Re: Apache 2.0 vulnerability affects non-Unix platforms

2002-08-16 Thread Andreas Hasenack

Is striker going to be signing apache releases from now on?

Previously the tarballs were signed by Cliff Woolley.

2.0.40 is signed by Sander Striker, and the KEYS file keeps on growing :)

Apache 2.0 vulnerability affects non-Unix platforms

2002-08-09 Thread Mark J Cox

-----BEGIN PGP SIGNED MESSAGE-----

For Immediate Disclosure

=== SUMMARY 

        Title: Apache 2.0 vulnerability affects non-Unix platforms
         Date: 9th August 2002
      Version: 1
 Product Name: Apache web server 2.0
  OS/Platform: Windows, OS2, Netware
Permanent URL: http://httpd.apache.org/info/security_bulletin_20020908a.txt
  Vendor Name: Apache Software Foundation
   Vendor URL: http://www.apache.org/
      Affects: All Released versions of 2.0 through 2.0.39
     Fixed in: 2.0.40
  Identifiers: CAN-2002-0661

=== BACKGROUND 

Apache is a powerful, full-featured, efficient, and freely-available Web
server.  On the 7th August 2002, The Apache Software Foundation was
notified of the discovery of a significant vulnerability, identified by
Auriemma Luigi [EMAIL PROTECTED].

This vulnerability has the potential to allow an attacker to inflict
serious damage to a server, and reveal sensitive data.  This vulnerability
affects default installations of the Apache web server.

Unix and other variant platforms appear unaffected.  Cygwin users are
likely to be affected.

A simple one line workaround in the httpd.conf file will close the
vulnerability.  Prior to the first 'Alias' or 'Redirect' directive, add
the following directive to the global server configuration:

   RedirectMatch 400 \\\.\.

Fixes for this vulnerability are also included in Apache version 2.0.40.
Apache 2.0.40 also contains some less serious security fixes.

More information will be made available by the Apache Software
Foundation and Auriemma Luigi [EMAIL PROTECTED] in the
coming weeks.

=== REFERENCES 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0661 to this issue.  

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iQCVAwUBPVQBxu6tTP1JpWPZAQHCwAP9HVzSAMMrXadmRdPfEe9eFUKOxpQA4v8d
mKrLciDXnVpPlaKc7/1OHUcCwPu0IucHGUN5sF93Dw3X2BKoAjJFHnmS123r/CP6
WnHAaM+Hl17pPVxI3dXJXbiDvmpBB6b9SNCrsmf0RLykLHVZqoekOh2902Y7+Fts
NpKuwE7xzdA=
=mEuL
-----END PGP SIGNATURE-----
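The one-line workaround in the advisory above, emulated in Python as an added example (my code, not the Apache Software Foundation's and not part of the bulletin). It reads the directive's argument `\\\.\.` as a regular expression, which matches a literal backslash followed by two dots, and answers 400 to any request whose path contains that sequence. Two things are assumptions of mine, not statements from the advisory: that the pattern is applied to the percent-decoded path (modelling mod_alias matching against the unescaped request URI), and the sample request targets, which are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# The advisory's workaround directive is:
#     RedirectMatch 400 \\\.\.
# Read as a regular expression, \\\.\. is a literal backslash followed by two
# literal dots, so the directive answers 400 to any request whose path contains
# the substring "\.." (a backslash-separated parent-directory step).
BACKSLASH_DOTDOT = re.compile(r"\\\.\.")


def decoded_path(request_target):
    """Return the percent-decoded path of a request target, query string dropped.

    Assumption (mine, not stated in the advisory): the directive is matched
    against the decoded path, as mod_alias matches against the unescaped r->uri.
    """
    path = request_target.split("?", 1)[0]
    return unquote(path)


def workaround_status(request_target):
    """Emulate the directive: 400 when the decoded path contains "\\..", else 200.

    200 here only means "not stopped by this directive"; httpd's own handling
    of the request, including its normal "../" normalisation, still applies.
    """
    if BACKSLASH_DOTDOT.search(decoded_path(request_target)):
        return 400
    return 200


def classify(request_targets):
    """Return {request_target: status} for a batch of request targets."""
    return {t: workaround_status(t) for t in request_targets}


if __name__ == "__main__":
    # Constructed sample requests; not taken from the advisory or any real log.
    samples = [
        "/index.html",                          # ordinary request
        "/docs/..\\..\\private.txt",            # literal "\.." steps
        "/docs/%2e%2e%5c%2e%2e%5cprivate.txt",  # same steps, percent-encoded
        "/docs/../../private.txt",              # "/" form: httpd handles this itself
        "/search?q=\\..",                       # "\.." only in the query string
    ]
    for target, status in classify(samples).items():
        print(f"{status}  {target}")
```

The third and fourth samples show the boundaries of the workaround: the percent-encoded form is caught only because the path is decoded before matching, and the forward-slash form is deliberately not the directive's job, since httpd already normalises `../` on every platform. The directive is a stop-gap; the advisory's actual fix is upgrading to 2.0.40.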

Re: Apache 2.0 vulnerability affects non-Unix platforms

2002-08-09 Thread Joshua Slive

Mark J Cox wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> For Immediate Disclosure

Incidentally, I didn't see this get sent to users@httpd and 
announce@httpd (it was sent to [EMAIL PROTECTED]).  Did I miss it?

Joshua.