Apache httpd 2.0.51 Released

djh101010 writes "apache.org has announced version 2.0.51 of their webserver, which is a bug-fix (rather than a feature) release. There are 5 security vulnerabilities addressed by this release, so if you're using mod_ssl, IPv6, or a couple other things, it's worth taking a look at what was fixed."

Vuln list; is Apache 1.3 effected as well?

[molo]

Here is the list of vulnerabilities. For more information (including a list of effected versions), see the Apache Week listing.

Does anyone have any information about whether the mod_ssl DoS vuln effects Apache 1.3.x as well? Thanks. -molo

An input validation issue in IPv6 literal address parsing which can result in a negative length parameter being passed to memcpy.
[CAN-2004-0786]

A buffer overflow in configuration file parsing could allow a local user to gain the privileges of a httpd child if the server can be forced to parse a carefully crafted .htaccess file.
[CAN-2004-0747]

A segfault in mod_ssl which can be triggered by a malicious remote server, if proxying to SSL servers has been configured.
[CAN-2004-0751]

A potential infinite loop in mod_ssl which could be triggered given particular timing of a connection abort.
[CAN-2004-0748]

A segfault in mod_dav_fs which can be remotely triggered by an indirect lock refresh request.
[CAN-2004-0809]

Re:Vuln list; is Apache 1.3 effected as well?

[redwoodtree]

Apache 1.3 uses mod_ssl as an "add_on" . Their home page is at http://www.modssl.org/ It's a different workflow than apache 2.0. I don't see any updates there, so I assume that as of _this point in time_ ssl on 1.3.x is not impacted.

Re:mod_perl

[djh101010]

Can't speak to 2.0; I'm still using 1.99_16 myself, which seems to be playing nice with 2.0.50 and I assume 2.0.51 (building now).

Significant Opera problem fixed

[troon]

I've yet to try it out, but this release claims to allow the administrator to unset the previously-mandatory Content-Location header added when mod_negotiation is in play.

This "feature" triggered an Opera "feature" that made in-document fragment anchors fail on dynamically generated, URL-rewritten documents.

Full description of the problem. Hopefully 2.0.51 means I don't need to fiddle with the Apache source any more: I'll update the problem page if so.

Re:Significant Opera problem fixed: confirmation

[troon]

Yeah, it's fixed. You can now remove the Content-Location header, which works around the Opera "feature".

Explanation page updated.

Apache security documentation

http://www.cgisecurity.com/webservers/apache/

Sidenote on the bugfixes

[agent+dero]

Here at Texas A&M, IBM just gave a talk to our ULUG (Unix & Linux UG) about a project they use called "BogoSec" where they can get rough estimations of source security.

The most drastic example of security problems was between vsftpd and wu-ftpd, but the presenter also showed some graphs for httpd 2.xxx releases, where the bugfix releases drastically improved the security.

Hoorah for bugfix releases, they're always good.

Re:mod_perl

ABI is generally stable enough. Be careful about just replacing httpd / libhttpd.so though - because some of the security / bug fixes are in modules (or in libapr.so / libaprutil.so) and not the core.

Third party modules should march happily on without being rebuilt.

An obvious exception might be modperl which provides substantial coverage of entry points, constant #defines and other aspects of the core itself. It also relies on 'expected results' from alot of edge functions which weren't widely used (and therefore subject to bug fixes - e.g. behavior changes.) While not 100% necessary, it is certainly a good idea to rebuild modperl with each point bump.