[Please upgrade if you use Apache 2.0.x on any platform -- Raju]
This is an RFC 1153 digest.
(1 message)
--
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Content-Transfer-Encoding: 8BIT
Message-ID: [EMAIL PROTECTED]
From: Apache HTTP Server Project [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [Full-Disclosure] [SECURITY] [ANNOUNCE] Apache 2.0.46 released
Date: Wed, 28 May 2003 12:29:03 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Apache 2.0.46 Released
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the ninth public release of the Apache 2.0
HTTP Server. This Announcement notes the significant changes in
2.0.46 as compared to 2.0.45.
This version of Apache is principally a security and bug fix release.
A summary of the bug fixes is given at the end of this document.
Of particular note is that 2.0.46 addresses two security
vulnerabilities:
Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
certain circumstances. This can be triggered remotely through mod_dav
and possibly other mechanisms. The crash was originally reported by
David Endler [EMAIL PROTECTED] and was researched and fixed by
Joe Orton [EMAIL PROTECTED]. Specific details and an analysis of the
crash will be published Friday, May 30. No more specific information
is disclosed at this time, but all Apache 2.0 users are encouraged to
upgrade now.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245]
Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were
vulnerable to a denial-of-service attack on the basic authentication
module, which was reported by John Hughes [EMAIL PROTECTED].
A bug in the configuration scripts caused the apr_password_validate()
function to be thread-unsafe on platforms with crypt_r(), including
AIX and Linux. All versions of Apache 2.0 have this thread-safety
problem on platforms with no crypt_r() and no thread-safe crypt(),
such as Mac OS X and possibly others. When using a threaded MPM (which
is not the default on these platforms), this allows remote attackers
to create a denial of service which causes valid usernames and
passwords for Basic Authentication to fail until Apache is restarted.
We do not believe this bug could allow unauthorized users to gain
access to protected resources.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189]
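An added example (not Apache or APR code) that models the CAN-2003-0189 failure mode described above in C: a crypt()-style routine that hands back one static buffer, a validator that races on that buffer, and the serialised copy-out that a mutex (or a crypt_r() wrapper) provides so that valid logins stop being rejected under a threaded MPM. The toy hash, function names and credentials are constructed for illustration.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for crypt() (constructed toy FNV-1a, not a real password hash): the result
 * lands in ONE static buffer, which is exactly what makes crypt() non-reentrant. */
static char *toy_crypt(const char *pw, const char *salt) {
    static char out[32]; unsigned long long h = 0xcbf29ce484222325ULL;
    for (const char *p = salt; *p; p++) h = (h ^ (unsigned char)*p) * 0x100000001b3ULL;
    for (const char *p = pw; *p; p++)   h = (h ^ (unsigned char)*p) * 0x100000001b3ULL;
    snprintf(out, sizeof out, "$%s$%016llx", salt, h);
    return out;
}
/* The pattern behind the bug: the shared buffer is compared while another thread
 * may already be overwriting it, so a correct password can be rejected. */
int validate_unsafe(const char *pw, const char *salt, const char *stored) {
    return strcmp(toy_crypt(pw, salt), stored) == 0;
}
static pthread_mutex_t crypt_lock = PTHREAD_MUTEX_INITIALIZER;
/* The fix: serialise the non-reentrant call and copy its result into a caller-owned
 * buffer BEFORE releasing the lock. Returns 1 on match, 0 otherwise. */
int validate_safe(const char *pw, const char *salt, const char *stored) {
    char hashed[32];
    pthread_mutex_lock(&crypt_lock);
    snprintf(hashed, sizeof hashed, "%s", toy_crypt(pw, salt));
    pthread_mutex_unlock(&crypt_lock);
    return strcmp(hashed, stored) == 0;
}

typedef int (*validate_fn)(const char *, const char *, const char *);
struct job { validate_fn fn; const char *pw; char salt[4], stored[32]; int failures; };
static void *worker(void *arg) {
    struct job *j = arg;
    for (int i = 0; i < 5000; i++) if (!j->fn(j->pw, j->salt, j->stored)) j->failures++;
    return NULL;
}
/* Four threads each check their own VALID credential at once; returns how many valid
 * logins were rejected: 0 for validate_safe, possibly more than 0 for validate_unsafe. */
int concurrent_failures(validate_fn fn) {
    static const char *pws[] = {"alice-pw", "bob-pw", "carol-pw", "dave-pw"};
    struct job jobs[4] = {{0}}; pthread_t th[4]; int total = 0;
    for (int i = 0; i < 4; i++) {   /* hashes are computed single-threaded: no race here */
        jobs[i].fn = fn; jobs[i].pw = pws[i]; snprintf(jobs[i].salt, 4, "s%d", i);
        snprintf(jobs[i].stored, sizeof jobs[i].stored, "%s", toy_crypt(pws[i], jobs[i].salt));
        pthread_create(&th[i], NULL, worker, &jobs[i]);
    }
    for (int i = 0; i < 4; i++) { pthread_join(th[i], NULL); total += jobs[i].failures; }
    return total;
}
```

Running concurrent_failures(validate_unsafe) may or may not show rejections on a given machine, since the race is timing-dependent; the serialised variant never does.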
The Apache Software Foundation would like to thank David Endler
and John Hughes for the responsible reporting of these issues.
This release is compatible with modules compiled for 2.0.42 and later
versions. We consider this release to be the best version of Apache
available and encourage users of all prior versions to upgrade.
Apache 2.0.46 is available for download from
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.0 file, linked from the above page, for
a full list of changes.
Apache 2.0 offers numerous enhancements, improvements, and performance
boosts over the 1.3 codebase. For an overview of new features introduced
after 1.3 please see
http://httpd.apache.org/docs-2.0/new_features_2_0.html
When upgrading or installing this version of Apache, please keep
in mind the following:
If you intend to use Apache with one of the threaded MPMs, you must
ensure that the modules (and the libraries they depend on) that you
will be using are thread-safe. Please contact the vendors of these
modules to obtain this information.
Apache 2.0.46 Major changes
Security vulnerabilities closed since Apache 2.0.45
*) SECURITY [CAN-2003-0245]: Fixed a bug that could be triggered
remotely through mod_dav and possibly other mechanisms, causing
an Apache child process to crash. The crash was first reported
by David Endler [EMAIL PROTECTED] and was researched and
fixed by Joe Orton [EMAIL PROTECTED]. Details will be released
on 30 May 2003.
*) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability
affecting basic authentication on Unix platforms related to
thread-safety in apr_password_validate(). The problem was reported
by John Hughes [EMAIL PROTECTED].
Bugs fixed and features added since Apache 2.0.45
*) Fix for mod_dav. Call the 'can_be_activity' callback, if provided,
when a MKACTIVITY request comes in.
[Ben Collins-Sussman [EMAIL PROTECTED]]
*) Perform run-time query in apxs for apr and apr-util's includes.
[Justin Erenkrantz]
*) Run libtool from the apr install directory (in case that is different
from the apache install directory). [Jeff Trawick]
*) configure.in: