This is a security fix release for those using Apache in Cygwin environments!
<quote>
Date: Fri, 9 Aug 2002 22:07:52 +0100 (BST)
From: Mark J Cox <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], Full Disclosure <[EMAIL PROTECTED]>, Vuln-Dev <[EMAIL PROTECTED]>
Subject: [Full-Disclosure] Apache 2.0 vulnerability affects non-Unix platforms

-----BEGIN PGP SIGNED MESSAGE-----

For Immediate Disclosure

=============== SUMMARY ================

Title: Apache 2.0 vulnerability affects non-Unix platforms
Date: 9th August 2002
Revision: 2
Product Name: Apache HTTP server 2.0
OS/Platform: Windows, OS2, Netware
Permanent URL: http://httpd.apache.org/info/security_bulletin_20020809a.txt
Vendor Name: Apache Software Foundation
Vendor URL: http://httpd.apache.org/
Affects: All Released versions of 2.0 through 2.0.39
Fixed in: 2.0.40
Identifiers: CAN-2002-0661

=============== DESCRIPTION ================

Apache is a powerful, full-featured, efficient, and freely-available Web server.

On the 7th August 2002, The Apache Software Foundation was notified of the discovery of a significant vulnerability, identified by Auriemma Luigi <[EMAIL PROTECTED]>. This vulnerability has the potential to allow an attacker to inflict serious damage to a server, and reveal sensitive data.

This vulnerability affects default installations of the Apache web server. Unix and other variant platforms appear unaffected. Cygwin users are likely to be affected.

=============== SOLUTION ================

A simple one line workaround in the httpd.conf file will close the vulnerability. Prior to the first 'Alias' or 'Redirect' directive, add the following directive to the global server configuration:

    RedirectMatch 400 "\\\.\."

Fixes for this vulnerability are also included in Apache HTTP server version 2.0.40. The 2.0.40 release also contains fixes for two minor path-revealing exposures.
This release of Apache is available at http://www.apache.org/dist/httpd/
</quote and SNIP>

Thanks,

Ron DuFresne

On Fri, 9 Aug 2002, Cliff Woolley wrote:

> On Fri, 9 Aug 2002, Cliff Woolley wrote:
>
> > That's what I get for not reading all of my email before responding to
> > any of it. 0.9.6g was also released today. Sigh. :)
>
> I guess today was the day for releases. Apache 2.0.40 is now out as well.
>
> --Cliff
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!
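The quoted advisory's workaround, `RedirectMatch 400 "\\\.\."`, is easy to get wrong because of the escaping: read as a regular expression, `\\` is a literal backslash and each `\.` a literal dot, so the directive refuses with 400 any request path containing a backslash followed by two dots. The Python below is an added example, not Apache code and not from the advisory or this thread: it models the intent of that directive so a reader can see which paths it catches and which it does not. It assumes the pattern is applied to the percent-decoded request path (so `%5C` is seen as a backslash) and does not model how httpd.conf itself unescapes backslashes inside a quoted string; check the effective pattern on your own build if that matters. The sample paths are constructed.

```python
import re
from urllib.parse import unquote

# Python rendering of the advisory's workaround (added example, not Apache code):
#   RedirectMatch 400 "\\\.\."
# Regex reading: \\ = one literal backslash, \. = literal dot, \. = literal dot.
# Assumption: the intent is "backslash followed by two dots"; httpd.conf's own
# unescaping of the quoted string is not modelled here.
BACKSLASH_DOTDOT = re.compile(r"\\\.\.")


def workaround_status(raw_path: str) -> int:
    """Return the HTTP status the workaround would give for a request path.

    Assumption: RedirectMatch sees the percent-decoded path, so "%5C" is
    matched as a backslash. 400 means refused, 200 means passed through.
    """
    path = unquote(raw_path)
    return 400 if BACKSLASH_DOTDOT.search(path) else 200


# Constructed sample request paths and the expected outcome for each.
SAMPLES = {
    "/icons/a.gif": 200,                       # ordinary path, nothing to match
    "/icons/..\\..\\x.txt": 400,               # backslash-dot-dot, refused
    "/icons/%5C..%5C..%5Cx.txt": 400,          # same thing percent-encoded
    "/docs/../x": 200,                         # forward-slash "..": outside this directive's scope
    "/a\\b/c.txt": 200,                        # a lone backslash is not enough to match
}


def check_samples() -> dict:
    """Evaluate every sample path; returns {path: status}."""
    return {p: workaround_status(p) for p in SAMPLES}


if __name__ == "__main__":
    for p, status in check_samples().items():
        print(f"{status}  {p}")
```

The last two samples are the caveat a practitioner wants: the directive only addresses the backslash form the advisory is about, so it is a stop-gap until 2.0.40, not a general traversal filter.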