RealTime IT News

DoS Holes Plugged in Apache 2.0

As part of a deliberate effort to be proactive about security updates, the Apache Software Foundation on Wednesday released a new version of the open-source Apache 2.0 HTTP Server to fix two potentially serious denial-of-service vulnerabilities.

The Foundation, which was burned in the past when a high-risk exploit was released on security mailing lists before a patch could be issued, released version 2.0.46 of the server on Wednesday but is withholding details of the security holes until users can apply the upgrade.


The ASF said Apache versions 2.0.37 through 2.0.45 can be caused to crash in certain circumstances through mod_dav and possibly other mechanisms, but that no further details would be provided until Friday, May 30.

Additionally, the Foundation said Apache versions 2.0.40 through 2.0.45 on Unix platforms were found to be vulnerable to a DoS attack on the basic authentication module. "A bug in the configuration scripts caused the apr_password_validate() function to be thread-unsafe on platforms with crypt_r(), including AIX and Linux," Apache explained.

The open source project, which is run by volunteers within the ASF, said all versions of Apache 2.0 contain the thread-safety problem on platforms with no crypt_r() and no thread-safe crypt(), such as Mac OS X and possibly others.

Latest statistics from Netcraft show Apache dominating the Web server market, with 63 percent, or 25 million sites, well ahead of server products from Microsoft, Zeus and Sun Microsystems.