The Apache project has released two new versions of its HTTP
server software, providing bug and security fixes for the primary
development branches, versions 1.3 and 2.0. Both releases address
buffer overflows in a pair of modules that redirect web clients to
alternate locations.
Under fairly complex configurations, mod_rewrite and mod_alias, the modules
that let administrators define rules under which requests for a URL matching
certain patterns are automatically redirected to another location, suffered
from buffer overflows. An overflow of this kind can crash the server or, in
the worst case, let an attacker compromise it. The vulnerability has been
assigned an identifier in the Common Vulnerabilities and Exposures (CVE)
database, but no further detail has been published yet, a common practice
that gives software developers and administrators time to patch critical
holes before information on how to exploit them is made public.
Apache 2.0.48 also includes a patch for a second vulnerability, this one
in mod_cgid, which could cause CGI output to be delivered to the wrong
client in certain circumstances. As with the other vulnerability, the bug
has a CVE entry but remains largely undocumented on the CVE Web site.
In addition to the security fixes, Apache 2.0.48, the newer of the
two development branches, includes numerous bug fixes but no new
features. A complete list of changes may be found in the project's
official release announcement.
Apache 1.3.29, the latest release on the project's older, more
Unix-oriented development line, does include one new feature among
its fixes: RFC 1413-compliant ident lookups on the Windows and NetWare
platforms, along with thread-safe timeout handling for servers that
query an ident daemon. Several other patches and changes are documented
in the server's official release announcement.
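The practical question for an administrator reading this is which of the servers under their care still run a version below 1.3.29 or 2.0.48. The following script is an added example, not code from the Apache project or from the release announcements: it parses the version token from `httpd -v` output or an HTTP `Server` header and compares it against the fixed versions named above, branch by branch, so that a 1.3.x host is judged against 1.3.29 and a 2.0.x host against 2.0.48. The banners in the sample list are constructed for the example, and the branch table is an assumption that only these two lines are covered; anything else is reported as unknown rather than guessed at.

```python
import re

# Fixed versions named in the release announcements covered by this article.
# Assumption: only the 1.3 and 2.0 branches are covered; any other branch
# (for example a 2.1 development snapshot) is reported as "unknown-branch".
FIXED_VERSIONS = {
    (1, 3): (1, 3, 29),
    (2, 0): (2, 0, 48),
}

# Matches the "Apache/x.y.z" token found in `httpd -v` output and in the
# Server response header.
_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(banner: str):
    """Return (major, minor, patch) from a banner, or None if no token is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def assess(banner: str) -> str:
    """Classify one banner.

    Returns one of:
      "patched"        - at or above the fixed release for its branch
      "vulnerable"     - below the fixed release for its branch
      "unknown-branch" - an Apache version on a branch not in FIXED_VERSIONS
      "unparsed"       - no Apache/x.y.z token found
    """
    version = parse_apache_version(banner)
    if version is None:
        return "unparsed"
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage(banners):
    """Run assess() over a list of banners; returns {banner: status}."""
    return {b: assess(b) for b in banners}


if __name__ == "__main__":
    # Constructed sample input for the example; not captured from real hosts.
    samples = [
        "Server version: Apache/2.0.47 (Unix)",
        "Server version: Apache/2.0.48 (Win32)",
        "Server: Apache/1.3.28 (Unix) mod_ssl/2.8.15",
        "Server: Apache/1.3.29 (Unix)",
        "Server: Apache/2.1.0-dev",
        "Server: nginx",
    ]
    for banner, status in triage(samples).items():
        print(f"{status:15} {banner}")
```

Two caveats apply when this is run against real hosts rather than the constructed samples: a `Server` header is only as trustworthy as the `ServerTokens` setting behind it (many sites deliberately truncate or alter it), so `httpd -v` on the host itself is the reliable source; and a vendor-packaged build may carry the fix as a backported patch without bumping the version number, in which case the package changelog, not the banner, is the authority.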
Both releases may be obtained from the Apache
Project’s download page.