107385 2003-07-09  18:44  /125 lines/ Apache HTTP Server Project <striker@apache.org>
Imported: 2003-07-09  18:44  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5472>
Subject: [ANNOUNCE][SECURITY] Apache 2.0.47 released
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                       Apache 2.0.47 Released

   The Apache Software Foundation and the Apache HTTP Server Project
   are pleased to announce the tenth public release of the Apache 2.0
   HTTP Server.  This Announcement notes the significant changes in
   2.0.47 as compared to 2.0.46.


   This version of Apache is principally a security and bug fix
   release.  A summary of the bug fixes is given at the end of this
   document.  Of particular note is that 2.0.47 addresses four
   security vulnerabilities:

   Certain sequences of per-directory renegotiations and the
   SSLCipherSuite directive being used to upgrade from a weak
   ciphersuite to a strong one could result in the weak ciphersuite
   being used in place of the strong one.
   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0192]

   Certain errors returned by accept() on rarely accessed ports could
   cause temporary denial of service, due to a bug in the prefork MPM.
   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0253]

   Denial of service was caused when target host is IPv6 but ftp proxy
   server can't create IPv6 socket.
   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0254]

   The server would crash when going into an infinite loop due to too
   many subsequent internal redirects and nested subrequests.
   [VU#379828]

   The Apache Software Foundation would like to thank Saheed Akhtar
   and Yoshioka Tsuneo for the responsible reporting of two of these
   issues.


   This release is compatible with modules compiled for 2.0.42 and
   later versions.  We consider this release to be the best version
   of Apache available and encourage users of all prior versions to
   upgrade.

   Apache 2.0.47 is available for download from

     http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.0 file, linked from the above page, for
   a full list of changes.

   Apache 2.0 offers numerous enhancements, improvements, and
   performance boosts over the 1.3 codebase.  For an overview of new
   features introduced after 1.3 please see

     http://httpd.apache.org/docs-2.0/new_features_2_0.html

   When upgrading or installing this version of Apache, please keep
   in mind the following:

   If you intend to use Apache with one of the threaded MPMs, you must
   ensure that the modules (and the libraries they depend on) that you
   will be using are thread-safe.  Please contact the vendors of these
   modules to obtain this information.


                       Apache 2.0.47 Major changes

   Security vulnerabilities closed since Apache 2.0.46

    *) SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
       of per-directory renegotiations and the SSLCipherSuite directive
       being used to upgrade from a weak ciphersuite to a strong one
       could result in the weak ciphersuite being used in place of the
       strong one.  [Ben Laurie]

    *) SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing
       temporary denial of service when accept() on a rarely accessed port
       returns certain errors.  Reported by Saheed Akhtar
       <S.Akhtar@talis.com>.  [Jeff Trawick]

    *) SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial
       of service when target host is IPv6 but proxy server can't create
       IPv6 socket.  Fixed by the reporter.  [Yoshioka Tsuneo
       <tsuneo.yoshioka@f-secure.com>]

    *) SECURITY [VU#379828] Prevent the server from crashing when entering
       infinite loops. The new LimitInternalRecursion directive configures
       limits of subsequent internal redirects and nested subrequests, after
       which the request will be aborted.  PR 19753 (and probably others).
       [William Rowe, Jeff Trawick, André Malo]


   Bugs fixed and features added since Apache 2.0.46

    *) core_output_filter: don't split the brigade after a FLUSH bucket if
       it's the last bucket.  This prevents creating unnecessary empty
       brigades which may not be destroyed until the end of a keepalive
       connection.
       [Juan Rivera <Juan.Rivera@citrix.com>]

    *) Add support for "streamy" PROPFIND responses.
       [Ben Collins-Sussman <sussman@collab.net>]

    *) mod_cgid: Eliminate a double-close of a socket.  This resolves
       various operational problems in a threaded MPM, since on the
       second attempt to close the socket, the same descriptor was
       often already in use by another thread for another purpose.
       [Jeff Trawick]

    *) mod_negotiation: Introduce "prefer-language" environment variable,
       which allows influencing the negotiation process on a per-request
       basis to prefer a certain language.  [André Malo]

    *) Make mod_expires' ExpiresByType work properly, including for
       dynamically-generated documents.  [Ken Coar, Bill Stoddard]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/C2DDZjW2wN6IXdMRAm9BAKCBj7KgdN8sLTZpUFu5aVJTjyEJlQCePz3Y
QF51aRaqbVdSwZYxalnSC+Y=
=2mza
-----END PGP SIGNATURE-----
(107385) /Apache HTTP Server Project <striker@apache.org>/(Rewrapped)
107390 2003-07-09  19:32  /77 lines/ Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Imported: 2003-07-09  19:32  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5476>
Subject: [SNS Advisory No.66] Apache HTTP Server v2 Causes a DoS When Parsing a Type-Map File
------------------------------------------------------------
----------------------------------------------------------------------
SNS Advisory No.66
Apache HTTP Server v2 Causes a DoS When Parsing a Type-Map File

Problem first discovered on: Thu, 26 Dec 2002
Published on: Wed, 09 Jul 2003
Reference: http://www.lac.co.jp/security/english/snsadv_e/66_e.html
----------------------------------------------------------------------

Overview:
---------
  Apache versions prior to 2.0.47 contain a locally exploitable DoS
  condition.


Problem Description:
--------------------
  Apache HTTP Server v2 supports a content negotiation functionality, 
  which can provide the best resources based on the browser-supplied
  preferences for media type, languages, character set and encoding.
  
  The type-map file is one of the methods used for resources
  negotiation.

  A local attacker can trigger an infinite loop and deplete the
  system's resources by causing the Apache HTTP Server to parse a
  malicious type-map file.  Consequently, local exploitation can
  result in a denial of service condition.


Tested Versions:
----------------
  Apache 2.0.43
  Apache 2.0.44
  Apache 2.0.45
  Apache 2.0.46


Solution:
---------
  This vulnerability can be eliminated by upgrading to Apache 2.0.47.

  The Apache HTTP Server Project:
  http://httpd.apache.org/


Discovered by:
--------------
  Keigo Yamazaki


Acknowledgements:
-----------------
  Thanks to:

  Apache Software Foundation   http://www.apache.org/
  CERT Coordination Center     http://www.cert.org/
  JPCERT Coordination Center   http://www.jpcert.or.jp/


Disclaimer: 
-----------
  The information contained in this advisory may be revised without prior 
  notice and is provided as it is.  Users shall take their own risk when
  taking any actions following reading this advisory.  LAC Co., Ltd. shall
  take no responsibility for any problems, loss or damage caused by, or by
  the use of information provided here.

  This advisory can be found at the following URL: 
  http://www.lac.co.jp/security/english/snsadv_e/66_e.html

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
(107390) /Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>/(Rewrapped)
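
Added example (not part of either message above, and not Apache or LAC code): given a server banner and httpd configuration text, it reports which of the issues named above have a matching configuration signal on a 2.0.x release older than 2.0.47. The directive patterns are heuristics assumed for this example, and the sample configuration is constructed; the prefork accept() and internal-recursion issues have no configuration signal and are not covered.

```python
import re

FIXED = (2, 0, 47)  # release both messages name as closing these issues

# (directive pattern, only counts inside a per-directory container, issue label)
# Heuristics assumed for this example, not an official detection rule set.
CHECKS = [
    (r"^SSLCipherSuite\b", True, "CAN-2003-0192"),
    (r"^LoadModule\s+proxy_ftp_module\b", False, "CAN-2003-0254"),
    (r"^(Add|Set)Handler\s+type-map\b", False, "SNS Advisory No.66"),
]

# Constructed sample configuration, not taken from the page.
SAMPLE_CONF = """\
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP
<Directory "/srv/www/secure">
    SSLCipherSuite HIGH
</Directory>
# AddHandler type-map .disabled
AddHandler type-map .var
"""

def parse_version(banner):
    """Extract (major, minor, patch) from a banner like 'Apache/2.0.46 (Unix)'."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(map(int, m.groups())) if m else None

def audit(banner, conf_text):
    """Return the sorted issue labels whose feature is configured on an affected build."""
    version = parse_version(banner)
    if version is None or version[:2] != (2, 0) or version >= FIXED:
        return []  # not a 2.0.x release older than 2.0.47
    hits, depth = set(), 0
    for raw in conf_text.splitlines():
        line = raw.strip()  # commented-out directives start with '#' and never match
        if re.match(r"</(Directory|Location|Files)", line, re.I):
            depth = max(depth - 1, 0)
        elif re.match(r"<(Directory|Location|Files)", line, re.I):
            depth += 1
        for pattern, container_only, issue in CHECKS:
            if re.match(pattern, line, re.I) and (depth > 0 or not container_only):
                hits.add(issue)
    return sorted(hits)

if __name__ == "__main__":
    for issue in audit("Apache/2.0.46 (Unix)", SAMPLE_CONF):
        print("review before upgrade:", issue)
```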