[Security Release] Apache HTTP Server 2.0.43
-----BEGIN PGP SIGNED MESSAGE-----

Apache 1.3.27 Released

The Apache Software Foundation and The Apache Server Project are pleased to announce the release of version 1.3.27 of the Apache HTTP Server. This Announcement notes the significant changes in 1.3.27 as compared to 1.3.26.

This version of Apache is principally a security and bug fix release. A summary of the bug fixes is given at the end of this document. Of particular note is that 1.3.27 addresses and fixes 3 security vulnerabilities.

CAN-2002-0839 (cve.mitre.org)[1]: A vulnerability exists in all versions of Apache prior to 1.3.27 on platforms using System V shared memory based scoreboards. This vulnerability allows an attacker who can execute under the Apache UID to exploit the Apache shared memory scoreboard format and send a signal to any process as root or cause a local denial of service attack. We thank iDefense for their responsible notification and disclosure of this issue.

CAN-2002-0840 (cve.mitre.org)[2]: Apache is susceptible to a cross site scripting vulnerability in the default 404 page of any web server hosted on a domain that allows wildcard DNS lookups. We thank Matthew Murphy for notification of this issue.

CAN-2002-0843 (cve.mitre.org)[3]: There were some possible overflows in ab.c which could be exploited by a malicious server. Note that this vulnerability is not in Apache itself, but rather one of the support programs bundled with Apache. We thank David Wagner for the responsible notification and disclosure of this issue.

We consider Apache 1.3.27 to be the best version of Apache 1.3 available and we strongly recommend that users of older versions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible. No further releases will be made in the 1.2.x family.

Apache 1.3.27 is available for download from

  http://www.apache.org/dist/httpd/

Please see the CHANGES_1.3 file in the same directory for a full list of changes.
Binary distributions are available from

  http://www.apache.org/dist/httpd/binaries/

The source and binary distributions are also available via any of the mirrors listed at

  http://www.apache.org/mirrors/

As of Apache 1.3.12 binary distributions contain all standard Apache modules as shared objects (if supported by the platform) and include full source code. Installation is easily done by executing the included install script. See the README.bindist and INSTALL.bindist files for a complete explanation. Please note that the binary distributions are only provided for your convenience and current distributions for specific platforms are not always available.

Win32 binary distributions are based on the Microsoft Installer (.MSI) technology. While development continues to make this installation method more robust, questions should be directed to the news:comp.infosystems.www.servers.ms-windows newsgroup.

For an overview of new features introduced after 1.2 please see

  http://httpd.apache.org/docs/new_features_1_3.html

In general, Apache 1.3 offers several substantial improvements over version 1.2, including better performance, reliability and a wider range of supported platforms, including Windows NT and 2000 (which fall under the "Win32" label), OS2, Netware, and TPF threaded platforms.

IMPORTANT NOTE FOR APACHE USERS:

Apache 1.3 was designed for Unix OS variants. While the ports to non-Unix platforms (such as Win32, Netware or OS2) are of an acceptable quality, Apache 1.3 is not optimized for these platforms. Security, stability, or performance issues on these non-Unix ports do not generally apply to the Unix version, due to the software's Unix origin.

Apache 2.0 has been structured for multiple operating systems from its inception, by introducing the Apache Portability Library and MPM modules. Users on non-Unix platforms are strongly encouraged to move up to Apache 2.0 for better performance, stability and security on their platforms.
Apache is the most popular web server in the known universe; over half of the servers on the Internet are running Apache or one of its variants.

Apache 1.3.27 Major changes

Security vulnerabilities

  * Fix the security vulnerability noted in CAN-2002-0839 (cve.mitre.org) regarding ownership permissions of System V shared memory based scoreboards. The fix resulted in the new ShmemUIDisUser directive.
  * Fix the security vulnerability noted in CAN-2002-0840 (cve.mitre.org) regarding a cross-site scripting vulnerability in the default error page when using wildcard DNS.
  * Fix the security vulnerability noted in CAN-2002-0843 (cve.mitre.org) regarding some possible overflows in ab.c which could be exploited by a
[ANNOUNCE] Apache 2.0.45 Released
Apache 2.0.45 Released

The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the eighth public release of the Apache 2.0 HTTP Server. This Announcement notes the significant changes in 2.0.45 as compared to 2.0.44.

OS2 users; note that Apache 2.0 versions *including* 2.0.45 still have a Denial of Service vulnerability that was identified and reported by Robert Howard <[EMAIL PROTECTED]> that will be fixed with the release of 2.0.46, but is too important to delay announcement today. The patch

  http://cvs.apache.org/viewcvs/apr/file_io/os2/filestat.c.diff?r1=1.34&r2=1.35

must be applied before building on OS2. This patch will already be applied to all OS2 binaries released for Apache 2.0.45.

  [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0134]

This version of Apache is principally a security and bug fix release. A summary of the bug fixes is given at the end of this document. Of particular note is that 2.0.45 addresses two security vulnerabilities, both affecting all platforms.

Prior Apache 2.0 versions through 2.0.44 had a significant Denial of Service vulnerability that was identified and reported by David Endler <[EMAIL PROTECTED]>, and fixed with this release. The specific details of this issue will be published by David Endler one week from this release, on April 7th. No more specific information is disclosed at this time, but all Apache 2.0 users are encouraged to upgrade now.

  [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132]

This release eliminated leaks of several file descriptors to child processes, such as CGI scripts, which could constitute a security threat on servers that run untrusted CGI scripts. This issue was identified, reported and addressed by Christian Kratzer <[EMAIL PROTECTED]> and Bjoern A. Zeeb <[EMAIL PROTECTED]>.

The Apache Software Foundation would like to thank David Endler, Christian Kratzer, Bjoern Zeeb and Robert Howard for the responsible reporting of these issues.
Apache 2.0.42 and later releases mark a change in the Apache release process, and a new level of stability in the 2.0 series. With the release of Apache 2.0.42, we will make every effort to retain forward compatibility so that upgrading along the 2.0 series should be much easier. This compatibility extends from Apache release 2.0.42, so users of that version or later should be able to upgrade without changing configurations or updating DSO modules. (Users of earlier releases will need to recompile all modules in order to upgrade to 2.0.42 or later versions.)

We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.

Apache 2.0.45 source code is available for download from

  http://www.apache.org/dist/httpd/

Apache 2.0.45 binary releases will become available for download from

  http://www.apache.org/dist/httpd/binaries/

Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes.

Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see

  http://httpd.apache.org/docs-2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep in mind the following: If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please contact the vendors of these modules to obtain this information.

Apache 2.0.45 Major changes

Security vulnerabilities closed since Apache 2.0.44

  *) SECURITY [CAN-2003-0132]: Close a Denial of Service vulnerability identified by David Endler <[EMAIL PROTECTED]> on all platforms. Details embargoed until their announcement on 7 April 2003.
  *) SECURITY: Eliminated leaks of several file descriptors to child processes, such as CGI scripts.
This fix depends on the latest APR library release 0.9.2, which is distributed with the httpd source tarball for Apache 2.0.45. PR 17206

Bugs fixed and features added since Apache 2.0.44

  *) Prevent endless loops of internal redirects in mod_rewrite by aborting after exceeding a limit of internal redirects. The limit defaults to 10 and can be changed using the RewriteOptions directive. PR 17462.
  *) Configurable compression level for mod_deflate.
  *) Allow SSLMutex to select/use the full range of APR locking mechanisms available to it (e.g. same choices as AcceptMutex.)
  *) mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot be started on Unix because of such problems as bad permissions, bad shebang line, etc.
  *) Try to log an error if a piped log program fails and try to restart a piped log program in more failure situations.
  *) Added support for mod_auth_LDAP, with a new AuthLDAPCharsetConfig directive, to convert extended c
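The descriptor leak closed in 2.0.45 is easy to reproduce outside httpd. The following is an added example written for this page, not code from httpd or APR: a "server-private" file is opened, a child is spawned the way a CGI program is (fork and exec of a separate executable), and the child checks whether it can still reach that descriptor. Whether it can depends only on the descriptor's close-on-exec flag, which is what the fix controls. Assumptions: a POSIX system, Python's subprocess standing in for httpd's CGI spawning, and a probe child program and temporary file that are constructed here for the demonstration.

```python
# Added example, not code from httpd or APR: a server-side file descriptor
# surviving the fork/exec of a CGI-style child, and the same spawn with the
# fix (FD_CLOEXEC set). POSIX only; subprocess stands in for httpd's spawning.
import os
import subprocess
import sys
import tempfile
from typing import Dict, List

# Constructed child program: exit 0 only if the descriptor number it is given
# is open AND refers to the same file (device, inode) as in the parent.
# Comparing the inode avoids a false positive if the child reused the number.
PROBE = r"""
import os, sys
fd, dev, ino = (int(a) for a in sys.argv[1:4])
try:
    st = os.fstat(fd)
except OSError:
    sys.exit(1)
sys.exit(0 if (st.st_dev, st.st_ino) == (dev, ino) else 1)
"""


def child_can_use_fd(fd: int, close_on_exec: bool) -> bool:
    """Spawn a child (as a CGI script would be spawned) and report whether
    it inherited `fd`. close_on_exec=False models the leak; True models the
    fix, where the kernel closes the descriptor during exec()."""
    st = os.fstat(fd)
    os.set_inheritable(fd, not close_on_exec)   # inheritable == not FD_CLOEXEC
    proc = subprocess.run(
        [sys.executable, "-c", PROBE, str(fd), str(st.st_dev), str(st.st_ino)],
        close_fds=False,   # let the kernel, not Python, decide what survives exec
        check=False,
    )
    return proc.returncode == 0


def demo() -> Dict[str, bool]:
    """Open a file the server would consider private and test both settings."""
    with tempfile.NamedTemporaryFile(prefix="server-private-") as f:
        fd = f.fileno()
        os.write(fd, b"constructed secret log line\n")
        return {
            "leaked_without_cloexec": child_can_use_fd(fd, close_on_exec=False),
            "leaked_with_cloexec": child_can_use_fd(fd, close_on_exec=True),
        }


def open_descriptors() -> List[int]:
    """Descriptors open in this process. Run from inside a CGI script this
    lists what the server handed down (the listing itself adds one entry)."""
    for path in ("/proc/self/fd", "/dev/fd"):
        if os.path.isdir(path):
            return sorted(int(name) for name in os.listdir(path))
    raise OSError("no descriptor directory on this platform")


if __name__ == "__main__":
    print(demo())
    print("descriptors open here:", open_descriptors())
```

The first result is the pre-fix situation: any CGI program can read or write the server's descriptor (a log file, a listening socket, a private key file) simply by using the inherited number. `open_descriptors()` is the audit step a practitioner can drop into a CGI script to see what a given server build still leaks.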
[Announce] Apache HTTP Server 2.0.55 Released
Apache HTTP Server 2.0.55 Released

The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.0.55 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 2.0.55 as compared to 2.0.54. This Announcement2.0 document may also be available in multiple languages at:

  http://www.apache.org/dist/httpd/

This version of Apache is principally a security release. The following potential security flaws are addressed, the first three of which address several classes of HTTP Request and Response Splitting/Spoofing attacks;

CAN-2005-2088 (cve.mitre.org)
  core: If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length.
  proxy_http: Correctly handle the Transfer-Encoding and Content-Length request headers. Discard the request Content-Length whenever chunked T-E is used, always passing one of either C-L or T-E chunked whenever the request includes a request body.

Unassigned
  proxy_http: If a response contains both Transfer-Encoding and a Content-Length, remove the Content-Length and don't reuse the connection.

CAN-2005-2700 (cve.mitre.org)
  mod_ssl: Fix a security issue where "SSLVerifyClient" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the vhost configuration.

CAN-2005-2491 (cve.mitre.org)
  pcre: Fix integer overflows in PCRE in quantifier parsing which could be triggered by a local user through use of a carefully crafted regex in an .htaccess file.

CAN-2005-2728 (cve.mitre.org)
  Fix cases where the byterange filter would buffer responses into memory.

CAN-2005-1268 (cve.mitre.org)
  mod_ssl: Fix off-by-one overflow whilst printing CRL information at "LogLevel debug" which could be triggered if configured to use a "malicious" CRL.

The Apache HTTP Project thanks all of the reporters of these issues and vulnerabilities for the responsible reporting and thorough analysis of these vulnerabilities.
This release further addresses a number of cross-platform bugs, as well as specific issues on OS/X 10.4, Win32, AIX as well as all EBCDIC platforms, and adds compatibility with OpenSSL 0.9.8. This release is compatible with modules compiled for 2.0.42 and later versions.

We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.

This release includes the Apache Portable Runtime library suite release version 0.9.7, bundled with the tar and zip distributions. These libraries; libapr, libaprutil, and on Win32, libapriconv must all be updated to ensure binary compatibility and address many known platform bugs.

Apache HTTP Server 2.0.55 is available for download from

  http://httpd.apache.org/download.cgi

Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes. A condensed list, CHANGES_2.0.55 provides the complete list of changes since 2.0.54, including changes to the APR suite of libraries.

Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see

  http://httpd.apache.org/docs/2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep in mind the following: If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please refer to the documentation of these modules and libraries to obtain this information.
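The CAN-2005-2088 entries above state the rule (drop Content-Length when Transfer-Encoding is also present; for a proxied response, additionally stop reusing the backend connection) without showing why it closes request splitting. The block below is an added example written for this page, not httpd's implementation: it applies those rules to a constructed HTTP/1.1 request and measures how many body bytes a Content-Length-first parser and a Transfer-Encoding-first parser disagree about before and after normalisation. It assumes the RFC 2616 section 4.4 precedence (Transfer-Encoding wins) for the "correct" parser; the sample request and header names are constructed here.

```python
# Added example (not httpd code): the 2.0.55 framing rules for CAN-2005-2088
# applied to a constructed HTTP/1.1 message, with a check that shows the
# disagreement window that request splitting exploits.
from typing import List, Tuple

Header = Tuple[str, str]


def split_message(raw: bytes) -> Tuple[bytes, List[Header], bytes]:
    """Split a raw HTTP message into (start line, lower-cased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated")
    lines = head.split(b"\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().decode("latin-1").lower(),
                        value.strip().decode("latin-1")))
    return lines[0], headers, body


def chunked_length(body: bytes) -> int:
    """Bytes a chunked decoder consumes, through the 0-size chunk and the
    final CRLF (trailer lines skipped). Raises ValueError on truncation."""
    pos = 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)   # ignore chunk extensions
        pos = nl + 2
        if size == 0:
            end = body.index(b"\r\n", pos)
            while end != pos:                          # skip trailer lines
                pos = end + 2
                end = body.index(b"\r\n", pos)
            return pos + 2
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += size + 2


def body_length(headers: List[Header], body: bytes, prefer_cl: bool) -> int:
    """Body length as seen by an endpoint that frames by Content-Length first
    (prefer_cl=True, the ambiguity 2.0.55 removes) or by Transfer-Encoding
    first (prefer_cl=False, what RFC 2616 section 4.4 requires)."""
    te = next((v for n, v in headers if n == "transfer-encoding"), None)
    cl = next((v for n, v in headers if n == "content-length"), None)
    chunked = te is not None and "chunked" in te.lower()
    if cl is not None and (prefer_cl or not chunked):
        return int(cl)
    if chunked:
        return chunked_length(body)
    return 0


def apply_2055_rules(headers: List[Header],
                     is_response: bool = False) -> Tuple[List[Header], bool]:
    """The behaviour the announcement describes: with both Transfer-Encoding
    and Content-Length present, drop Content-Length; for a proxied response
    also refuse to reuse the backend connection.
    Returns (headers, may_reuse_connection)."""
    has_te = any(n == "transfer-encoding" for n, _ in headers)
    has_cl = any(n == "content-length" for n, _ in headers)
    if not (has_te and has_cl):
        return headers, True
    cleaned = [(n, v) for n, v in headers if n != "content-length"]
    return cleaned, not is_response


def smuggled_bytes(raw: bytes, is_response: bool = False) -> Tuple[int, int]:
    """(before, after): body bytes a CL-first and a TE-first parser disagree
    about, before and after the 2.0.55 rules. Non-zero 'before' is the
    window an attacker uses to prefix the next request on the connection."""
    _, headers, body = split_message(raw)
    before = abs(body_length(headers, body, True) - body_length(headers, body, False))
    cleaned, _ = apply_2055_rules(headers, is_response)
    after = abs(body_length(cleaned, body, True) - body_length(cleaned, body, False))
    return before, after


# Constructed sample with conflicting framing: a CL-first parser takes 6 body
# bytes ("0\r\n\r\nG"); a TE-first parser stops after the zero chunk (5 bytes)
# and treats the trailing "G" as the start of the next request.
SMUGGLING_REQUEST = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\nG"
)

if __name__ == "__main__":
    print("disagreement before/after 2.0.55 rules:", smuggled_bytes(SMUGGLING_REQUEST))
```

Once Content-Length is gone, both framings are computed from the chunked body and agree, so the front end and the origin consume the same bytes and nothing is left over to be read as a second request. The response-side rule is stricter because the proxy cannot be sure where the backend thinks the response ended, so the safe action is to discard the connection rather than reuse it.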
[Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released
Apache HTTP Server 2.2.3 Released

The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.2.3 of the Apache HTTP Server ("Apache"). This version of Apache is principally a bug and security fix release. The following potential security flaws are addressed;

CVE-2006-3747: An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0. Depending on the manner in which Apache HTTP Server was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution. This issue has been rated as having important security impact by the Apache HTTP Server Security Team.

This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:

  * The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)
  * The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE).

Please note that ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler used to compile Apache HTTP Server has added padding to the stack immediately after the buffer being overwritten, it will not be possible to exploit this issue, and Apache HTTP Server will continue operating normally.
The Apache HTTP Server project recommends that all users who have built Apache from source apply the patch or upgrade to the latest level and rebuild. Providers of Apache-based web servers in pre-compiled form will be able to determine if this vulnerability applies to their builds. That determination has no bearing on any other builds of Apache HTTP Server, and Apache HTTP Server users are urged to exercise caution and apply patches or upgrade unless they have specific instructions from the provider of their web server. Statements from vendors can be obtained from the US-CERT vulnerability note for this issue at:

  http://www.kb.cert.org/vuls/id/395412

The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the responsible reporting of this vulnerability.

We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.3 is available for download from:

  http://httpd.apache.org/download.cgi

Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:

  http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes.

Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also available with this security fix. See the appropriate CHANGES from the url above. The Apache HTTP Project developers strongly encourage all users to migrate to Apache 2.2, as only limited maintenance is performed on these legacy versions.

This release includes the Apache Portable Runtime (APR) version 1.2.7 bundled with the tar and zip distributions. The APR libraries libapr, libaprutil, and (on Win32) libapriconv must all be updated to ensure binary compatibility and address many known platform bugs.

This release builds on and extends the Apache 2.0 API.
Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, but no substantial reworking should be necessary.

  http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs, you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
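The advisory above gives two concrete conditions for a RewriteRule to be exposed to CVE-2006-3747. The script below is an added example written for this page, not part of the advisory or of httpd: it scans httpd configuration text and reports every RewriteRule whose substitution starts with a back-reference and whose flags include none of F, G or NE (long forms forbidden, gone and noescape are also accepted). It generalises the advisory's "$1" to any leading `$N`, treating every back-reference as attacker-influenced. The sample configuration is constructed here; backslash line continuations and rules living in .htaccess files are not handled.

```python
# Added example (not httpd or advisory code): audit httpd.conf text for the
# RewriteRule shape CVE-2006-3747 depends on. Sample config is constructed.
import re
import shlex
from typing import List, Tuple

# Flags that, per the advisory, take the rule out of the vulnerable pattern.
SAFE_FLAGS = {"f", "forbidden", "g", "gone", "ne", "noescape"}
# Generalisation of the advisory's "$1": any back-reference at position 0.
BACKREF_AT_START = re.compile(r"^\$[0-9]")


def parse_flags(flag_field: str) -> List[str]:
    """Turn '[R=301,L]' into ['r', 'l']: names lower-cased, values dropped."""
    inner = flag_field.strip()
    if not (inner.startswith("[") and inner.endswith("]")):
        raise ValueError("flags must be bracketed: %r" % flag_field)
    names = []
    for item in inner[1:-1].split(","):
        item = item.strip()
        if item:
            names.append(item.split("=", 1)[0].lower())
    return names


def exposed_rewrite_rules(config_text: str) -> List[Tuple[int, str]]:
    """(line number, directive) for each RewriteRule whose substitution begins
    with a back-reference and whose flags contain none of F/G/NE."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped.lower().startswith("rewriterule"):
            continue
        try:
            parts = shlex.split(stripped, comments=True)  # honours quoting, drops '#' comments
        except ValueError:
            continue  # unbalanced quotes: httpd would reject the line as well
        if len(parts) < 3:
            continue  # need at least: RewriteRule pattern substitution
        substitution = parts[2]
        try:
            flags = parse_flags(parts[3]) if len(parts) > 3 else []
        except ValueError:
            continue  # trailing token is not a flag list; not a valid rule
        if BACKREF_AT_START.match(substitution) and not (set(flags) & SAFE_FLAGS):
            findings.append((lineno, stripped))
    return findings


# Constructed sample httpd.conf fragment covering each branch of the check.
SAMPLE_CONFIG = """\
# constructed sample httpd.conf fragment
RewriteEngine On
RewriteRule ^/old/(.*)$ $1 [R,L]                # exposed: starts with $1, no F/G/NE
RewriteRule ^/go/(.*)$ $1 [R=301,NE]            # NE flag: not exposed
RewriteRule ^/blocked/(.*)$ $1 [F]              # F flag: not exposed
RewriteRule ^/blog/(.*)$ /archive/$1 [L]        # substitution starts with a literal
RewriteRule ^/proxy/(.*)$ http://backend/$1 [P] # literal scheme first: not exposed
RewriteRule "^/files/(.*)$" "$1" [L]            # quoted substitution, still exposed
"""

if __name__ == "__main__":
    for lineno, rule in exposed_rewrite_rules(SAMPLE_CONFIG):
        print("line %d: %s" % (lineno, rule))
```

A hit from this script means only that the rule has the shape the advisory describes; whether the build is actually exploitable depends on the stack layout of the compiled mod_rewrite, as the advisory says, so the remedy is still to upgrade or patch rather than to reason about padding.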
[Announce] New (relocated) modules-dev@httpd.apache.org list
Following a vote on dev@httpd.apache.org, and with input from the project participants on the [EMAIL PROTECTED] Authors' discussion list, the httpd project is pleased to announce the creation of a new modules-dev list at httpd.apache.org. Current subscribers to the apache-modules list will not be automatically moved, but are encouraged to subscribe themselves.

This mailing list is for people who are actually involved in writing third-party or private modules for the Apache HTTP server. It is a peer support list for programmers to discuss issues surrounding the development of web server modules using the Apache HTTP Server module and APR APIs. This community was historically hosted at [EMAIL PROTECTED], and those posts, still archived on MARC, should continue to be available for perusal.

Details are available here;

  http://httpd.apache.org/lists.html#modules-dev

and you can subscribe immediately by sending a blank email to;

  [EMAIL PROTECTED]

The prior apache-modules list will be closed in three days time, and we hope to see all of the current participants at modules-dev!
[Announce] Apache HTTP Server 2.2.4 Released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apache HTTP Server 2.2.4 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.4 of the Apache HTTP Server ("Apache"). This version of Apache is principally a bugfix release.

We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.4 is available for download from:

  http://httpd.apache.org/download.cgi

Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:

  http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A summary of security vulnerabilities which were addressed in the previous 2.2.3 and earlier releases is available:

  http://httpd.apache.org/security/vulnerabilities_22.html

Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also currently available. See the appropriate CHANGES from the url above. See the corresponding CHANGES files linked from the download page. The Apache HTTP Project developers strongly encourage all users to migrate to Apache 2.2, as only limited maintenance is performed on these legacy versions.

This release includes the Apache Portable Runtime (APR) version 1.2.8 bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv) must all be updated to ensure binary compatibility and address many known platform bugs.

This release builds on and extends the Apache 2.0 API. Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, and require minimal or no source code changes.
  http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBRaVE1fcTqHkQ/eB1AQJ9DAf9ErtsgzDpARyZfptJVGShxvyq894X0lKd
B0x/A8Zxo4Mh0bh2t6gS0TzfSwirMKuziqy823fgrkERJ843W86YPZCYw4pVB+RE
P52JbZi7ri6nG30gKzSZWj03dHa/7bTeEv1YUNy7SbgnmEyYEVI98yMEqEMpLnIE
Sk/cnwhVyuEGnojzhlHPNFlSEy0fbz187zOzuZkxyh7xuqJ/OBsNTIYYcJeQMOSe
Ly1HOcoRA36fVn3CmfpyCheY7HLFpxMBF86PZxfLlMdyyPd3W+ltIPK0bCWgSM0Y
7YJpGauTgb4FK4tluM5RuLC4e3QvTzljES3gNDJAdvtPCHPUCcVsSg==
=U0NI
-----END PGP SIGNATURE-----
Apache Portable Runtime 1.2.12 Released
Apache Portable Runtime 1.2.12 Released

The Apache Software Foundation and the Apache Portable Runtime Project are proud to announce the General Availability of version 1.2.12 of the APR Apache Portable Runtime library. The Project further announces the General Availability of APR-util version 1.2.12, the companion Apache Portable Utility library, and APR-iconv version 1.2.1, an alternative portable implementation of the 'iconv' library.

In conjunction with this release, the project also announces the General Availability of legacy version 0.9.17 release of the older APR 0.x library. Corresponding versions of its companion libraries APR-util version 0.9.15 and APR-iconv version 0.9.7 remain current.

APR is available for download from:

  http://apr.apache.org/download.cgi

This version of APR is principally a bug fix release, including fixes for specific platforms' configuration, feature detection, and run time behavior. Most developers are encouraged to adopt the latest APR 1.x version to ensure the most comprehensive support and access to the latest features and enhancements.

The mission of the Apache Portable Runtime Project is to create and maintain software libraries that provide a predictable and consistent interface to underlying platform-specific implementations. The primary goal is to provide an API to which software developers may code and be assured of predictable if not identical behavior regardless of the platform on which their software is built, relieving them of the need to code special-case conditions to work around or take advantage of platform-specific deficiencies or features.

APR and its companion libraries are implemented entirely in C and provide a common programming interface across a wide variety of operating system platforms without sacrificing performance.
Currently supported platforms include:

  UNIX variants
  Windows
  Netware
  Mac OS X
  OS/2

To give a brief overview, the primary core subsystems of APR 1.2 include the following:

  Atomic operations
  Dynamic Shared Object loading
  File I/O
  Locks (mutexes, condition variables, etc)
  Memory management (high performance allocators)
  Memory-mapped files
  Multicast Sockets
  Network I/O
  Shared memory
  Thread and Process management
  Various data structures (tables, hashes, priority queues, etc)

For a more complete list, please refer to the following URLs:

  http://apr.apache.org/docs/apr/modules.html
  http://apr.apache.org/docs/apr-util/modules.html

Users of APR 0.9 should be aware that migrating to the APR 1.x programming interfaces may require some adjustments; APR 1.x is neither source nor binary compatible with earlier APR 0.9 releases. Users of APR 1.x can expect consistent interfaces and binary backwards compatibility throughout the entire APR 1.x release cycle, as defined in our versioning rules:

  http://apr.apache.org/versioning.html

APR is already used extensively by the Apache HTTP Server version 2 and the Subversion revision control system, to name but a few. We list many known projects using APR at http://apr.apache.org/projects.html -- so please let us know if you find our libraries useful in your own projects!
[Announce] Apache HTTP Server (httpd) 2.2.15 Released
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release and immediate availability of version 2.2.15 of the Apache HTTP Server ("httpd").

This version of httpd is principally a security and bug fix release. Notably, this release was updated to reflect the OpenSSL Project's release 0.9.8m of the openssl library, and addresses CVE-2009-3555 (cve.mitre.org), the TLS renegotiation prefix injection attack. This release further addresses the issues CVE-2010-0408, CVE-2010-0425 and CVE-2010-0434 within mod_proxy_ajp, mod_isapi and mod_headers respectively.

We consider this release to be the best version of httpd available, and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.15 is available for download from:

  http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.15 provides the complete list of changes since 2.2.14. A summary of security vulnerabilities which were addressed in the previous 2.2.14 and earlier releases is available:

  http://httpd.apache.org/security/vulnerabilities_22.html

Apache HTTP Server 2.2.15 is compatible with Apache Portable Runtime (APR) versions 1.3 and 1.4, APR-util library version 1.3, and APR-iconv library version 1.2. The most current releases should be used to address known security and platform bugs. At the time of this httpd release, the recommended APR releases are:

  * Apache Portable Runtime (APR) library version 1.4.2 (bundled), or at minimum, version 1.3.12
  * APR-util library version 1.3.9 (bundled)
  * APR-iconv library version 1.2.1 (only bundled in win32-src.zip)

Older releases of these libraries have known vulnerabilities or other defects affecting httpd. For further information and downloads, visit:

  http://apr.apache.org/

Apache HTTP Server 2.2 offers numerous enhancements, bug fixes, and performance enhancements over the 2.0 codebase.
For an overview of new features introduced since 2.0 please see: http://httpd.apache.org/docs/2.2/new_features_2_2.html This release builds upon and extends the httpd 2.0 API. Modules written for httpd 2.0 will need to be recompiled in order to run with httpd 2.2, and may require minimal or no source code changes. When upgrading or installing this version of httpd, please bear in mind that if you intend to use httpd with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
[advisory] httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068
Vulnerability; httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068

Classification; important

Description; A timeout detection flaw in the httpd mod_proxy_http module causes a proxied response to be sent as the response to a different request, and potentially served to a different client, from the HTTP proxy pool worker pipeline. This may represent a confidential data revealing flaw.

This affects only Netware, Windows or OS2 builds of httpd version 2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha, when the proxy worker pools have been enabled. Earlier 2.2, 2.0 and 1.3 releases were not affected.

Acknowledgements; We would like to thank Loren Anderson for the thorough research and reporting of this flaw.

Mitigation; Apply any one of the following mitigations to avert the possibility of confidential information disclosure.

  * Do not load mod_proxy_http.
  * Do not configure/enable any http proxy worker pools with ProxySet or ProxyPass optional arguments.
  * The straightforward workaround to disable mod_proxy_http's reuse of backend connection pipelines is to set the following global directive;

      SetEnv proxy-nokeepalive 1

  * Replace mod_proxy_http.so with a patched version, for source code see http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/ or http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/ and for binaries see the http://www.apache.org/dist/httpd/binaries/ tree for win32 or netware, as appropriate.
  * Upgrade to Apache httpd 2.2.16 or higher, once released. There is no tentative release date scheduled.

Update Released; 11th June 2010
[announce] Apache HTTP Server 2.2.17 and 2.0.64 Released
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.17 of the Apache HTTP Server ("Apache"). This version of Apache is principally a bug fix release, and a security fix release of the APR-util 1.3.10 dependency;

  * SECURITY: CVE-2010-1623 (cve.mitre.org)
    Fix a denial of service attack against apr_brigade_split_line().
  * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
    Fix two buffer over-read flaws in the bundled copy of expat which could cause httpd to crash while parsing specially-crafted XML documents.

We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.17 is available for download from:

  http://httpd.apache.org/download.cgi

Apache HTTP Server 2.0.64 legacy release is also currently available, with the same vulnerability correction as well as many others fixed in 2.2.16 and earlier releases. See the corresponding CHANGES files linked from the download page. The Apache HTTP Project developers strongly encourage all users to migrate to Apache 2.2, as only limited and less frequent maintenance is provided for legacy versions.

Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:

  http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.17 provides the complete list of changes since 2.2.16. A summary of all of the security vulnerabilities addressed in this and earlier releases is available:

  http://httpd.apache.org/security/vulnerabilities_22.html

This release includes the Apache Portable Runtime (APR) version 1.4.2 and APR Utility Library (APR-util) version 1.3.10, bundled with the tar and zip distributions.
The APR libraries libapr and libaprutil (and on Win32, libapriconv version 1.2.1) must all be updated to ensure binary compatibility and address many known security and platform bugs.

This release builds on and extends the Apache 2.0 API. Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, and require minimal or no source code changes.

  http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
[Announce] Apache HTTP Server 2.2.18 Released
Apache HTTP Server 2.2.18 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.18 of the Apache HTTP Server ("Apache"). This version of Apache is principally a bug fix release, and a security fix release of the APR 1.4.4 dependency;

  * SECURITY: CVE-2011-0419 (cve.mitre.org)
    apr_fnmatch flaw leads to mod_autoindex remote DoS. Where mod_autoindex is enabled, and a directory indexed by mod_autoindex contained files with sufficiently long names, a carefully crafted request may cause excessive CPU usage. Upgrading to APR 1.4.4, or setting the 'IgnoreClient' option of the 'IndexOptions' directive circumvents this risk.

We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.18 is available for download from:

  http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.18 provides the complete list of changes since 2.2.17. A summary of all of the security vulnerabilities addressed in this and earlier releases is available:

  http://httpd.apache.org/security/vulnerabilities_22.html

This release includes the Apache Portable Runtime (APR) version 1.4.4 and APR Utility Library (APR-util) version 1.3.11, bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv version 1.2.1) must all be updated to ensure binary compatibility and address many known security and platform bugs.

Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:

  http://httpd.apache.org/docs/2.2/new_features_2_2.html

This release builds on and extends the Apache 2.0 API.
Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, and require minimal or no source code changes. http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
[Announce] Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11
New releases are in progress for each of these projects and are expected to be available in the coming days. The upcoming httpd 2.2.19 will bundle new releases of apr and apr-util which correct the regressions described below. An announcement of these releases will be broadcast.

Note: httpd 2.2.18 bundles apr 1.4.4 and apr-util 1.3.11.

Summary of regressions:

httpd 2.2.18: The ap_unescape_url_keep2f() function signature was changed. This breaks binary compatibility of a number of third-party modules. In addition, a regression in apr 1.4.4 (see below) could cause httpd to hang.

apr 1.4.4: A fix in apr 1.4.4 apr_fnmatch() to address CVE-2011-0419 introduced a new vulnerability. A patch is attached and should be used if httpd workers enter a hung state (100% cpu utilization) after updating to httpd 2.2.18 or apr-util 1.4.4, or if hangs are seen in other apr applications which use apr_fnmatch().

apr-util 1.3.11: A fix to LDAP support in apr-util 1.3.11 could cause crashes with httpd's mod_authnz_ldap in some situations.

--- srclib\apr\strings\apr_fnmatch.orig Mon May 02 23:51:24 2011 +++ srclib\apr\strings\apr_fnmatch.cWed May 18 13:09:52 2011 @@ -196,7 +196,10 @@ const char *mismatch = NULL; int matchlen = 0; -while (*pattern) +if (*pattern == '*') +goto firstsegment; + +while (*pattern && *string) { /* Match balanced slashes, starting a new segment pattern */ @@ -207,6 +210,7 @@ ++string; } +firstsegment: /* At the beginning of each segment, validate leading period behavior. */ if ((flags & APR_FNM_PERIOD) && (*string == '.')) @@ -361,9 +365,9 @@ return APR_FNM_NOMATCH; } -/* pattern is at EOS; if string is also, declare success +/* Where both pattern and string are at EOS, declare success */ -if (!*string) +if (!*string && !*pattern) return 0; /* pattern didn't match to the end of string */
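Review bot: the `goto firstsegment;` added in the first hunk (@@ -196,7 +196,10 @@) jumps from before the `while (*pattern && *string)` loop into the middle of its body, past the loop condition and past the balanced-slash matching, to the `firstsegment:` label introduced in the second hunk. That is correct for a pattern that starts with '*', but the next edit to the loop can silently break it; a comment at the label stating that it is entered only when the pattern begins with '*' and `string` has not been advanced, or restructuring the first iteration as a flag tested at the top of the loop, would make the intent explicit.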
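Review bot: the tightened success test in the third hunk (@@ -361,9 +365,9 @@), `if (!*string && !*pattern) return 0;`, together with the new loop condition `while (*pattern && *string)`, means that when `string` is exhausted while `pattern` still has characters left, control falls through to the "pattern didn't match to the end of string" return. Unless the wildcard code not shown in the hunk consumes a trailing '*' before the loop exits, a pattern such as "a*" against "a" would be rejected; the change should state where that case is handled and ship with tests for a trailing '*', an empty string against "*", and the long-name inputs behind CVE-2011-0419, so that both the hang fixed here and the original DoS stay covered.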
Apache HTTP Server 2.2.19 Released
Apache HTTP Server 2.2.19 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.19 of the Apache HTTP Server ("Apache"). This version of Apache is principally a bug fix release, correcting regressions in the httpd 2.2.18 package; the use of that previous 2.2.18 package is discouraged due to these flaws:

* SECURITY: CVE-2011-1928 (cve.mitre.org)
  A fix in bundled APR 1.4.4 apr_fnmatch() to address CVE-2011-0419 introduced a new vulnerability. httpd workers enter a hung state (100% cpu utilization) after updating to APR 1.4.4. Upgrading to APR 1.4.5 bundled with the httpd 2.2.19 package, or using APR 1.4.3 or prior with the 'IgnoreClient' option of the 'IndexOptions' directive, will circumvent both issues.

* httpd 2.2.18: The ap_unescape_url_keep2f() function signature was inadvertently changed. This breaks binary compatibility of a number of third-party modules. This httpd-2.2.19 package restores the function signature provided by 2.2.17 and prior.

We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.19 is available for download from:
http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.19, provides the complete list of changes since 2.2.18. A summary of all of the security vulnerabilities addressed in this and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html

This release includes the Apache Portable Runtime (APR) version 1.4.5 and APR Utility Library (APR-util) version 1.3.12, bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv version 1.2.1) must all be updated to ensure binary compatibility and address many known security and platform bugs.

Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html

This release builds on and extends the Apache 2.0 API. Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
Apache HTTP Server 2.2.21 Released
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.21 of the Apache HTTP Server ("Apache"). This version of Apache is principally a security and bug fix release:

* SECURITY: CVE-2011-3348 (cve.mitre.org)
  mod_proxy_ajp when combined with mod_proxy_balancer: Prevents unrecognized HTTP methods from marking ajp: balancer members in an error state, avoiding denial of service.

* SECURITY: CVE-2011-3192 (cve.mitre.org)
  core: Further fixes to the handling of byte-range requests to use less memory, to avoid denial of service. This patch includes fixes to the patch introduced in release 2.2.20 for protocol compliance, as well as the MaxRanges directive. Note the further advisories on the state of CVE-2011-3192 will no longer be broadcast, but will be kept up to date at:
  http://httpd.apache.org/security/CVE-2011-3192.txt

We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.21 is available for download from:
http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.21, provides the complete list of changes since 2.2.19. A summary of all of the security vulnerabilities addressed in this and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html

This release includes the Apache Portable Runtime (APR) version 1.4.5 and APR Utility Library (APR-util) version 1.3.12, bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv version 1.2.1) must all be updated to ensure binary compatibility and address many known security and platform bugs.

Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html

This release builds on and extends the Apache 2.0 API. Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
Apache HTTP Server 2.2.22 Released
Apache HTTP Server 2.2.22 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.22 of the Apache HTTP Server ("Apache"). This version of Apache is principally a security and bug fix release, including the following significant security fixes:

* SECURITY: CVE-2011-3368 (cve.mitre.org)
  Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations.

* SECURITY: CVE-2011-3607 (cve.mitre.org)
  Fix integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file.

* SECURITY: CVE-2011-4317 (cve.mitre.org)
  Resolve additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired backend network exposure in some configurations.

* SECURITY: CVE-2012-0021 (cve.mitre.org)
  mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format string is in use and a client sends a nameless, valueless cookie, causing a denial of service. The issue existed since version 2.2.17.

* SECURITY: CVE-2012-0031 (cve.mitre.org)
  Fix scoreboard issue which could allow an unprivileged child process to cause the parent to crash at shutdown rather than terminate cleanly.

* SECURITY: CVE-2012-0053 (cve.mitre.org)
  Fixed an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400.

The Apache HTTP Project thanks halfdog, Context Information Security Ltd, Prutha Parikh of Qualys, and Norman Hippert for bringing these issues to the attention of the security team.

We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.22 is available for download from:
http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.22, includes only those changes introduced since the prior 2.2 release. A summary of all of the security vulnerabilities addressed in this and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html

This release includes the Apache Portable Runtime (APR) version 1.4.5 and APR Utility Library (APR-util) version 1.4.2, bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv version 1.2.1) must all be updated to ensure binary compatibility and address many known security and platform bugs. APR-util version 1.4 represents a minor version upgrade from earlier httpd source distributions, which previously included version 1.3.

Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html

This release builds on and extends the Apache 2.0 API. Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
Apache HTTP Server 2.2.24 Released
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.24 of the Apache HTTP Server ("Apache"). This version of Apache is principally a security and bug fix maintenance release, including the following significant security fixes:

* SECURITY: CVE-2012-3499 (cve.mitre.org)
  Various XSS flaws due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.

* SECURITY: CVE-2012-4558 (cve.mitre.org)
  XSS in mod_proxy_balancer manager interface.

We consider the Apache HTTP Server 2.4.4 release to be the best version of Apache available, and encourage users of 2.2 and all prior versions to upgrade. This 2.2 maintenance release is offered for those unable to do so at this time. For further details, see:
http://www.apache.org/dist/httpd/Announcement2.4.txt

Apache HTTP Server 2.4.4 and 2.2.24 are available for download from:
http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.24, includes only those changes introduced since the prior 2.2 release. A summary of all of the security vulnerabilities addressed in this and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html

This release includes the Apache Portable Runtime (APR) version 1.4.6 and APR Utility Library (APR-util) version 1.4.1, bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv version 1.2.1) must all be updated to ensure binary compatibility and address many known security and platform bugs. APR-util version 1.4 represents a minor version upgrade from earlier httpd source distributions, which previously included version 1.3.

This release builds on and extends the Apache 2.0 API and is superseded by the Apache 2.4 API. Modules written for Apache 2.0 or 2.4 will need to be recompiled in order to run with Apache 2.2, and most will require minimal or no source code changes.

When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
[Announcement] Apache HTTP Server 2.2.27 Released
Apache HTTP Server 2.2.27 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.27 of the Apache HTTP Server ("Apache"). This version of Apache is principally a security and bug fix maintenance release.

CVE-2014-0098 (cve.mitre.org)
  Segfaults with truncated cookie logging. mod_log_config: Prevent segfaults when logging truncated cookies. Clean up the cookie logging parser to recognize only the cookie=value pairs, not valueless cookies.

CVE-2013-6438 (cve.mitre.org)
  mod_dav: Keep track of length of cdata properly when removing leading spaces. Eliminates a potential denial of service from specifically crafted DAV WRITE requests.

We consider the Apache HTTP Server 2.4 release to be the best version of Apache available, and encourage users of 2.2 and all prior versions to upgrade. This 2.2 maintenance release is offered for those unable to upgrade at this time. For further details, see:
http://www.apache.org/dist/httpd/Announcement2.4.txt

Apache HTTP Server 2.4 and 2.2.27 are available for download from:
http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.27, includes only those changes introduced since the prior 2.2 release. A summary of all of the security vulnerabilities addressed in this and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html

This release includes the Apache Portable Runtime (APR) version 1.5.0 and APR Utility Library (APR-util) version 1.5.3, bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv version 1.2.1) must all be updated to ensure binary compatibility and address many known security and platform bugs. APR version 1.5 and APR-util version 1.5 represent minor version upgrades from earlier httpd 2.2 source distributions.

This release builds on and extends the Apache 2.0 API and is superseded by the Apache 2.4 API. Modules written for Apache 2.0 or 2.4 will need to be recompiled in order to run with Apache 2.2, and most will require minimal or no source code changes.

When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
[Announce] Apache HTTP Server 2.2.29 Released
Apache HTTP Server 2.2.29 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.29 of the Apache HTTP Server ("Apache"). (Note that 2.2.28 was not released.) This version of Apache is principally a security and bug fix maintenance release, and addresses these specific security defects as well as other fixes:

CVE-2014-0118 (cve.mitre.org)
  mod_deflate: The DEFLATE input filter (inflates request bodies) now limits the length and compression ratio of inflated request bodies to avoid denial of service via highly compressed bodies. See directives DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst.

CVE-2014-0231 (cve.mitre.org)
  mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes filling up the scoreboard and eventually hanging the server. By default, the client I/O timeout (Timeout directive) now applies to communication with scripts. The CGIDScriptTimeout directive can be used to set a different timeout for communication with scripts.

CVE-2014-0226 (cve.mitre.org)
  Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow.

CVE-2013-5704 (cve.mitre.org)
  HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. Adds "MergeTrailers" directive to restore this legacy behavior.

We consider the Apache HTTP Server 2.4 release to be the best version of Apache available, and encourage users of 2.2 and all prior versions to upgrade. This 2.2 maintenance release is offered for those unable to upgrade at this time. For further details, see:
http://www.apache.org/dist/httpd/Announcement2.4.txt

Apache HTTP Server 2.4 and 2.2.29 are available for download from:
http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.29, includes only those changes introduced since the prior 2.2 release. A summary of all of the security vulnerabilities addressed in this and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html

This release includes the Apache Portable Runtime (APR) version 1.5.1 and APR Utility Library (APR-util) version 1.5.3, bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv version 1.2.1) must all be updated to ensure binary compatibility and address many known security and platform bugs. APR version 1.5 and APR-util version 1.5 represent minor version upgrades from earlier httpd 2.2 source distributions.

This release builds on and extends the Apache 2.0 API and is superseded by the Apache 2.4 API. Modules written for Apache 2.0 or 2.4 will need to be recompiled in order to run with Apache 2.2, and most will require minimal or no source code changes.

When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
[Announcement] Apache HTTP Server 2.2.34 Released
July 11, 2017

The Apache Software Foundation and the Apache HTTP Server Project announce the release of version 2.2.34 of the Apache HTTP Server ("Apache"), the final maintenance release of the 2.2 series. No further 2.2 releases are anticipated. This version of Apache is principally a security and bug fix maintenance release.

We consider the current Apache HTTP Server 2.4 release to be the best version of Apache available, and encourage every user of 2.2 and all prior versions to upgrade. This final 2.2 release is offered for those unable to upgrade at this moment.

Take note that the Apache Web Server Project will provide no future release of the 2.2.x series, although some security patches may be published through December of 2017. These will be collected at the URL:
http://www.apache.org/dist/httpd/patches/apply_to_2.2.34/

No further maintenance patches of 2.2.x will be published. Users are strongly encouraged to promptly complete their transitions to the 2.4.x flavor of httpd to receive any future benefit from the user community or the Apache HTTP Server project developers. For further details about the currently supported release, see:
http://www.apache.org/dist/httpd/Announcement2.4.txt

Apache HTTP Server 2.4 and 2.2.34 are available for download from:
http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.34, includes only those changes introduced since the prior 2.2 release. A summary of all of the security vulnerabilities addressed in this and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html
Note that the Apache HTTP Server project will discontinue evaluations and corresponding advisories to this resource effective January, 2018.

This release includes the Apache Portable Runtime (APR) version 1.5.2 and APR Utility Library (APR-util) version 1.5.4, bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv version 1.2.1) must all be updated to ensure binary compatibility and address many known security and platform bugs. APR version 1.5 and APR-util version 1.5 represent minor version upgrades from earlier httpd 2.2 source distributions.

Note this package also includes very stale and known-vulnerable versions of the Expat [http://expat.sourceforge.net/] and PCRE [http://www.pcre.org/] packages. Users are strongly encouraged to first install the most recent versions of these components (of PCRE 8.x, not PCRE2 10.x at this time).

This release builds on and extends the Apache 2.0 API and is superseded by the Apache 2.4 API. Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.4, and most will require minimal or no source code changes.
CVE-2017-9789: Apache httpd 2.4 Read after free in mod_http2
CVE-2017-9789: Read after free in mod_http2.c

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: httpd 2.4.26

Description: When under stress, closing many connections, the HTTP/2 handling code would sometimes access memory after it has been freed, resulting in potentially erratic behaviour.

Mitigation: 2.4.26 users of mod_http2 should upgrade to 2.4.27.

Credit: The Apache HTTP Server security team would like to thank Robert Święcki for reporting this issue.

References: https://httpd.apache.org/security_report.html
CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest
CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: all versions through 2.2.33 and 2.4.26

Description: The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset by mod_auth_digest before or between successive key=value assignments. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault.

Mitigation: All users of httpd should upgrade to 2.4.27 (or minimally 2.2.34, which will receive no further security releases). Alternately, the administrator could configure httpd to reject requests with a header matching a complex regular expression identifying where the = character does not occur in the first key=value pair, as in the following syntax:
[Proxy-]Authorization: Digest key[,key=value]

Credit: The Apache HTTP Server security team would like to thank Robert Święcki for reporting this issue.

References: https://httpd.apache.org/security_report.html
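The interim mitigation above describes a header check rather than giving one. The following is an added example (not code from the advisory or the httpd project) that implements it: it splits a Digest credential into its comma-separated parameters, honouring quoted values that themselves contain commas, and flags the "Digest key[,key=value]" shape whose first parameter has no '='. The function names and the sample header values are constructed for this example.

```python
"""Added example (not httpd project code): detect the malformed Digest
credential shape described in the CVE-2017-9788 advisory, i.e. a
[Proxy-]Authorization: Digest header whose first parameter has no '='.
Helper names and the sample header values below are constructed."""
import re

# 'Digest' scheme token, then the raw parameter list that follows it.
DIGEST_PREFIX = re.compile(r'\s*Digest\b\s*(.*)$', re.IGNORECASE | re.DOTALL)

# One auth parameter: a token key, optionally '=' and a quoted-string
# (backslash escapes allowed) or a bare token, then ',' or end of input.
# The '=' part is optional so that a bare key, the shape the advisory
# describes ("Digest key[,key=value]"), is captured with val == None.
PARAM_RE = re.compile(
    r'\s*(?P<key>[^\s=,"]+)'
    r'(?:\s*=\s*(?P<val>"(?:[^"\\]|\\.)*"|[^\s,"]*))?'
    r'\s*(?:,|$)'
)

def parse_params(param_list):
    """Split the text after 'Digest' into (key, value) pairs, value None when
    the key carried no '='. Quoted values may contain commas (uri="/a,b"), so
    the list is consumed one parameter at a time rather than split on ','.
    Returns None when the text is not a well-formed parameter list."""
    params, pos = [], 0
    while pos < len(param_list):
        m = PARAM_RE.match(param_list, pos)
        if not m:
            return None
        params.append((m.group('key'), m.group('val')))
        pos = m.end()
    return params

def should_reject(header_value):
    """Apply the advisory's mitigation: reject a Digest credential whose first
    parameter lacks '=', or whose parameter list is empty or unparsable.
    Non-Digest schemes are out of scope and are never rejected here."""
    m = DIGEST_PREFIX.match(header_value)
    if not m:
        return False
    params = parse_params(m.group(1))
    if not params:          # None (unparsable) or [] (no parameters at all)
        return True
    return params[0][1] is None

def bare_keys(header_value):
    """All keys in a Digest credential that appear without '=', for logging;
    empty for non-Digest or unparsable input."""
    m = DIGEST_PREFIX.match(header_value)
    params = parse_params(m.group(1)) if m else None
    return [k for k, v in (params or []) if v is None]

# Constructed sample header values, not captured traffic.
SAMPLE_HEADERS = [
    'Digest username="alice", realm="example", nonce="n1", uri="/a,b", response="0123"',
    'Digest username, realm="example"',    # first key has no '=': reject
    'Digest realm="example", username',    # later bare key: logged, not the advisory's shape
    'Digest',                              # no parameters at all
    'Basic YWxpY2U6c2VjcmV0',              # not Digest: mitigation does not apply
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        verdict = "REJECT" if should_reject(h) else "accept"
        print(f"{verdict:7} bare={bare_keys(h)!r:14} {h}")
```

The same decision can be expressed server-side as a regular expression on the Authorization and Proxy-Authorization headers, as the advisory suggests; the parser form above is easier to unit-test against quoted values and odd whitespace before committing to a regex.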
[Announcement] Apache HTTP Server 2.4.28 Released
Apache HTTP Server 2.4.28 Released

October 5, 2017

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.28 of the Apache HTTP Server ("Apache"). This version of Apache is our latest GA release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project, and is recommended over all previous releases. This release of Apache is a security, feature, and bug fix release.

We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.4.28 is available for download from:
http://httpd.apache.org/download.cgi

Apache 2.4 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. For an overview of new features introduced since 2.4 please see:
http://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.4 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.4.28, includes only those changes introduced since the prior 2.4 release. A summary of all of the security vulnerabilities addressed in this and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_24.html

Of particular note in this release is 1 SECURITY item:

o SECURITY: CVE-2017-9798 (cve.mitre.org)
  Corrupted or freed memory access.
  or the RegisterHttpMethod directive must be given in the startup configuration (httpd.conf) to register non-standard HTTP methods before listing them in an .htaccess file.

This release requires the Apache Portable Runtime (APR), minimum version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may require the 1.6.x version of both APR and APR-Util. The APR libraries must be upgraded for all features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API. Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.4, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.

Please note that while the Apache HTTP Server Project may publish some security patches to the 2.2.x flavor through at least December of 2017, no further maintenance patches of 2.2.x will be considered and no further releases will be distributed. The 2.2.x branch has now reached the end of its maintenance, and users are strongly encouraged to promptly complete their transitions to this 2.4.x flavor of httpd to benefit from security and bug fixes, as well as new features.