Apache Fixes Bugs in Server Upgrade

Zardon · Oct 6, 2002, 01:09 PM

The Apache Software Foundation and The Apache Server Project on Thursday released Version 1.3.27 of its popular Web server software, an upgrade that includes fixes to three security vulnerabilities.

The new Apache HTTP server was described as principally a security and bug-fix release. It plugs a hole that exists in all versions of Apache prior to 1.3.27 on platforms using System V shared memory based scoreboards.

That vulnerability allows an attacker to execute code under the Apache UID to exploit the Apache shared memory scoreboard format and send a signal to any process as root or cause a local denial-of-service (define) attack.

Another bug that made Apache susceptible to a cross site scripting vulnerability in the default 404 page of any Web server hosted on a domain that allows wildcard DNS lookups was also secure.

The Apache Foundation said some possible overflows in ab.c, which could be exploited by a malicious server, were also fixed. The new server release also includes new features that offer "substantial improvements" over version 1.2, the Apache Foundation said, upgrades that include better performance, reliability and an expansion of supported platforms, including Windows NT and 2000 (which fall under the "Win32" label), OS2, Netware, and TPE threaded platforms.

It has been fitted with a new ErrorHeader directive and configuration file globbing that can now use simple pattern matching. Apache has also made the protocol version (eg: HTTP/1.1) in the request line parsing case-insensitive, a key upgrade over previous versions.

Other highlights include:
ap_snprintf() can now distinguish between an output which was truncated, and an output which exactly filled the buffer.

Add ProtocolReqCheck directive, which determines if Apache will check for a valid protocol string in the request (eg: HTTP/1.1) and return HTTP_BAD_REQUEST if not valid. Versions of Apache prior to 1.3.26 would silently ignore bad protocol strings, but 1.3.26 included a more strict check. This makes it runtime configurable.

Added support for Berkeley-DB/4.x to mod_auth_db.

httpd -V will now also print out the compile time defined HARD_SERVER_LIMIT value.
On specific platforms, new features in the upgrade include support for Caldera OpenUNIX 8 and the ability to use SysV semaphores by default on OpenBSD. It also implements file locking in mod_rewrite for the NetWare CLib platform.

The Foundation said several minor bugs found in Apache 1.3.26 (or earlier), including mod_proxy fixes, have been included in Apache 1.3.27.

Separately, the Jakarta Ant-Dev has released Version 1.5.1 of Apache Ant, a Java-based build tool that allows full portability of pure Java code.

http://jakarta.apache.org/builds/jak...elease/v1.5.1/

Oct 6, 2002, 01:09 PM	#1
Zardon DriverHeaven Founder Join Date: May 2002 Posts: 32,480 Rep Power: 179	Apache Fixes Bugs in Server Upgrade The Apache Software Foundation and The Apache Server Project on Thursday released Version 1.3.27 of its popular Web server software, an upgrade that includes fixes to three security vulnerabilities. The new Apache HTTP server was described as principally a security and bug-fix release. It plugs a hole that exists in all versions of Apache prior to 1.3.27 on platforms using System V shared memory based scoreboards. That vulnerability allows an attacker to execute code under the Apache UID to exploit the Apache shared memory scoreboard format and send a signal to any process as root or cause a local denial-of-service (define) attack. Another bug that made Apache susceptible to a cross site scripting vulnerability in the default 404 page of any Web server hosted on a domain that allows wildcard DNS lookups was also secure. The Apache Foundation said some possible overflows in ab.c, which could be exploited by a malicious server, were also fixed. The new server release also includes new features that offer "substantial improvements" over version 1.2, the Apache Foundation said, upgrades that include better performance, reliability and an expansion of supported platforms, including Windows NT and 2000 (which fall under the "Win32" label), OS2, Netware, and TPE threaded platforms. It has been fitted with a new ErrorHeader directive and configuration file globbing that can now use simple pattern matching. Apache has also made the protocol version (eg: HTTP/1.1) in the request line parsing case-insensitive, a key upgrade over previous versions. Other highlights include: ap_snprintf() can now distinguish between an output which was truncated, and an output which exactly filled the buffer. Add ProtocolReqCheck directive, which determines if Apache will check for a valid protocol string in the request (eg: HTTP/1.1) and return HTTP_BAD_REQUEST if not valid. Versions of Apache prior to 1.3.26 would silently ignore bad protocol strings, but 1.3.26 included a more strict check. This makes it runtime configurable. Added support for Berkeley-DB/4.x to mod_auth_db. httpd -V will now also print out the compile time defined HARD_SERVER_LIMIT value. On specific platforms, new features in the upgrade include support for Caldera OpenUNIX 8 and the ability to use SysV semaphores by default on OpenBSD. It also implements file locking in mod_rewrite for the NetWare CLib platform. The Foundation said several minor bugs found in Apache 1.3.26 (or earlier), including mod_proxy fixes, have been included in Apache 1.3.27. Separately, the Jakarta Ant-Dev has released Version 1.5.1 of Apache Ant, a Java-based build tool that allows full portability of pure Java code. http://jakarta.apache.org/builds/jak...elease/v1.5.1/