The Apache Software Foundation has rushed out another update to the Apache 2.0 HTTP Server because of a significant denial-of-service vulnerability discovered and reported by security research firm iDefense.

An announcement from the Foundation warned that prior Apache 2.0 versions through 2.0.44 contained a serious DoS flaw. Details of the vulnerability have been embargoed until April 8, but the group wanted to issue a safe upgrade after an embarrassing incident last June, when a high-risk exploit was released on security mailing lists before a patch could be issued.

“No more specific information is disclosed at this time, but all Apache 2.0 users are encouraged to upgrade now,” the ASF said. The two security flaws affect all platforms.

That June exploit made the rounds on the popular Bugtraq list with the warning that the Apache exploit tool was “./friendly,” meaning anyone with basic scripting capabilities “should be able to run it without any trouble.” The release of the source code for the exploit added new fuel to the controversy over how the bug announcement was handled. The original warning was first reported by the ISS, causing friction between the security outfit and the Apache Foundation.

Apache officials were upset they weren’t first notified before the ISS issued its advisory and patch, a normal procedure when bugs are detected.

This time around, the Foundation is taking no chances, urging users to upgrade immediately before details are released in a week’s time.

The latest Apache 2.0.45 release (download here) also eliminates leaks of several file descriptors to child processes, such as CGI scripts, which could constitute a security threat on servers that run untrusted CGI scripts.

For OS2 users, Apache’s announcement contained an ominous warning that the 2.0.45 release would still contain the DoS vulnerability. The Foundation promised a fix for that flaw with an upcoming release of version 2.0.46 but insisted the DoS issues were “too important” to delay further.

Apache is an open-source Web server project developed and maintained by volunteers within the ASF. Latest statistics from Netcraft show Apache dominating the Web server market, with 63 percent, or nearly 24.5 million sites, well ahead of server products from Microsoft and Sun Microsystems.
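The file-descriptor leak that 2.0.45 closes is straightforward to reproduce and to check for in any server that spawns child processes. The Python 3 script below is an added example, not code from the article or from the Apache project; it assumes a POSIX system, stands a small probe program in for the untrusted CGI script, and shows both the per-descriptor fix (close-on-exec) and the spawner-side sweep that closes everything but stdio before exec.

```python
import os
import subprocess
import sys
import tempfile

# Constructed child program standing in for an untrusted CGI script: it reports
# whether the descriptor number passed on its command line is open in its process.
CHILD_PROBE = (
    "import os, sys\n"
    "fd = int(sys.argv[1])\n"
    "try:\n"
    "    os.fstat(fd)\n"
    "    print('open')\n"
    "except OSError:\n"
    "    print('closed')\n"
)


def child_sees_fd(inheritable: bool, close_fds: bool) -> bool:
    """Open a server-private file, spawn the probe child, and report whether
    the child inherited the descriptor.

    inheritable: True clears FD_CLOEXEC, so the descriptor survives exec and
                 leaks to the child (the bug class fixed in Apache 2.0.45).
    close_fds:   True makes the spawner close every non-standard descriptor
                 before exec, a defence that does not depend on per-fd flags.
    """
    with tempfile.NamedTemporaryFile(mode="w", delete=False) as tf:
        tf.write("server-private data, e.g. a log or config handle\n")  # constructed
        private_path = tf.name
    fd = os.open(private_path, os.O_RDONLY)  # non-inheritable by default (Python 3.4+)
    try:
        os.set_inheritable(fd, inheritable)
        result = subprocess.run(
            [sys.executable, "-c", CHILD_PROBE, str(fd)],
            close_fds=close_fds,
            capture_output=True,
            text=True,
            check=True,
        )
        return result.stdout.strip() == "open"
    finally:
        os.close(fd)
        os.unlink(private_path)


if __name__ == "__main__":
    print("leaky spawner (FD_CLOEXEC cleared, no sweep):", child_sees_fd(True, False))
    print("FD_CLOEXEC set on the descriptor:", child_sees_fd(False, False))
    print("spawner closes non-stdio fds before exec:", child_sees_fd(True, True))
```

Only the first case leaks; an audit of a real server can use the same probe as the CGI target and check which descriptor numbers it can fstat.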