[Security Release] Apache HTTP Server 2.0.43

2002-10-03 Thread William A. Rowe, Jr.


Apache 1.3.27 Released

   The Apache Software Foundation and The Apache Server Project are
   pleased to announce the release of version 1.3.27 of the Apache HTTP
   Server.  This Announcement notes the significant changes in 1.3.27
   as compared to 1.3.26.

   This version of Apache is principally a security and bug fix release.
   A summary of the bug fixes is given at the end of this document.
   Of particular note is that 1.3.27 addresses and fixes 3 security
   vulnerabilities.

   CAN-2002-0839 (cve.mitre.org)[1]: A vulnerability exists in all versions 
   of Apache prior to 1.3.27 on platforms using System V shared memory based
   scoreboards.  This vulnerability allows an attacker who can execute under
   the Apache UID to exploit the Apache shared memory scoreboard format and
   send a signal to any process as root or cause a local denial of service
   attack.  We thank iDefense for their responsible notification and 
   disclosure of this issue.

   CAN-2002-0840 (cve.mitre.org)[2]: Apache is susceptible to a cross site
   scripting vulnerability in the default 404 page of any web server hosted
   on a domain that allows wildcard DNS lookups.  We thank Matthew Murphy 
   for notification of this issue.
   
   CAN-2002-0843 (cve.mitre.org)[3]: There were some possible overflows 
   in ab.c which could be exploited by a malicious server. Note that this
   vulnerability is not in Apache itself, but rather one of the support
   programs bundled with Apache. We thank David Wagner for the responsible
   notification and disclosure of this issue.

   We consider Apache 1.3.27 to be the best version of Apache 1.3 available
   and we strongly recommend that users of older versions, especially of
   the 1.1.x and 1.2.x family, upgrade as soon as possible.  No further
   releases will be made in the 1.2.x family.

   Apache 1.3.27 is available for download from
   
   http://www.apache.org/dist/httpd/

   Please see the CHANGES_1.3 file in the same directory for a full list
   of changes.

   Binary distributions are available from

   http://www.apache.org/dist/httpd/binaries/

   The source and binary distributions are also available via any of the
   mirrors listed at

   http://www.apache.org/mirrors/

   As of Apache 1.3.12 binary distributions contain all standard Apache
   modules as shared objects (if supported by the platform) and include
   full source code.  Installation is easily done by executing the
   included install script.  See the README.bindist and INSTALL.bindist
   files for a complete explanation.  Please note that the binary
   distributions are only provided for your convenience and current
   distributions for specific platforms are not always available. Win32
   binary distributions are based on the Microsoft Installer (.MSI)
   technology.  While development continues to make this installation method
   more robust, questions should be directed to the
   news:comp.infosystems.www.servers.ms-windows newsgroup.

   For an overview of new features introduced after 1.2 please see
   
   http://httpd.apache.org/docs/new_features_1_3.html

   In general, Apache 1.3 offers several substantial improvements over
   version 1.2, including better performance, reliability and a wider
   range of supported platforms, including Windows NT and 2000 (which
   fall under the "Win32" label), OS2, Netware, and TPE threaded
   platforms.

   IMPORTANT NOTE FOR APACHE USERS:   Apache 1.3 was designed for Unix OS
   variants.  While  the ports to non-Unix platforms (such as Win32, Netware
   or OS2) are of an acceptable quality, Apache 1.3 is not optimized for
   these platforms.  Security, stability, or performance issues on these
   non-Unix ports do not generally apply to the Unix version, due to the
   software's Unix origin.

   Apache 2.0 has been structured for multiple operating systems from its 
   inception, by introducing the Apache Portability Library and MPM modules.
   Users on non-Unix platforms are strongly encouraged to move up to 
   Apache 2.0 for better performance, stability and security on their
   platforms.

   Apache is the most popular web server in the known universe; over half
   of the servers on the Internet are running Apache or one of its
   variants.


 Apache 1.3.27 Major changes

  Security vulnerabilities

 * Fix the security vulnerability noted in CAN-2002-0839 (cve.mitre.org)
   regarding ownership permissions of System V shared memory based
   scoreboards.  The fix resulted in the new ShmemUIDisUser directive.

 * Fix the security vulnerability noted in CAN-2002-0840 (cve.mitre.org)
   regarding a cross-site scripting vulnerability in the default error
   page when using wildcard DNS.

 * Fix the security vulnerability noted in CAN-2002-0843 (cve.mitre.org)
   regarding some possible overflows in ab.c which could be exploited by
   a 

[ANNOUNCE] Apache 2.0.45 Released

2003-04-02 Thread William A. Rowe, Jr.

Apache 2.0.45 Released

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the eighth public release of the Apache 2.0
HTTP Server.  This Announcement notes the significant changes in
2.0.45 as compared to 2.0.44.

OS2 users; note that Apache 2.0 versions *including* 2.0.45 still
have a Denial of Service vulnerability that was identified and reported 
by Robert Howard <[EMAIL PROTECTED]> that will be fixed with the release
of 2.0.46, but is too important to delay announcement today.  The patch
http://cvs.apache.org/viewcvs/apr/file_io/os2/filestat.c.diff?r1=1.34&r2=1.35
must be applied before building on OS2.  This patch will already 
be applied to all OS2 binaries released for Apache 2.0.45.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0134]

This version of Apache is principally a security and bug fix release.
A summary of the bug fixes is given at the end of this document.
Of particular note is that 2.0.45 addresses two security
vulnerabilities, both affecting all platforms.

Prior Apache 2.0 versions through 2.0.44 had a significant Denial of 
Service vulnerability that was identified and reported by David Endler 
<[EMAIL PROTECTED]>, and fixed with this release.  The specific 
details of this issue will be published by David Endler one week from 
this release, on April 7th.  No more specific information is disclosed 
at this time, but all Apache 2.0 users are encouraged to upgrade now.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132]

This release eliminated leaks of several file descriptors to child
processes, such as CGI scripts, which could constitute a security threat
on servers that run untrusted CGI scripts.  This issue was identified,
reported and addressed by Christian Kratzer <[EMAIL PROTECTED]> and
Bjoern A. Zeeb <[EMAIL PROTECTED]>.

The Apache Software Foundation would like to thank David Endler, 
Christian Kratzer, Bjoern Zeeb and Robert Howard for the responsible 
reporting of these issues.

Apache 2.0.42 and later releases mark a change in the Apache release 
process, and a new level of stability in the 2.0 series.  With the
release of Apache 2.0.42, we will make every effort to retain 
forward compatibility so that upgrading along the 2.0 series should 
be much easier.  This compatibility extends from Apache release 2.0.42, 
so users of that version or later should be able to upgrade without 
changing configurations or updating DSO modules.  (Users of earlier 
releases will need to recompile all modules in order to upgrade 
to 2.0.42 or later versions.)

We consider this release to be the best version of Apache available
and encourage users of all prior versions to upgrade.

Apache 2.0.45 source code is available for download from

  http://www.apache.org/dist/httpd/

Apache 2.0.45 binary releases will become available for download from

  http://www.apache.org/dist/httpd/binaries/

Please see the CHANGES_2.0 file, linked from the above page, for
a full list of changes.

Apache 2.0 offers numerous enhancements, improvements, and performance
boosts over the 1.3 codebase.  For an overview of new features introduced
after 1.3 please see

  http://httpd.apache.org/docs-2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep
in mind the following:

If you intend to use Apache with one of the threaded MPMs, you must
ensure that the modules (and the libraries they depend on) that you
will be using are thread-safe.  Please contact the vendors of these
modules to obtain this information.


Apache 2.0.45 Major changes

Security vulnerabilities closed since Apache 2.0.44

 *) SECURITY [CAN-2003-0132]: Close a Denial of Service vulnerability
identified by David Endler <[EMAIL PROTECTED]> on all platforms.
Details embargoed until their announcement on 7 April 2003.

 *) SECURITY:  Eliminated leaks of several file descriptors to child
processes, such as CGI scripts.  This fix depends on the latest
APR library release 0.9.2, which is distributed with the httpd 
source tarball for Apache 2.0.45.  PR 17206

Bugs fixed and features added since Apache 2.0.44

 *) Prevent endless loops of internal redirects in mod_rewrite by
aborting after exceeding a limit of internal redirects. The
limit defaults to 10 and can be changed using the RewriteOptions
directive. PR 17462.

 *) Configurable compression level for mod_deflate.

 *) Allow SSLMutex to select/use the full range of APR locking
mechanisms available to it (e.g. same choices as AcceptMutex.)

 *) mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot
be started on Unix because of such problems as bad permissions,
bad shebang line, etc.

 *) Try to log an error if a piped log program fails and try to
restart a piped log program in more failure situations.

 *) Added support for mod_auth_LDAP, with a new AuthLDAPCharsetConfig 
directive, to convert extended c

[Announce] Apache HTTP Server 2.0.55 Released

2005-10-14 Thread William A. Rowe, Jr.

  Apache HTTP Server 2.0.55 Released

  The Apache Software Foundation and The Apache HTTP Server Project are
  pleased to announce the release of version 2.0.55 of the Apache HTTP
  Server ("Apache").  This Announcement notes the significant changes
  in 2.0.55 as compared to 2.0.55.  This Announcement2.0 document may 
  also be available in multiple languages at:


   http://www.apache.org/dist/httpd/

  This version of Apache is principally a security release.  The
  following potential security flaws are addressed, the first three 
  of which address several classes of HTTP Request and Response 
  Splitting/Spoofing attacks;


  CAN-2005-2088 (cve.mitre.org)

core: If a request contains both Transfer-Encoding and Content-Length
headers, remove the Content-Length.

proxy_http: Correctly handle the Transfer-Encoding and Content-Length
request headers.  Discard the request Content-Length whenever chunked
T-E is used, always passing one of either C-L or T-E chunked whenever 
the request includes a request body.


  Unassigned

proxy_http: If a response contains both Transfer-Encoding and a
Content-Length, remove the Content-Length and don't reuse the
connection.

  CAN-2005-2700 (cve.mitre.org)

mod_ssl: Fix a security issue where "SSLVerifyClient" was not
enforced in per-location context if "SSLVerifyClient optional"
was configured in the vhost configuration.

  CAN-2005-2491 (cve.mitre.org)

pcre: Fix integer overflows in PCRE in quantifier parsing which
could be triggered by a local user through use of a carefully
crafted regex in an .htaccess file.

  CAN-2005-2728 (cve.mitre.org)

Fix cases where the byterange filter would buffer responses
into memory.

  CAN-2005-1268 (cve.mitre.org)

mod_ssl: Fix off-by-one overflow whilst printing CRL information
at "LogLevel debug" which could be triggered if configured 
to use a "malicious" CRL.


  The Apache HTTP Project thanks all of the reporters of these
  issues and vulnerabilities for the responsible reporting and
  thorough analysis of these vulnerabilities.

  This release further addresses a number of cross-platform bugs,
  as well as specific issues on OS/X 10.4, Win32, AIX and all EBCDIC
  platforms, and adds compatibility with OpenSSL 0.9.8.

  This release is compatible with modules compiled for 2.0.42 and
  later versions.  We consider this release to be the best version
  of Apache available and encourage users of all prior versions to
  upgrade.

  This release includes the Apache Portable Runtime library suite
  release version 0.9.7, bundled with the tar and zip distributions.
  These libraries (libapr, libaprutil and, on Win32, libapriconv) must
  all be updated to ensure binary compatibility and address many
  known platform bugs.

  Apache HTTP Server 2.0.55 is available for download from

http://httpd.apache.org/download.cgi

  Please see the CHANGES_2.0 file, linked from the above page, for
  a full list of changes.  A condensed list, CHANGES_2.0.55 provides
  the complete list of changes since 2.0.54, including changes to 
  the APR suite of libraries.


  Apache 2.0 offers numerous enhancements, improvements, and performance
  boosts over the 1.3 codebase.  For an overview of new features introduced
  after 1.3 please see

http://httpd.apache.org/docs/2.0/new_features_2_0.html

  When upgrading or installing this version of Apache, please keep
  in mind the following:  If you intend to use Apache with one of the 
  threaded MPMs, you must ensure that the modules (and the libraries 
  they depend on) that you will be using are thread-safe.  Please 
  refer to the documentation of these modules and libraries to obtain 
  this information.
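The CAN-2005-2088 header rules quoted in this announcement, applied to constructed header blocks as an added illustration (this is example code, not httpd source; the parser, the sample request and response, and the function names are assumptions of the example). It covers the core rule (drop Content-Length when Transfer-Encoding is also present), the proxy_http request rule (drop C-L when chunked T-E is used, otherwise forward exactly one framing header when a body is present) and the proxy_http response rule (drop C-L and do not reuse the backend connection).

```python
# Added example, not httpd source: applies the CAN-2005-2088 header rules
# quoted in the announcement (core and proxy_http) to raw header blocks,
# so the "both Transfer-Encoding and Content-Length" cases can be checked.
from typing import List, Tuple

Header = Tuple[str, str]


def parse_header_block(raw: str) -> Tuple[str, List[Header]]:
    """Split a raw header block (CRLF or LF line endings) into the start
    line and a list of (name, value) pairs.  Obsolete line folding is
    rejected rather than guessed at, since a folded continuation line is
    itself a framing ambiguity."""
    lines = raw.replace("\r\n", "\n").split("\n")
    start_line = lines[0]
    headers: List[Header] = []
    for line in lines[1:]:
        if line == "":
            break  # blank line terminates the header block
        if line[0] in " \t":
            raise ValueError("obsolete line folding not accepted")
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return start_line, headers


def _values(headers: List[Header], name: str) -> List[str]:
    """All values of the named header, matched case-insensitively."""
    return [v for n, v in headers if n.lower() == name]


def has_chunked_te(headers: List[Header]) -> bool:
    """True when a Transfer-Encoding header lists the 'chunked' coding."""
    for value in _values(headers, "transfer-encoding"):
        if "chunked" in (c.strip().lower() for c in value.split(",")):
            return True
    return False


def _drop_content_length(headers: List[Header]) -> List[Header]:
    return [(n, v) for n, v in headers if n.lower() != "content-length"]


def normalize_request_headers(headers: List[Header]) -> List[Header]:
    """core rule: a request carrying both Transfer-Encoding and
    Content-Length loses its Content-Length, so only one framing is
    ever honoured."""
    if _values(headers, "transfer-encoding") and _values(headers, "content-length"):
        return _drop_content_length(headers)
    return list(headers)


def frame_forwarded_request(headers: List[Header], body: bytes) -> List[Header]:
    """proxy_http request rule: discard Content-Length whenever chunked
    T-E is used; otherwise, if there is a body, make sure exactly one of
    C-L or chunked T-E is forwarded by adding C-L when it is missing."""
    if has_chunked_te(headers):
        return _drop_content_length(headers)
    out = list(headers)
    if body and not _values(headers, "content-length"):
        out.append(("Content-Length", str(len(body))))
    return out


def normalize_response_headers(headers: List[Header]) -> Tuple[List[Header], bool]:
    """proxy_http response rule: a backend response carrying both
    Transfer-Encoding and Content-Length loses its Content-Length, and
    the backend connection must not be returned to the pool.
    Returns (headers, reuse_connection)."""
    if _values(headers, "transfer-encoding") and _values(headers, "content-length"):
        return _drop_content_length(headers), False
    return list(headers), True


# Constructed samples (not captured traffic): framing headers that disagree.
SAMPLE_REQUEST = (
    "POST /submit HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Content-Length: 4\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Length: 100\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    _, req = parse_header_block(SAMPLE_REQUEST)
    print(normalize_request_headers(req))
    _, resp = parse_header_block(SAMPLE_RESPONSE)
    print(normalize_response_headers(resp))
```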





[Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released

2006-07-28 Thread William A. Rowe, Jr.

Apache HTTP Server 2.2.3 Released

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 2.2.3 of the Apache HTTP Server
("Apache").

This version of Apache is principally a bug and security fix release. The
following potential security flaws are addressed;

   CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
   mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
   and 2.2 since 2.2.0.

Depending on the manner in which Apache HTTP Server was compiled, this
software defect may result in a vulnerability which, in combination with
certain types of Rewrite rules in the web server configuration files,
could be triggered remotely. For vulnerable builds, the nature of the
vulnerability can be denial of service (crashing of web server processes)
or potentially allow arbitrary code execution. This issue has been rated
as having important security impact by the Apache HTTP Server Security
Team.

This flaw does not affect a default installation of Apache HTTP Server.
Users who do not use, or have not enabled, the Rewrite module mod_rewrite
are not affected by this issue. This issue only affects installations
using a Rewrite rule with the following characteristics:

  * The RewriteRule allows the attacker to control the initial part of the
rewritten URL (for example if the substitution URL starts with $1)
  * The RewriteRule flags do NOT include any of the following flags:
Forbidden (F), Gone (G), or NoEscape (NE).

Please note that ability to exploit this issue is dependent on the stack
layout for a particular compiled version of mod_rewrite. If the compiler
used to compile Apache HTTP Server has added padding to the stack
immediately after the buffer being overwritten, it will not be possible to
exploit this issue, and Apache HTTP Server will continue operating
normally.

The Apache HTTP Server project recommends that all users who have built
Apache from source apply the patch or upgrade to the latest level and
rebuild. Providers of Apache-based web servers in pre-compiled form will
be able to determine if this vulnerability applies to their builds. That
determination has no bearing on any other builds of Apache HTTP Server,
and Apache HTTP Server users are urged to exercise caution and apply
patches or upgrade unless they have specific instructions from the
provider of their web server. Statements from vendors can be obtained from
the US-CERT vulnerability note for this issue at:

 http://www.kb.cert.org/vuls/id/395412

The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for
the responsible reporting of this vulnerability.

We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.3 is available for download from:

 http://httpd.apache.org/download.cgi

Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features introduced
since 2.0 please see:

 http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page, for a full
list of changes.

Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also available
with this security fix. See the appropriate CHANGES from the url above.
The Apache HTTP Project developers strongly encourage all users to
migrate to Apache 2.2, as only limited maintenance is performed on these
legacy versions.

This release includes the Apache Portable Runtime (APR) version 1.2.7
bundled with the tar and zip distributions. The APR libraries libapr,
libaprutil, and (on Win32) libapriconv must all be updated to ensure
binary compatibility and address many known platform bugs.

This release builds on and extends the Apache 2.0 API. Modules written for
Apache 2.0 will need to be recompiled in order to run with Apache 2.2, but
no substantial reworking should be necessary.

 http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs, you must
ensure that any modules you will be using (and the libraries they depend
on) are thread-safe.
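A configuration audit for the two RewriteRule characteristics the advisory above lists for CVE-2006-3747, as an added example (not the project's code). It generalizes the advisory's "$1" example to any leading $N backreference, treats the long flag names forbidden/gone/noescape as equivalent to F/G/NE, and reports rules that match both characteristics; as the advisory notes, actual exploitability still depends on the stack layout of the particular build. The sample httpd.conf fragment and the function names are constructed for this example.

```python
# Added example, not the project's code: audits RewriteRule directives in
# an httpd configuration for the two characteristics the advisory lists as
# necessary for CVE-2006-3747 exposure (substitution starting with a $N
# backreference, and no F, G or NE flag).  Long flag names are treated as
# equivalent to their short forms; continuation lines are not handled.
import re
from typing import List, NamedTuple, Optional

# A token is either a double-quoted string or a run of non-whitespace.
_TOKEN = re.compile(r'"[^"]*"|\S+')
# Flags the advisory says take a rule out of scope, short and long forms.
_SAFE_FLAGS = {"f", "forbidden", "g", "gone", "ne", "noescape"}
# Substitution whose first characters come from a pattern capture group.
_LEADING_BACKREF = re.compile(r"^\$[1-9]")


class RewriteFinding(NamedTuple):
    line_no: int
    pattern: str
    substitution: str
    flags: List[str]


def _tokens(line: str) -> List[str]:
    """Tokenize one config line, stripping surrounding double quotes."""
    out = []
    for tok in _TOKEN.findall(line):
        if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
            tok = tok[1:-1]
        out.append(tok)
    return out


def parse_flags(token: Optional[str]) -> List[str]:
    """'[R=301,L,NE]' -> ['r', 'l', 'ne']; values after '=' are dropped."""
    if not token or not (token.startswith("[") and token.endswith("]")):
        return []
    return [f.split("=", 1)[0].strip().lower()
            for f in token[1:-1].split(",") if f.strip()]


def audit_rewrite_rules(config_text: str) -> List[RewriteFinding]:
    """Return every RewriteRule matching both advisory characteristics."""
    findings: List[RewriteFinding] = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = _tokens(line)
        if len(toks) < 3 or toks[0].lower() != "rewriterule":
            continue
        pattern, substitution = toks[1], toks[2]
        flags = parse_flags(toks[3]) if len(toks) > 3 else []
        if not _LEADING_BACKREF.match(substitution):
            continue  # start of the rewritten URL is fixed by the admin
        if _SAFE_FLAGS & set(flags):
            continue  # F, G or NE present: out of scope per the advisory
        findings.append(RewriteFinding(line_no, pattern, substitution, flags))
    return findings


# Constructed httpd.conf fragment (not from any real deployment).
SAMPLE_CONFIG = """\
# constructed sample
RewriteEngine On
RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
RewriteRule ^/go/(.*)$ $1 [R,L]
RewriteRule ^/blocked/(.*)$ $1 [F]
RewriteRule ^/raw/(.*)$ "$1" [NE,L]
RewriteRule ^/mirror/(.*)$ $1
"""

if __name__ == "__main__":
    for f in audit_rewrite_rules(SAMPLE_CONFIG):
        print(f"line {f.line_no}: RewriteRule {f.pattern} {f.substitution} "
              f"flags={f.flags or '-'}")
```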





[Announce] New (relocated) modules-dev@httpd.apache.org list

2006-09-08 Thread William A. Rowe, Jr.
Following a vote on dev@httpd.apache.org, and with input from the project
participants on the [EMAIL PROTECTED] Authors' discussion list,
the httpd project is pleased to announce the creation of a new modules-dev
list at httpd.apache.org.  Current subscribers to the apache-modules list
will not be automatically moved, but are encouraged to subscribe themselves.

This mailing list is for people who are actually involved in writing third-party
or private modules for the Apache HTTP server. It is a peer support list for
programmers to discuss issues surrounding the development of web server modules
using the Apache HTTP Server module and APR APIs.

This community was historically hosted at [EMAIL PROTECTED], and those
posts are still archived on MARC and should continue to be available for perusing.

Details are available here;

  http://httpd.apache.org/lists.html#modules-dev

and you can subscribe immediately by sending a blank email to;

  [EMAIL PROTECTED]

The prior apache-modules list will be closed in three days' time, and we hope
to see all of the current participants at modules-dev!


[Announce] Apache HTTP Server 2.2.4 Released

2007-01-10 Thread William A. Rowe, Jr.

Apache HTTP Server 2.2.4 Released

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.4 of the Apache HTTP Server
("Apache").  This version of Apache is principally a bugfix release.

We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.4 is available for download from:

  http://httpd.apache.org/download.cgi

Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase.  For an overview of new features introduced
since 2.0 please see:

  http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page, for
a full list of changes.  A summary of security vulnerabilities which
were addressed in the previous 2.2.3 and earlier releases is available:

  http://httpd.apache.org/security/vulnerabilities_22.html

Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also currently
available.  See the appropriate CHANGES from the url above.  See the
corresponding CHANGES files linked from the download page.  The Apache
HTTP Project developers strongly encourage all users to migrate to
Apache 2.2, as only limited maintenance is performed on these legacy
versions.

This release includes the Apache Portable Runtime (APR) version 1.2.8
bundled with the tar and zip distributions.  The APR libraries libapr
and libaprutil (and on Win32, libapriconv) must all be updated to ensure
binary compatibility and address many known platform bugs.

This release builds on and extends the Apache 2.0 API.  Modules written
for Apache 2.0 will need to be recompiled in order to run with Apache 2.2,
and require minimal or no source code changes.

  http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be using
(and the libraries they depend on) are thread-safe.



Apache Portable Runtime 1.2.12 Released

2007-11-26 Thread William A. Rowe, Jr.

Apache Portable Runtime 1.2.12 Released

   The Apache Software Foundation and the Apache Portable Runtime
   Project are proud to announce the General Availability of
   version 1.2.12 of the APR Apache Portable Runtime library.

   The Project further announces the General Availability of APR-util
   version 1.2.12, the companion Apache Portable Utility library,
   and APR-iconv version 1.2.1, an alternative portable implementation
   of the 'iconv' library.

   In conjunction with this release, the project also announces the
   General Availability of legacy version 0.9.17 release of the older
   APR 0.x library.  Corresponding versions of its companion libraries
   APR-util version 0.9.15 and APR-iconv version 0.9.7 remain current.

   APR is available for download from:

 http://apr.apache.org/download.cgi

   This version of APR is principally a bug fix release, including
   fixes for specific platforms' configuration, feature detection,
   and run time behavior.  Most developers are encouraged to adopt
   the latest APR 1.x version to ensure the most comprehensive
   support and access to the latest features and enhancements.

   The mission of the Apache Portable Runtime Project is to create
   and maintain software libraries that provide a predictable and
   consistent interface to underlying platform-specific
   implementations. The primary goal is to provide an API to
   which software developers may code and be assured of predictable
   if not identical behavior regardless of the platform on which
   their software is built, relieving them of the need to code
   special-case conditions to work around or take advantage of
   platform-specific deficiencies or features.

   APR and its companion libraries are implemented entirely in C
   and provide a common programming interface across a wide variety
   of operating system platforms without sacrificing performance.
   Currently supported platforms include:

 UNIX variants
 Windows
 Netware
 Mac OS X
 OS/2

   To give a brief overview, the primary core
   subsystems of APR 1.2 include the following:

 Atomic operations
 Dynamic Shared Object loading
 File I/O
 Locks (mutexes, condition variables, etc)
 Memory management (high performance allocators)
 Memory-mapped files
 Multicast Sockets
 Network I/O
 Shared memory
 Thread and Process management
 Various data structures (tables, hashes, priority queues, etc)

   For a more complete list, please refer to the following URLs:

 http://apr.apache.org/docs/apr/modules.html
 http://apr.apache.org/docs/apr-util/modules.html

   Users of APR 0.9 should be aware that migrating to the APR 1.x
   programming interfaces may require some adjustments; APR 1.x is
   neither source nor binary compatible with earlier APR 0.9 releases.
   Users of APR 1.x can expect consistent interfaces and binary backwards
   compatibility throughout the entire APR 1.x release cycle, as defined
   in our versioning rules:

 http://apr.apache.org/versioning.html

   APR is already used extensively by the Apache HTTP Server
   version 2 and the Subversion revision control system, to
   name but a few.  We list many known projects using APR at
   http://apr.apache.org/projects.html -- so please let us know
   if you find our libraries useful in your own projects!



[Announce] Apache HTTP Server (httpd) 2.2.15 Released

2010-03-06 Thread William A. Rowe Jr.
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release and immediate availability of version
2.2.15 of the Apache HTTP Server ("httpd").  This version of httpd is
principally a security and bug fix release.

Notably, this release was updated to reflect the OpenSSL Project's
release 0.9.8m of the openssl library, and addresses CVE-2009-3555
(cve.mitre.org), the TLS renegotiation prefix injection attack.
This release further addresses the issues CVE-2010-0408, CVE-2010-0425
and CVE-2010-0434 within mod_proxy_ajp, mod_isapi and mod_headers
respectively.

We consider this release to be the best version of httpd available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.15 is available for download from:

  http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes.  A condensed list, CHANGES_2.2.15 provides the
complete list of changes since 2.2.14. A summary of security
vulnerabilities which were addressed in the previous 2.2.14 and earlier
releases is available:

  http://httpd.apache.org/security/vulnerabilities_22.html

Apache HTTP Server 2.2.15 is compatible with Apache Portable Runtime
(APR) versions 1.3 and 1.4, APR-util library version 1.3, and
APR-iconv library version 1.2.  The most current releases should
be used to address known security and platform bugs.  At the time of
this httpd release, the recommended APR releases are:

  * Apache Portable Runtime (APR) library version 1.4.2 (bundled),
or at minimum, version 1.3.12
  * APR-util library version 1.3.9 (bundled)
  * APR-iconv library version 1.2.1 (only bundled in win32-src.zip)

Older releases of these libraries have known vulnerabilities or other
defects affecting httpd.  For further information and downloads, visit:

  http://apr.apache.org/

Apache HTTP Server 2.2 offers numerous enhancements, bug fixes, and
performance enhancements over the 2.0 codebase.  For an overview of
new features introduced since 2.0 please see:

  http://httpd.apache.org/docs/2.2/new_features_2_2.html

This release builds upon and extends the httpd 2.0 API.  Modules written
for httpd 2.0 will need to be recompiled in order to run with httpd 2.2,
and may require minimal or no source code changes.

When upgrading or installing this version of httpd, please bear in mind
that if you intend to use httpd with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.


[advisory] httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068

2010-06-11 Thread William A. Rowe Jr.
Vulnerability; httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068

Classification; important

Description;

A timeout detection flaw in the httpd mod_proxy_http module causes
proxied response to be sent as the response to a different request,
and potentially served to a different client, from the HTTP proxy
pool worker pipeline.

This may represent a confidential data revealing flaw.

This affects only Netware, Windows or OS2 builds of httpd version
2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha, when the proxy
worker pools have been enabled.  Earlier 2.2, 2.0 and 1.3 releases
were not affected.

Acknowledgements;

We would like to thank Loren Anderson for the thorough research
and reporting of this flaw.

Mitigation;

Apply any one of the following mitigations to avert the possibility
of confidential information disclosure.

* Do not load mod_proxy_http.

* Do not configure/enable any http proxy worker pools with ProxySet
  or ProxyPass optional arguments.

* The straightforward workaround to disable mod_proxy_http's reuse
  of backend connection pipelines is to set the following global
  directive;

SetEnv proxy-nokeepalive 1

* Replace mod_proxy_http.so with a patched version, for source code
  see http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/ or
  http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/ and for
  binaries see the http://www.apache.org/dist/httpd/binaries/ tree
  for win32 or netware, as appropriate.

* Upgrade to Apache httpd 2.2.16 or higher, once released.  There
  is no tentative release date scheduled.

Update Released; 11th June 2010



[announce] Apache HTTP Server 2.2.17 and 2.0.64 Released

2010-10-19 Thread William A. Rowe Jr.

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.17 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a bug fix
   release, and a security fix release of the APR-util 1.3.10 dependency;

 * SECURITY: CVE-2010-1623 (cve.mitre.org)
   Fix a denial of service attack against apr_brigade_split_line().

 * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
   Fix two buffer over-read flaws in the bundled copy of expat which
   could cause httpd to crash while parsing specially-crafted
   XML documents.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.2.17 is available for download from:

 http://httpd.apache.org/download.cgi

   Apache HTTP Server 2.0.64 legacy release is also currently available,
   with the same vulnerability correction as well as many others fixed in
   2.2.16 and earlier releases.  See the corresponding CHANGES files linked
   from the download page.  The Apache HTTP Project developers strongly
   encourage all users to migrate to Apache 2.2, as only limited and less
   frequent maintenance is provided for legacy versions.

   Apache 2.2 offers numerous enhancements, improvements, and performance
   boosts over the 2.0 codebase.  For an overview of new features
   introduced since 2.0 please see:

 http://httpd.apache.org/docs/2.2/new_features_2_2.html

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.17 provides the
   complete list of changes since 2.2.16.  A summary of all of the security
   vulnerabilities addressed in this and earlier releases is available:

 http://httpd.apache.org/security/vulnerabilities_22.html

   This release includes the Apache Portable Runtime (APR) version 1.4.2
   and APR Utility Library (APR-util) version 1.3.10, bundled with the tar
   and zip distributions.  The APR libraries libapr and libaprutil (and
   on Win32, libapriconv version 1.2.1) must all be updated to ensure
   binary compatibility and address many known security and platform bugs.

   This release builds on and extends the Apache 2.0 API.  Modules written
   for Apache 2.0 will need to be recompiled in order to run with Apache
   2.2, and require minimal or no source code changes.

 http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.


[Announce] Apache HTTP Server 2.2.18 Released

2011-05-11 Thread William A. Rowe Jr.
   Apache HTTP Server 2.2.18 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.18 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a bug fix
   release, and a security fix release of the APR 1.4.4 dependency;

 * SECURITY: CVE-2011-0419 (cve.mitre.org)
   apr_fnmatch flaw leads to mod_autoindex remote DoS
   Where mod_autoindex is enabled, and a directory indexed by
   mod_autoindex contained files with sufficiently long names,
   a carefully crafted request may cause excessive CPU usage
   Upgrading to APR 1.4.4, or setting the 'IgnoreClient' option
   of the 'IndexOptions' directive circumvents this risk.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.2.18 is available for download from:

 http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.18 provides the
   complete list of changes since 2.2.17.  A summary of all of the security
   vulnerabilities addressed in this and earlier releases is available:

 http://httpd.apache.org/security/vulnerabilities_22.html

   This release includes the Apache Portable Runtime (APR) version 1.4.4
   and APR Utility Library (APR-util) version 1.3.11, bundled with the tar
   and zip distributions.  The APR libraries libapr and libaprutil (and
   on Win32, libapriconv version 1.2.1) must all be updated to ensure
   binary compatibility and address many known security and platform bugs.

   Apache 2.2 offers numerous enhancements, improvements, and performance
   boosts over the 2.0 codebase.  For an overview of new features
   introduced since 2.0 please see:

 http://httpd.apache.org/docs/2.2/new_features_2_2.html

   This release builds on and extends the Apache 2.0 API.  Modules written
   for Apache 2.0 will need to be recompiled in order to run with Apache
   2.2, and require minimal or no source code changes.

 http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.



[Announce] Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11

2011-05-19 Thread William A. Rowe Jr.

New releases are in progress for each of these projects and are
expected to be available in the coming days.  The upcoming httpd
2.2.19 will bundle new releases of apr and apr-util which correct
the regressions described below.  An announcement of these releases
will be broadcast.

Note: httpd 2.2.18 bundles apr 1.4.4 and apr-util 1.3.11.

Summary of regressions:

httpd 2.2.18: The ap_unescape_url_keep2f() function signature was changed.
This breaks binary compatibility of a number of third-party modules. In
addition, a regression in apr 1.4.4 (see below) could cause httpd to hang.

apr 1.4.4: A fix in apr 1.4.4 apr_fnmatch() to address CVE-2011-0419
introduced a new vulnerability.  A patch is attached and should be used
if httpd workers enter a hung state (100% cpu utilization) after updating
to httpd 2.2.18 or apr-util 1.4.4, or if hangs are seen in other apr
applications which use apr_fnmatch().

apr-util 1.3.11: A fix to LDAP support in apr-util 1.3.11 could cause
crashes with httpd's mod_authnz_ldap in some situations.


--- srclib\apr\strings\apr_fnmatch.orig Mon May 02 23:51:24 2011
+++ srclib\apr\strings\apr_fnmatch.cWed May 18 13:09:52 2011
@@ -196,7 +196,10 @@
 const char *mismatch = NULL;
 int matchlen = 0;
 
-while (*pattern)
+if (*pattern == '*')
+goto firstsegment;
+
+while (*pattern && *string)
 {
 /* Match balanced slashes, starting a new segment pattern
  */
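Review bot: the new `goto firstsegment` jumps from outside the loop into the body of `while (*pattern && *string)`, bypassing the loop guard entirely for patterns that begin with '*'. That is presumably deliberate, since a leading '*' may legitimately match an empty string and the new `*string` conjunct in the guard would otherwise reject it, but nothing in the hunk says so. Suggest a comment above `if (*pattern == '*')` stating the intent, and a confirmation that the segment code entered at the label tolerates `*string == '\0'` on entry.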
@@ -207,6 +210,7 @@
 ++string;
 }
 
+firstsegment:
 /* At the beginning of each segment, validate leading period behavior.
  */
 if ((flags & APR_FNM_PERIOD) && (*string == '.'))
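Review bot: `firstsegment:` is a label inside a loop body that is the target of a goto from outside the loop, which a reader will not expect; the comment immediately below it documents leading-period handling, not the label itself. Suggest a one-line comment above the label, for example `/* entered directly when the pattern starts with '*' */`, so the jump into the loop is visibly intentional.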
@@ -361,9 +365,9 @@
 return APR_FNM_NOMATCH;
 }
 
-/* pattern is at EOS; if string is also, declare success
+/* Where both pattern and string are at EOS, declare success
  */
-if (!*string)
+if (!*string && !*pattern)
 return 0;
 
 /* pattern didn't match to the end of string */
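Review bot: the added `!*pattern` conjunct is required by the first hunk's change to the loop condition: now that the loop also exits when `*string` runs out, the previous `if (!*string)` alone would have returned 0 (a match) with unmatched pattern text still remaining. The updated comment should state that dependency, and a regression case pairing a pattern longer than its string with the hang case this patch is meant to fix would cover both the termination change and the correctness change.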


Apache HTTP Server 2.2.19 Released

2011-05-22 Thread William A. Rowe Jr.
   Apache HTTP Server 2.2.19 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.19 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a bug fix
   release, correcting regressions in the httpd 2.2.18 package; the use
   of that previous 2.2.18 package is discouraged due to these flaws:

 * SECURITY: CVE-2011-1928 (cve.mitre.org)
   A fix in bundled APR 1.4.4 apr_fnmatch() to address CVE-2011-0419
   introduced a new vulnerability.  httpd workers enter a hung state
   (100% cpu utilization) after updating to APR 1.4.4.  Upgrading to
   APR 1.4.5 bundled with the httpd 2.2.19 package, or using APR 1.4.3
   or prior with the 'IgnoreClient' option of the 'IndexOptions'
   directive will circumvent both issues.

 * httpd 2.2.18: The ap_unescape_url_keep2f() function signature was
   inadvertently changed. This breaks binary compatibility of a number
   of third-party modules.  This httpd-2.2.19 package restores the
   function signature provided by 2.2.17 and prior.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.2.19 is available for download from:

 http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.19 provides the
   complete list of changes since 2.2.18.  A summary of all of the security
   vulnerabilities addressed in this and earlier releases is available:

 http://httpd.apache.org/security/vulnerabilities_22.html

   This release includes the Apache Portable Runtime (APR) version 1.4.5
   and APR Utility Library (APR-util) version 1.3.12, bundled with the tar
   and zip distributions.  The APR libraries libapr and libaprutil (and
   on Win32, libapriconv version 1.2.1) must all be updated to ensure
   binary compatibility and address many known security and platform bugs.

   Apache 2.2 offers numerous enhancements, improvements, and performance
   boosts over the 2.0 codebase.  For an overview of new features
   introduced since 2.0 please see:

 http://httpd.apache.org/docs/2.2/new_features_2_2.html

   This release builds on and extends the Apache 2.0 API.  Modules written
   for Apache 2.0 will need to be recompiled in order to run with Apache
   2.2, and require minimal or no source code changes.

 http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.



Apache HTTP Server 2.2.21 Released

2011-09-13 Thread William A. Rowe Jr.
   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.21 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a security
   and bug fix release:

 * SECURITY: CVE-2011-3348 (cve.mitre.org)
   mod_proxy_ajp when combined with mod_proxy_balancer: Prevents
   unrecognized HTTP methods from marking ajp: balancer members
   in an error state, avoiding denial of service.

 * SECURITY: CVE-2011-3192 (cve.mitre.org)
   core: Further fixes to the handling of byte-range requests to use
   less memory, to avoid denial of service. This patch includes fixes
   to the patch introduced in release 2.2.20 for protocol compliance,
   as well as the MaxRanges directive.

   Note that further advisories on the state of CVE-2011-3192 will no longer
   be broadcast, but will be kept up to date at;

 http://httpd.apache.org/security/CVE-2011-3192.txt

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.2.21 is available for download from:

 http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.21 provides the
   complete list of changes since 2.2.19.  A summary of all of the security
   vulnerabilities addressed in this and earlier releases is available:

 http://httpd.apache.org/security/vulnerabilities_22.html

   This release includes the Apache Portable Runtime (APR) version 1.4.5
   and APR Utility Library (APR-util) version 1.3.12, bundled with the tar
   and zip distributions.  The APR libraries libapr and libaprutil (and
   on Win32, libapriconv version 1.2.1) must all be updated to ensure
   binary compatibility and address many known security and platform bugs.

   Apache 2.2 offers numerous enhancements, improvements, and performance
   boosts over the 2.0 codebase.  For an overview of new features
   introduced since 2.0 please see:

 http://httpd.apache.org/docs/2.2/new_features_2_2.html

   This release builds on and extends the Apache 2.0 API.  Modules written
   for Apache 2.0 will need to be recompiled in order to run with Apache
   2.2, and require minimal or no source code changes.

 http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.



Apache HTTP Server 2.2.22 Released

2012-01-31 Thread William A. Rowe Jr.
   Apache HTTP Server 2.2.22 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.22 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a security
   and bug fix release, including the following significant security fixes:

   * SECURITY: CVE-2011-3368 (cve.mitre.org)
 Reject requests where the request-URI does not match the HTTP
 specification, preventing unexpected expansion of target URLs in
 some reverse proxy configurations.

   * SECURITY: CVE-2011-3607 (cve.mitre.org)
 Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
 is enabled, could allow local users to gain privileges via a .htaccess
 file.

   * SECURITY: CVE-2011-4317 (cve.mitre.org)
 Resolve additional cases of URL rewriting with ProxyPassMatch or
 RewriteRule, where particular request-URIs could result in undesired
 backend network exposure in some configurations.

   * SECURITY: CVE-2012-0021 (cve.mitre.org)
 mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
 string is in use and a client sends a nameless, valueless cookie, causing
 a denial of service. The issue existed since version 2.2.17.

   * SECURITY: CVE-2012-0031 (cve.mitre.org)
 Fix scoreboard issue which could allow an unprivileged child process
 to cause the parent to crash at shutdown rather than terminate
 cleanly.

   * SECURITY: CVE-2012-0053 (cve.mitre.org)
 Fixed an issue in error responses that could expose "httpOnly" cookies
 when no custom ErrorDocument is specified for status code 400.

   The Apache HTTP Project thanks halfdog, Context Information Security Ltd,
   Prutha Parikh of Qualys, and Norman Hippert for bringing these issues to
   the attention of the security team.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.2.22 is available for download from:

 http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.22 includes only
   those changes introduced since the prior 2.2 release.  A summary of all
   of the security vulnerabilities addressed in this and earlier releases
   is available:

 http://httpd.apache.org/security/vulnerabilities_22.html

   This release includes the Apache Portable Runtime (APR) version 1.4.5
   and APR Utility Library (APR-util) version 1.4.2, bundled with the tar
   and zip distributions.  The APR libraries libapr and libaprutil (and
   on Win32, libapriconv version 1.2.1) must all be updated to ensure
   binary compatibility and address many known security and platform bugs.
   APR-util version 1.4 represents a minor version upgrade from earlier
   httpd source distributions, which previously included version 1.3.

   Apache 2.2 offers numerous enhancements, improvements, and performance
   boosts over the 2.0 codebase.  For an overview of new features
   introduced since 2.0 please see:

 http://httpd.apache.org/docs/2.2/new_features_2_2.html

   This release builds on and extends the Apache 2.0 API.  Modules written
   for Apache 2.0 will need to be recompiled in order to run with Apache
   2.2, and require minimal or no source code changes.

 http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.



Apache HTTP Server 2.2.24 Released

2013-02-26 Thread William A. Rowe Jr.
   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.24 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a security
   and bug fix maintenance release, including the following significant
   security fixes:

   * SECURITY: CVE-2012-3499 (cve.mitre.org)
 Various XSS flaws due to unescaped hostnames and URIs HTML output in
 mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.

   * SECURITY: CVE-2012-4558 (cve.mitre.org)
 XSS in mod_proxy_balancer manager interface.

   We consider the Apache HTTP Server 2.4.4 release to be the best version
   of Apache available, and encourage users of 2.2 and all prior versions
   to upgrade.  This 2.2 maintenance release is offered for those unable
   to do so at this time.  For further details, see

 http://www.apache.org/dist/httpd/Announcement2.4.txt

   Apache HTTP Server 2.4.4 and 2.2.24 are available for download from:

 http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.24 includes only
   those changes introduced since the prior 2.2 release.  A summary of all 
   of the security vulnerabilities addressed in this and earlier releases 
   is available:

 http://httpd.apache.org/security/vulnerabilities_22.html

   This release includes the Apache Portable Runtime (APR) version 1.4.6
   and APR Utility Library (APR-util) version 1.4.1, bundled with the tar
   and zip distributions.  The APR libraries libapr and libaprutil (and
   on Win32, libapriconv version 1.2.1) must all be updated to ensure
   binary compatibility and address many known security and platform bugs.
   APR-util version 1.4 represents a minor version upgrade from earlier
   httpd source distributions, which previously included version 1.3.

   This release builds on and extends the Apache 2.0 API and is superseded
   by the Apache 2.4 API.  Modules written for Apache 2.0 or 2.4 will need
   to be recompiled in order to run with Apache 2.2, and most will require
   minimal or no source code changes.

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.



[Announcement] Apache HTTP Server 2.2.27 Released

2014-03-26 Thread William A. Rowe Jr.
   Apache HTTP Server 2.2.27 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.27 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a security
   and bug fix maintenance release.

   CVE-2014-0098 (cve.mitre.org)
 Segfaults with truncated cookie logging.
 mod_log_config: Prevent segfaults when logging truncated
 cookies. Clean up the cookie logging parser to recognize
 only the cookie=value pairs, not valueless cookies.

   CVE-2013-6438 (cve.mitre.org)
 mod_dav: Keep track of length of cdata properly when removing
 leading spaces. Eliminates a potential denial of service from
 specifically crafted DAV WRITE requests

   We consider the Apache HTTP Server 2.4 release to be the best version
   of Apache available, and encourage users of 2.2 and all prior
   versions to upgrade.  This 2.2 maintenance release is offered for
   those unable to upgrade at this time.  For further details, see:

 http://www.apache.org/dist/httpd/Announcement2.4.txt

   Apache HTTP Server 2.4 and 2.2.27 are available for download from:

 http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.27 includes only
   those changes introduced since the prior 2.2 release.  A summary of
   all of the security vulnerabilities addressed in this and earlier
   releases is available:

 http://httpd.apache.org/security/vulnerabilities_22.html

   This release includes the Apache Portable Runtime (APR) version 1.5.0
   and APR Utility Library (APR-util) version 1.5.3, bundled with the
   tar and zip distributions.  The APR libraries libapr and libaprutil
   (and on Win32, libapriconv version 1.2.1) must all be updated to
   ensure binary compatibility and address many known security and
   platform bugs. APR version 1.5 and APR-util version 1.5 represent
   minor version upgrades from earlier httpd 2.2 source distributions.

   This release builds on and extends the Apache 2.0 API and is
   superseded by the Apache 2.4 API.  Modules written for Apache 2.0
   or 2.4 will need to be recompiled in order to run with Apache 2.2,
   and most will require minimal or no source code changes.

   When upgrading or installing this version of Apache, please bear in
   mind that if you intend to use Apache with one of the threaded MPMs
   (other than the Prefork MPM), you must ensure that any modules you
   will be using (and the libraries they depend on) are thread-safe.


[Announce] Apache HTTP Server 2.2.29 Released

2014-09-03 Thread William A. Rowe Jr.
   Apache HTTP Server 2.2.29 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.29 of the Apache HTTP
   Server ("Apache"). (Note that 2.2.28 was not released). This version
   of Apache is principally a security and bug fix maintenance release,
   and addresses these specific security defects as well as other fixes;

CVE-2014-0118 (cve.mitre.org)
 mod_deflate: The DEFLATE input filter (inflates request bodies) now
 limits the length and compression ratio of inflated request bodies to
 avoid denial of service via highly compressed bodies. See directives
 DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
 and DeflateInflateRatioBurst.

CVE-2014-0231 (cve.mitre.org)
 mod_cgid: Fix a denial of service against CGI scripts that do
 not consume stdin that could lead to lingering HTTPD child processes
 filling up the scoreboard and eventually hanging the server. By
 default, the client I/O timeout (Timeout directive) now applies to
 communication with scripts. The CGIDScriptTimeout directive can be
 used to set a different timeout for communication with scripts.

CVE-2014-0226 (cve.mitre.org)
 Fix a race condition in scoreboard handling, which could lead to
 a heap buffer overflow.

CVE-2013-5704 (cve.mitre.org)
 HTTP trailers could be used to replace HTTP headers late during
 request processing, potentially undoing or otherwise confusing
 modules that examined or modified request headers earlier.
 Adds "MergeTrailers" directive to restore this legacy behavior.

   We consider the Apache HTTP Server 2.4 release to be the best version
   of Apache available, and encourage users of 2.2 and all prior versions
   to upgrade. This 2.2 maintenance release is offered for those unable
   to upgrade at this time. For further details, see:

 http://www.apache.org/dist/httpd/Announcement2.4.txt

   Apache HTTP Server 2.4 and 2.2.29 are available for download from:

 http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes. A condensed list, CHANGES_2.2.29 includes only
   those changes introduced since the prior 2.2 release. A summary of all
   of the security vulnerabilities addressed in this and earlier releases
   is available:

 http://httpd.apache.org/security/vulnerabilities_22.html

   This release includes the Apache Portable Runtime (APR) version 1.5.1
   and APR Utility Library (APR-util) version 1.5.3, bundled with the tar
   and zip distributions. The APR libraries libapr and libaprutil (and
   on Win32, libapriconv version 1.2.1) must all be updated to ensure
   binary compatibility and address many known security and platform bugs.
   APR version 1.5 and APR-util version 1.5 represent minor version upgrades
   from earlier httpd 2.2 source distributions.

   This release builds on and extends the Apache 2.0 API and is superseded
   by the Apache 2.4 API. Modules written for Apache 2.0 or 2.4 will need
   to be recompiled in order to run with Apache 2.2, and most will require
   minimal or no source code changes.

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.
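An added example, not code from the announcement or from mod_deflate itself: a Python sketch of the kind of inflate limits the CVE-2014-0118 fix introduced. The three knobs are modelled on my reading of the directives named in the announcement (a cap on the inflated size, a maximum inflated:compressed ratio, and the number of consecutive ratio checks that may exceed it before the body is rejected); treat those semantics as an assumption about the module, not a copy of its code. The sample bodies are constructed inline, and output is produced in small chunks so a check runs before a large expansion is materialised.

```python
import os
import zlib


class InflateLimitExceeded(Exception):
    """Raised when an inflated body breaks the length or ratio limit."""

    def __init__(self, reason, detail):
        super().__init__(detail)
        self.reason = reason  # "length" or "ratio"


def inflate_with_limits(compressed, limit_body=1_000_000, ratio_limit=200,
                        ratio_burst=3, in_chunk=4096, out_chunk=8192):
    """Inflate a zlib-wrapped deflate body incrementally.

    Gives up as soon as the inflated size exceeds limit_body, or as soon as
    the inflated:compressed ratio has exceeded ratio_limit in more than
    ratio_burst consecutive checks (assumed semantics of the directives).
    """
    d = zlib.decompressobj()
    out = bytearray()
    consumed = 0   # compressed bytes handed to the inflater so far
    hits = 0       # consecutive checks that exceeded the ratio limit

    def check():
        nonlocal hits
        if len(out) > limit_body:
            raise InflateLimitExceeded(
                "length", "inflated body exceeds %d bytes" % limit_body)
        if consumed and len(out) / consumed > ratio_limit:
            hits += 1
            if hits > ratio_burst:
                raise InflateLimitExceeded(
                    "ratio", "ratio %.0f:1 exceeded %d:1 limit %d times in a row"
                    % (len(out) / consumed, ratio_limit, hits))
        else:
            hits = 0

    for off in range(0, len(compressed), in_chunk):
        data = compressed[off:off + in_chunk]
        consumed += len(data)
        while True:
            # max_length bounds how much output one call may produce
            piece = d.decompress(data, out_chunk)
            out += piece
            check()
            data = d.unconsumed_tail
            # a short piece with no input left over means nothing is pending
            if not data and len(piece) < out_chunk:
                break
    out += d.flush()
    check()
    return bytes(out)


# Constructed sample bodies (not from the announcement).
NORMAL = zlib.compress(b"hello world " * 100)          # modest ratio
INCOMPRESSIBLE = zlib.compress(os.urandom(200_000))    # ratio about 1:1
BOMB = zlib.compress(b"A" * 10_000_000)                # roughly 1000:1


def classify(compressed, **limits):
    """Return 'ok', 'length' or 'ratio' for a body under the given limits."""
    try:
        inflate_with_limits(compressed, **limits)
        return "ok"
    except InflateLimitExceeded as exc:
        return exc.reason
```

`classify(BOMB)` comes back "ratio" long before a megabyte has been inflated, because the ratio check fires on the first few kilobytes of input; `classify(INCOMPRESSIBLE, limit_body=100_000)` comes back "length", since random data never trips the ratio test but still exceeds a small size cap.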


[Announcement] Apache HTTP Server 2.2.34 Released

2017-07-11 Thread William A Rowe Jr
   July 11, 2017

   The Apache Software Foundation and the Apache HTTP Server Project
   announce the release of version 2.2.34 of the Apache HTTP Server
   ("Apache"), the final maintenance release of the 2.2 series. No
   further 2.2 releases are anticipated. This version of Apache is
   principally a security and bug fix maintenance release.

   We consider the current Apache HTTP Server 2.4 release to be the best
   version of Apache available, and encourage every user of 2.2 and all
   prior versions to upgrade. This final 2.2 release is offered for those
   unable to upgrade at this moment.

   Take note that Apache Web Server Project will provide no future release
   of the 2.2.x series, although some security patches may be published
   through December of 2017. These will be collected at the URL;

 http://www.apache.org/dist/httpd/patches/apply_to_2.2.34/

   No further maintenance patches of 2.2.x will be published. Users are
   strongly encouraged to promptly complete their transitions to the
   2.4.x flavor of httpd to receive any future benefit from the user
   community or the Apache HTTP Server project developers.

   For further details about the currently supported release, see:

 http://www.apache.org/dist/httpd/Announcement2.4.txt

   Apache HTTP Server 2.4 and 2.2.34 are available for download from:

 http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes. A condensed list, CHANGES_2.2.34 includes only
   those changes introduced since the prior 2.2 release. A summary of all
   of the security vulnerabilities addressed in this and earlier releases
   is available:

 http://httpd.apache.org/security/vulnerabilities_22.html

   Note that the Apache HTTP Server project will discontinue evaluations
   and corresponding advisories to this resource effective January, 2018.

   This release includes the Apache Portable Runtime (APR) version 1.5.2
   and APR Utility Library (APR-util) version 1.5.4, bundled with the tar
   and zip distributions. The APR libraries libapr and libaprutil (and
   on Win32, libapriconv version 1.2.1) must all be updated to ensure
   binary compatibility and address many known security and platform bugs.
   APR version 1.5 and APR-util version 1.5 represent minor version upgrades
   from earlier httpd 2.2 source distributions.

   Note this package also includes very stale and known-vulnerable versions
   of the Expat [http://expat.sourceforge.net/] and PCRE [http://www.pcre.org/]
   packages. Users are strongly encouraged to first install the most recent
   versions of these components (of PCRE 8.x, not PCRE2 10.x at this time.)

   This release builds on and extends the Apache 2.0 API and is superseded
   by the Apache 2.4 API. Modules written for Apache 2.2 will need to be
   recompiled in order to run with Apache 2.4, and most will require minimal
   or no source code changes.


CVE-2017-9789: Apache httpd 2.4 Read after free in mod_http2

2017-07-13 Thread William A Rowe Jr
CVE-2017-9789: Read after free in mod_http2.c

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.26

Description:
When under stress, closing many connections, the HTTP/2
handling code would sometimes access memory after it has
been freed, resulting in potentially erratic behaviour.

Mitigation:
2.4.26 users of mod_http2 should upgrade to 2.4.27.

Credit:
The Apache HTTP Server security team would like to thank Robert Święcki
for reporting this issue.

References:
https://httpd.apache.org/security_report.html


CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

2017-07-13 Thread William A Rowe Jr
CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
all versions through 2.2.33 and 2.4.26

Description:
The value placeholder in [Proxy-]Authorization headers
of type 'Digest' was not initialized or reset
before or between successive key=value assignments
by mod_auth_digest.
Providing an initial key with no '=' assignment
could reflect the stale value of uninitialized pool
memory used by the prior request, leading to leakage
of potentially confidential information, and a segfault.

Mitigation:
All users of httpd should upgrade to 2.4.27 (or minimally
2.2.34, which will receive no further security releases.)
Alternately, the administrator could configure httpd to
reject requests with a header matching a complex regular
expression identifying where the '=' character does not occur
in the first key=value pair, as in the following syntax;
[Proxy-]Authorization: Digest key[,key=value]

Credit:
The Apache HTTP Server security team would like to thank Robert Święcki
for reporting this issue.

References:
https://httpd.apache.org/security_report.html
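As an added example, not part of the advisory and not httpd's own code: a small Python check for the header shape the mitigation above describes. It splits the parameter list of a Digest [Proxy-]Authorization value on commas outside quotes and flags a value whose first parameter carries no '=', which is the condition a reject rule would match; the companion parser skips valueless keys outright rather than assigning them anything, so a bare key can never pick up a leftover value. The sample header values are constructed here.

```python
import re

# Constructed sample header values (not from the advisory).  GOOD opens
# with a well-formed key=value pair, BAD opens with a bare key, OTHER is
# a different scheme that the check must leave alone.
GOOD = ('Digest username="alice", realm="example.org", nonce="dcd98b7102dd2f0e",'
        ' uri="/dir/index.html", response="6629fae49393a05397450978507c4ef1"')
BAD = 'Digest username, realm="example.org", nonce="dcd98b7102dd2f0e"'
OTHER = 'Basic YWxpY2U6c2VjcmV0'

# Scheme token, then an optional parameter list.
_DIGEST = re.compile(r'^\s*Digest(?:\s+(.*))?\s*$', re.IGNORECASE | re.DOTALL)


def split_params(params):
    """Split a Digest parameter list on commas that sit outside quotes.

    Quoted values may legitimately contain commas; backslash escapes inside
    quotes are passed through untouched."""
    items, buf, in_quote, i = [], [], False, 0
    while i < len(params):
        c = params[i]
        if in_quote and c == '\\' and i + 1 < len(params):
            buf.append(params[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == ',' and not in_quote:
            items.append(''.join(buf).strip())
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    items.append(''.join(buf).strip())
    return [item for item in items if item]


def leading_key_lacks_value(header_value):
    """True when the value uses the Digest scheme and its first parameter
    has no '=' (or there are no parameters at all).  Other schemes return
    False: the check is only about the Digest shape the advisory names."""
    m = _DIGEST.match(header_value)
    if not m:
        return False
    items = split_params(m.group(1) or '')
    return not items or '=' not in items[0]


def digest_params(header_value):
    """Parse key=value parameters into a dict, dropping surrounding quotes.

    A key without '=' is skipped rather than given any value, so nothing
    stale can ever be reflected for it."""
    m = _DIGEST.match(header_value)
    if not m:
        return {}
    result = {}
    for item in split_params(m.group(1) or ''):
        key, sep, value = item.partition('=')
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        result[key.strip().lower()] = value
    return result
```

A reject rule built on `leading_key_lacks_value` refuses BAD and a bare "Digest" with no parameters, passes GOOD, and ignores OTHER entirely; `digest_params(BAD)` simply has no "username" entry.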


[Announcement] Apache HTTP Server 2.4.28 Released

2017-10-05 Thread William A Rowe Jr
 Apache HTTP Server 2.4.28 Released

October 5, 2017

The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.28 of the Apache
HTTP Server ("Apache").  This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
a security, feature, and bug fix release.

We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.4.28 is available for download from:

  http://httpd.apache.org/download.cgi

Apache 2.4 offers numerous enhancements, improvements, and performance
boosts over the 2.2 codebase.  For an overview of new features
introduced since 2.4 please see:

  http://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.4 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.4.28 includes only
those changes introduced since the prior 2.4 release.  A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:

  http://httpd.apache.org/security/vulnerabilities_24.html

Of particular note in this release is 1 SECURITY item:

  o SECURITY: CVE-2017-9798 (cve.mitre.org)
Corrupted or freed memory access.  or the
RegisterHttpMethod directive must be given in the startup
configuration (httpd.conf) to register non-standard HTTP methods
before listing them in .htaccess files.

This release requires the Apache Portable Runtime (APR), minimum
version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
require the 1.6.x version of both APR and APR-Util. The APR libraries
must be upgraded for all features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API.  Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.4, and require minimal or no source code changes.

  http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.

Please note that while the Apache HTTP Server Project may publish some
security patches to the 2.2.x flavor through at least December of 2017,
no further maintenance patches of 2.2.x will be considered and no further
releases will be distributed. The 2.2.x branch has now reached the end of
its maintenance, and users are strongly encouraged to promptly complete
their transitions to this 2.4.x flavor of httpd to benefit from security
and bug fixes, as well as new features.