2.0.48 Released *****]

Apache HTTP Server 2.0.48 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to 
announce the eleventh public release of the Apache 2.0 HTTP Server. This Announcement 
notes the significant changes in 2.0.48 as compared to 2.0.47.

This version of Apache is principally a bug fix release. A summary of the bug fixes 
is given at the end of this document. Of particular note is that 2.0.48 addresses two 
security vulnerabilities:

mod_cgid mishandling of CGI redirect paths could result in CGI output going to the 
wrong client when a threaded MPM is used.

A buffer overflow could occur in mod_alias and mod_rewrite when a regular expression 
with more than 9 captures is configured.

This release is compatible with modules compiled for 2.0.42 and later versions. We 
consider this release to be the best version of Apache available and encourage users 
of all prior versions to upgrade.

Apache 2.0.48 is available for download from

Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes.

Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 
1.3 codebase. For an overview of new features introduced after 1.3 please see


When upgrading or installing this version of Apache, please keep in mind the following:

If you intend to use Apache with one of the threaded MPMs, you must ensure that the 
modules (and the libraries they depend on) that you will be using are thread-safe. 
Please contact the vendors of these modules to obtain this information.

Apache 2.0.48 Major changes

Security vulnerabilities closed since Apache 2.0.47

* SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of the AF_UNIX socket 
  used to communicate with the cgid daemon and the CGI script. [Jeff Trawick] 
* SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and mod_rewrite which 
  occurred if one configured a regular expression with more than 9 captures. [André 

