RealTime IT News

Open Source Apache Server 2.0.x Updated for the Last Time

From the 'yum update/apt-get upgrade RIGHT NOW' files:

The Apache Software Foundation is out with a pair of important updates to its namesake Apache HTTP Server.

The new updates are the Apache 2.0.65 and Apache 2.2.25 releases. Of particular note, Apache 2.0.65 is the final release of the Apache 2.0.x line of the HTTP server.

Apache 2.0 was first released back in April of 2002, giving this open source web server platform an astonishing 11 years of support.

The final Apache 2.0.x release, 2.0.65, includes fixes for at least six security flaws. Those flaws include:

  • CVE-2013-1862 (cve.mitre.org)
    mod_rewrite: Ensure that client data written to the RewriteLog is
    escaped to prevent terminal escape sequences from entering the
    log file.
  • CVE-2012-0053 (cve.mitre.org)
    Fix an issue in error responses that could expose "httpOnly"
    cookies when no custom ErrorDocument is specified for status code
    400.
  • CVE-2012-0031 (cve.mitre.org)
    Fix scoreboard issue which could allow an unprivileged child
    process to cause the parent to crash at shutdown rather than
    terminate cleanly.
  • CVE-2011-3368 (cve.mitre.org)
    Reject requests where the request-URI does not match the HTTP
    specification, preventing unexpected expansion of target URLs in
    some reverse proxy configurations.
  • CVE-2011-3192 (cve.mitre.org)
    core: Fix handling of byte-range requests to use less memory, to
    avoid denial of service. If the sum of all ranges in a request is
    larger than the original file, ignore the ranges and send the
    complete file.
  • CVE-2011-3607 (cve.mitre.org)
    Fix integer overflow in ap_pregsub() which, when the mod_setenvif
    module is enabled, could allow local users to gain privileges via
    a .htaccess file.
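The CVE-2011-3192 rule in the list above (ignore the Range header when the requested ranges add up to more than the file) is easy to check in isolation. What follows is an added example written for this article, not code from the Apache project: a small Python model of that decision, run over constructed Range headers against a hypothetical 1000-byte file. The function names, the sample headers and the file length are assumptions.

```python
# Added example (not Apache's own code): the byte-range decision described
# for CVE-2011-3192, modelled in Python for a hypothetical file.
import re
from typing import List, Optional, Tuple

# Matches one byte-range-spec: "first-last", "first-" or "-suffix".
_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_ranges(range_header: str, file_length: int) -> Optional[List[Tuple[int, int]]]:
    """Parse a Range header value ("bytes=0-99,-100,500-") into inclusive
    (start, end) offsets clamped to the file. Returns None when the header is
    malformed or no range is satisfiable; the caller then serves the whole
    file as if no Range header had been sent."""
    if not range_header.lower().startswith("bytes="):
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in range_header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec)
        if not m:
            return None
        first, last = m.group(1), m.group(2)
        if first == "" and last == "":
            return None
        if first == "":
            # Suffix range "-N": the final N bytes of the file.
            n = int(last)
            if n == 0:
                continue
            start, end = max(0, file_length - n), file_length - 1
        else:
            start = int(first)
            if start >= file_length:
                continue  # unsatisfiable on its own; skip it
            end = file_length - 1 if last == "" else min(int(last), file_length - 1)
            if end < start:
                return None  # syntactically invalid range-spec
        ranges.append((start, end))
    return ranges or None


def should_honour_ranges(range_header: str, file_length: int) -> Tuple[bool, int]:
    """Apply the rule from the fix: add up the length of every requested range
    and honour the header (206 with a multipart body) only when that total is
    no larger than the file. Otherwise ignore the ranges and send the complete
    file, so a request full of overlapping ranges cannot make the server build
    a response many times bigger than the resource.

    Returns (honour, total_bytes_requested)."""
    ranges = parse_ranges(range_header, file_length)
    if ranges is None:
        return False, 0
    total = sum(end - start + 1 for start, end in ranges)
    return total <= file_length, total


# Constructed samples against a hypothetical 1000-byte file.
FILE_LENGTH = 1000
NORMAL_RANGE = "bytes=0-99,200-299"              # 200 bytes: honoured
ABUSIVE_RANGE = "bytes=" + ",".join(["0-"] * 5)  # 5 x 1000 bytes: ignored

if __name__ == "__main__":
    for header in (NORMAL_RANGE, ABUSIVE_RANGE):
        honour, total = should_honour_ranges(header, FILE_LENGTH)
        verdict = "206 with ranges" if honour else "200, whole file"
        print("%-40s total=%5d -> %s" % (header[:40], total, verdict))
```

Apache's released fix goes further than the one sentence quoted above: it also merges overlapping ranges, and from 2.2.21 on the MaxRanges directive (default 200) caps how many ranges a single request may carry, so a request built from hundreds of tiny ranges is refused even when their sum fits inside the file.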

Apache is also updating the Apache 2.2.x web server to version 2.2.25, fixing a pair of vulnerabilities:

  • CVE-2013-1896 (cve.mitre.org)
    mod_dav: Sending a MERGE request against a URI handled by
    mod_dav_svn with the source href (sent as part of the request body
    as XML) pointing to a URI that is not configured for DAV will
    trigger a segfault.
  • CVE-2013-1862 (cve.mitre.org)
    mod_rewrite: Ensure that client data written to the RewriteLog is
    escaped to prevent terminal escape sequences from entering the
    log file.
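CVE-2013-1862 appears in both the 2.0.65 and the 2.2.25 lists above: the fix escapes client-supplied data before it reaches the RewriteLog, so a crafted request URI can no longer plant terminal escape sequences that take effect when an administrator views the log with cat or tail. The following is an added example, not code from the Apache project: a Python escaper in the style of Apache's log-item escaping (control bytes and non-ASCII rendered as \xHH, backslash and double quote backslash-escaped), applied to a constructed rewrite-log line whose URI carries an ESC sequence. The function names, the simplified log line format and the sample URI are assumptions.

```python
# Added example: escape client-controlled data before it is written to a log,
# as the CVE-2013-1862 fix does for mod_rewrite's RewriteLog. Not Apache code.

# Single-character escapes, mirroring the usual C-style log convention.
_SIMPLE_ESCAPES = {
    "\b": "\\b", "\n": "\\n", "\r": "\\r", "\t": "\\t", "\v": "\\v",
    "\\": "\\\\", '"': '\\"',
}


def escape_logitem(item: str) -> str:
    """Return item with every byte outside printable ASCII rendered as \\xHH.

    ESC (0x1b) and BEL (0x07), the building blocks of terminal control
    sequences, therefore never reach the log file raw; a viewer such as
    tail -f or cat shows the literal text \\x1b instead of obeying it.
    """
    out = []
    for ch in item:
        if ch in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[ch])
        elif 0x20 <= ord(ch) < 0x7F:
            out.append(ch)
        else:
            # One \\xHH per byte so multi-byte UTF-8 stays unambiguous.
            out.extend("\\x%02x" % b for b in ch.encode("utf-8", "surrogateescape"))
    return "".join(out)


def rewritelog_line(client_ip: str, pattern: str, uri: str) -> str:
    """Format a simplified, hypothetical RewriteLog entry. Only the
    request-derived fields are escaped; the server-side pattern is trusted
    configuration and is logged as-is."""
    return "%s - - (3) applying pattern '%s' to uri '%s'" % (
        escape_logitem(client_ip), pattern, escape_logitem(uri))


# Constructed sample: a URI carrying ESC[2J (clear screen) and an OSC
# title-set sequence terminated by BEL, the kind of payload at issue.
SAMPLE_URI = "/index.php?x=\x1b[2J\x1b]0;pwned\x07"

if __name__ == "__main__":
    line = rewritelog_line("203.0.113.7", "^/(.*)$", SAMPLE_URI)
    print(line)
    print("raw ESC present:", "\x1b" in line)
```

The same treatment belongs on every field an attacker can influence (request line, Referer, User-Agent, and anything mod_rewrite derives from them); the server's own pattern strings are trusted configuration and are left readable.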

While Apache 2.2.x is likely more widely deployed at this point, the Apache 2.4.x branch is currently the leading edge of Apache Web Server production code. Apache 2.4.x is still relatively new, having first debuted in February 2012.

Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.
