Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apache httpd 2.0.51 Released

Posted by timothy on from the now-with-more-patch dept.

djh101010 writes "apache.org has announced version 2.0.51 of their webserver, which is a bug-fix (rather than a feature) release. There are 5 security vulnerabilities addressed by this release, so if you're using mod_ssl, IPv6, or a couple other things, it's worth taking a look at what was fixed."

15 comments

  1. mod_perl by embobo · · Score: 4, Interesting

    Is mod_perl 2.0 ready for prime time yet? Last time I checked--a few months ago--the core was there but the mp 1.x emulation didn't work very well and some important modules, e.g., Apache::AuthCookie weren't ported yet. I went back to 1.x.

    1. Re:mod_perl by djh101010 · · Score: 3, Informative

      Can't speak to 2.0; I'm still using 1.99_16 myself, which seems to be playing nice with 2.0.50 and I assume 2.0.51 (building now).

    2. Re:mod_perl by aled · · Score: 1

      Do we still need to recompile mod_*s with each new apache release or is the ABI stable enough to carry the binaries on?

      --

      "I think this line is mostly filler"
    3. Re:mod_perl by Anonymous Coward · · Score: 2, Informative

      ABI is generally stable enough. Be careful about just replacing httpd / libhttpd.so though - because some of the security / bug fixes are in modules (or in libapr.so / libaprutil.so) and not the core.

      Third party modules should march happily on without being rebuilt.

      An obvious exception might be modperl which provides substantial coverage of entry points, constant #defines and other aspects of the core itself. It also relies on 'expected results' from alot of edge functions which weren't widely used (and therefore subject to bug fixes - e.g. behavior changes.) While not 100% necessary, it is certainly a good idea to rebuild modperl with each point bump.

  2. Vuln list; is Apache 1.3 effected as well? by molo · · Score: 5, Informative
    Here is the list of vulnerabilities. For more information (including a list of effected versions), see the Apache Week listing.

    Does anyone have any information about whether the mod_ssl DoS vuln effects Apache 1.3.x as well? Thanks. -molo


    An input validation issue in IPv6 literal address parsing which can result in a negative length parameter being passed to memcpy.
    [CAN-2004-0786]

    A buffer overflow in configuration file parsing could allow a local user to gain the privileges of a httpd child if the server can be forced to parse a carefully crafted .htaccess file.
    [CAN-2004-0747]

    A segfault in mod_ssl which can be triggered by a malicious remote server, if proxying to SSL servers has been configured.
    [CAN-2004-0751]

    A potential infinite loop in mod_ssl which could be triggered given particular timing of a connection abort.
    [CAN-2004-0748]

    A segfault in mod_dav_fs which can be remotely triggered by an indirect lock refresh request.
    [CAN-2004-0809]
    --
    Using your sig line to advertise for friends is lame.
    1. Re:Vuln list; is Apache 1.3 effected as well? by redwoodtree · · Score: 3, Informative

      Apache 1.3 uses mod_ssl as an "add_on" . Their home page is at http://www.modssl.org/ It's a different workflow than apache 2.0. I don't see any updates there, so I assume that as of _this point in time_ ssl on 1.3.x is not impacted.

  3. Significant Opera problem fixed by troon · · Score: 3, Informative

    I've yet to try it out, but this release claims to allow the administrator to unset the previously-mandatory Content-Location header added when mod_negotiation is in play.

    This "feature" triggered an Opera "feature" that made in-document fragment anchors fail on dynamically generated, URL-rewritten documents.

    Full description of the problem. Hopefully 2.0.51 means I don't need to fiddle with the Apache source any more: I'll update the problem page if so.

    --
    Ydco co ,df C erb-y go. a Ekrpat t.fxrapev
  4. Re:Significant Opera problem fixed: confirmation by troon · · Score: 2, Informative

    Yeah, it's fixed. You can now remove the Content-Location header, which works around the Opera "feature".

    Explanation page updated.

    --
    Ydco co ,df C erb-y go. a Ekrpat t.fxrapev
  5. Apache security documentation by Anonymous Coward · · Score: 1, Informative


    http://www.cgisecurity.com/webservers/apache/

  6. Sidenote on the bugfixes by agent+dero · · Score: 3, Informative

    Here at Texas A&M, IBM just gave a talk to our ULUG (Unix & Linux UG) about a project they use called "BogoSec" where they can get rough estimations of source security.

    The most drastic example of security problems was between vsftpd and wu-ftpd, but the presenter also showed some graphs for httpd 2.xxx releases, where the bugfix releases drastically improved the security.

    Hoorah for bugfix releases, they're always good.

    --
    Error 407 - No creative sig found
  7. No Windows / OS400 release yet by Anonymous Coward · · Score: 0

    No Windows or OS/400 release yet.

    I guess this is a *nix security issue(s) only?

    The OS/400 version probably isn't vulnerable. Is the Windows?

  8. apache 2.0.51 by pbranes · · Score: 1
    I've been running this version on a box for a few days now and haven't seen any performance issues or outstanding bugs, so I would really recommend everyone upgraded asap.

    blog

  9. Patch for Security Regression in Apache 2.0.51 by dananderson · · Score: 1
    There's a patch for the security regression in 2.0.51. See CAN-2004-0811 and Apache Week for 9/23/2004 Another Apache release 2.0.52 is coming down the pike to fix this and some minor issues.

    To quote ApacheWeek: One of the new features included in [Apache 2.0.51] is that a container can now be used to limit the effect of a Satisfy directive to specific methods. Unfortunately, a bug in the implementation meant that merging of Satisfy directives did not work correctly. The result was that if "Satisfy Any" was used, for example, in directory /foo/bar/, it could also take effect in the higher context, /foo/. If directory /foo/ also had access control configured, this could then be bypassed.

  10. Apache 2.0.52 now available by dananderson · · Score: 1
    Apache 2.0.52 is now available at Apache Mirrors, http://www.apache.org/dyn/closer.cgi/httpd/

    Apache 2.0.51 is not even available, as 2.0.52 fixes the 2.0.51 regression.

    BTW, I have a document about using PHP and Apache2 at http://dan.drydog.com/apache2php.html