Bugs fixed and features added since Apache 2.0.47

* mod_include: fix segfault which occured if the filename was not set, for example, 
  when processing some error conditions. PR 23836. [Brian Akins <bakins@web.turner.com>, 
  André Malo] 
* fix the config parser to support <Foo>..</Foo> containers (no arguments in the opening 
  tag) supported by httpd 1.3. Without this change mod_perl 2.0's <Perl> sections are 
  broken. ["Philippe M. Chiasson" <gozer@cpan.org>] 
* mod_cgid: fix a hash table corruption problem which could result in the wrong script 
  being cleaned up at the end of a request. [Jeff Trawick] 
* Update httpd-*.conf to be clearer in describing the connection between AddType and 
  AddEncoding for defining the meaning of compressed file extensions. [Roy Fielding] 
* mod_rewrite: Don't die silently when failing to open RewriteLogs. PR 23416. [André 
* mod_rewrite: Fix mod_rewrite's support of the [P] option to send rewritten request 
  using "proxy:". The code was adding multiple "proxy:" fields in the rewritten URI. 
  PR: 13946. [Eider Oliveira <eider@bol.com.br>] 
* cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and expires as 
  directed in RFC 2616. [Thomas Castelle <tcastelle@generali.fr>] 
* Ensure that ssl-std.conf is generated at configure time, and switch to using the 
  expanded config variables to work the same as httpd-std.conf PR: 19611 [Thom May] 
* mod_ssl: Fix segfaults after renegotiation failure. PR 21370 [Hartmut Keil <Hartmut.
* mod_autoindex: If a directory contains a file listed in the DirectoryIndex directive, 
  the folder icon is no longer replaced by the icon of that file. PR 9587. [David Shane 
  Holden <dpejesh@yahoo.com>] 
* Fixed mod_usertrack to not get false positive matches on the user-tracking cookie's 
  name. PR 16661. [Manni Wood <manniwood@planet-save.com>] 
* mod_cache: Fix the cache code so that responses can be cached if they have an Expires 
  header but no Etag or Last-Modified headers. PR 23130. [bjorn@exoweb.net] 
* mod_log_config: Fix %b log format to write really "-" when 0 bytes were sent (e.g. 
  with 304 or 204 response codes). [Astrid Keßler] 
* Modify ap_get_client_block() to note if it has seen EOS. [Justin Erenkrantz] 
* Fix a bug, where mod_deflate sometimes unconditionally compressed the content if the 
  Accept-Encoding header contained only other tokens than "gzip" (such as "deflate"). 
  PR 21523. [Joe Orton, André Malo] 
* Avoid an infinite recursion, which occured if the name of an included config file or 
  directory contained a wildcard character. PR 22194. [André Malo] 
* mod_ssl: Fix a problem setting variables that represent the client certificate chain. 
  PR 21371 [Jeff Trawick] 
* Unix: Handle permissions settings for flock-based mutexes in unixd_set_global|proc_
  mutex_perms(). Allow the functions to be called for any type of mutex. PR 20312 [Jeff 
* ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick] 
* Fix a misleading message from the some of the threaded MPMs when MaxClients has to be 
  lowered due to the setting of ServerLimit. [Jeff Trawick] 
* Lower the severity of the "listener thread didn't exit" message to debug, as it is of 
  interest only to developers. PR 9011 [Jeff Trawick] 
* MPMs: The bucket brigades subsystem now honors the MaxMemFree setting. [Cliff Woolley, 
  Jean-Jacques Clar] 
* Install config.nice into the build/ directory to make minor version upgrades easier. 
  [Joshua Slive] 
* Fix mod_deflate so that it does not call deflate() without checking first whether it 
  has something to deflate. (Currently this causes deflate to generate a fatal error 
  according to the zlib spec.) PR 22259. [Stas Bekman] 
* mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an identity spoof is 
  encountered. [Sander Striker] 
* mod_rewrite: Ignore RewriteRules in .htaccess files if the directory containing the 
  .htaccess file is requested without a trailing slash. PR 20195. [André Malo] 
* ab: Overlong credentials given via command line no longer clobber the buffer. [André 
* mod_deflate: Don't attempt to hold all of the response until we're done. [Justin 
* Assure that we block properly when reading input bodies with SSL. PR 19242. [David 
  Deaves <David.Deaves@dd.id.au>, William Rowe] 
* Update mime.types to include latest IANA and W3C types. [Roy Fielding] 
* mod_ext_filter: Set additional environment variables for use by the external filter. 
  PR 20944. [Andrew Ho, Jeff Trawick] 
* Fix buildconf errors when libtool version changes. [Jeff Trawick] 
* Remember an authenticated user during internal redirects if the redirection target is 
  not access protected and pass it to scripts using the REDIRECT_REMOTE_USER environment 
  variable. PR 10678, 11602. [André Malo] 
* mod_include: Fix a trio of bugs that would cause various unusual sequences of parsed 
  bytes to omit portions of the output stream. PR 21095. [Ron Park <ronald.park@cnet.com>, 
  André Malo, Cliff Woolley] 
* Update the header token parsing code to allow LWS between the token word and the ':' 
  seperator. [PR 16520] [Kris Verbeeck <kris.verbeeck@advalvas.be>, Nicel KM <mnicel@yahoo.
* Eliminate creation of a temporary table in ap_get_mime_headers_core() [Joe Schaefer 
* Added FreeBSD directory layout. PR 21100. [Sander Holthaus <info@orangexl.com>, André 
* Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP response. PR 21085. 
  [Glenn Nielsen <glenn@apache.org>, André Malo] 
* mod_rewrite: Perform child initialization on the rewrite log lock. This fixes a log 
  corruption issue when flock-based serialization is used (e.g., FreeBSD). [Jeff Trawick] 
* Don't respect the Server header field as set by modules and CGIs. As with 1.3, for proxy 
  requests any such field is from the origin server; otherwise it will have our server info 
  as controlled by the ServerTokens directive. [Jeff Trawick] 

[***** End Apache 2.0.48 Released *****]

CIAC wishes to acknowledge the contributions of Apache for the 
information contained in this bulletin.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-005: Microsoft Exchange Server Vulnerabilities
O-006: Microsoft Authenticode Verification Vulnerability
O-007: Microsoft Windows Help and Support Center Buffer Overrun Vulnerability
O-008: Microsoft Troubleshooter ActiveX Control Buffer Overflow Vulnerability
O-009: Microsoft Listbox and ComboBox Control Buffer Overrun Vulnerabilities
O-010: Microsoft Exchange Server 5.5 Outlook Web Access Vulnerability
O-011: Sun Vulnerability in Solaris "AnswerBOok2 Documentation" Admin Script
O-012: Sun Vulnerability in Solaris "AnswerBOok2 Documentation" Server Daemon
O-013: Buffer Overflow in Oracle Binary
O-014: SGI Wildcard Exportfs Issue in Network File SYstem (NFS)

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH