Apache Rushes to Fix Serious DoS Hole

The Apache Software Foundation has rushed out another update to the Apache 2.0 HTTP Server because of a significant denial-of-service vulnerability discovered and reported by security research firm iDefense.

An announcement from the Foundation warned that all Apache 2.0 versions up to and including 2.0.44 contain a serious DoS flaw.

Details of the vulnerability have been embargoed until April 8, but the group wanted to issue a safe upgrade first, after an embarrassing incident last June, when a high-risk exploit was released on security mailing lists before a patch could be issued.

“No more specific information is disclosed at this time, but all Apache 2.0 users are encouraged to upgrade now,” the ASF said. The two security flaws affect all platforms.

That June exploit made the rounds on the popular Bugtraq list with the warning that the Apache exploit tool was “./friendly,” meaning anyone with basic scripting capabilities “should be able to run it without any trouble.” The release of the source code for the exploit added new fuel to the controversy over how the bug announcement was handled. The original warning was first reported by Internet Security Systems (ISS), causing friction between the security outfit and the Apache Foundation.

Apache officials were upset that they were not notified before ISS issued its advisory and patch; advance notification of the vendor is the normal procedure when bugs are detected.

This time around, the Foundation is taking no chances, urging users to upgrade immediately, before details are released in a week’s time.

The latest Apache 2.0.45 release also eliminates leaks of several file descriptors to child processes, such as CGI scripts. A script that inherits a descriptor can read or write whatever the server had open on it, with the server’s privileges, so the leak could constitute a security threat on servers that run untrusted CGI scripts.
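The following C program is an added illustration of the descriptor-leak class the release note describes; it is not Apache’s or APR’s code and does not reproduce the specific leaks fixed in 2.0.45. It assumes a POSIX system with /bin/sh: the write end of a pipe stands in for a descriptor the server holds privately (a log file or a listening socket), and a /bin/sh child stands in for an untrusted CGI script. Without FD_CLOEXEC the descriptor survives fork() and exec() and the child can write to it; with FD_CLOEXEC the kernel closes it at exec() time and the child’s redirection fails.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added illustration, not Apache/APR code. The pipe's write end stands in for
 * a server-private descriptor; the /bin/sh child stands in for a CGI script. */

/* Fork, exec /bin/sh, and have it try to write one byte to descriptor `fd`.
 * Returns 1 if the child could use the inherited descriptor (the leak),
 * 0 if the shell's redirection failed because exec closed it, -1 on error. */
static int child_can_write_fd(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "printf x >&%d", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                 /* exec failed: report "could not use it" */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* cloexec == 0 reproduces the leak: the child inherits the descriptor across
 * fork() and exec(). cloexec == 1 is the fix: FD_CLOEXEC makes the kernel
 * close it in the child at exec() time, so the script never sees it.
 * Returns 1 if the child could write to the server's descriptor, 0 if not. */
int cgi_child_sees_private_fd(int cloexec)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    if (cloexec && fcntl(p[1], F_SETFD, FD_CLOEXEC) < 0) {
        close(p[0]);
        close(p[1]);
        return -1;
    }

    int leaked = child_can_write_fd(p[1]);
    close(p[0]);
    close(p[1]);
    return leaked;
}

int main(void)
{
    printf("without FD_CLOEXEC: child can write server fd = %d\n",
           cgi_child_sees_private_fd(0));
    printf("with    FD_CLOEXEC: child can write server fd = %d\n",
           cgi_child_sees_private_fd(1));
    return 0;
}
```

Setting the flag with fcntl() after the fact leaves a window between creation and fcntl() in a multithreaded server; opening with O_CLOEXEC (or pipe2() with O_CLOEXEC on Linux) sets it atomically at creation time. The defensive alternative in the child, closing every descriptor above 2 before exec(), covers descriptors the server forgot to mark.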

For OS/2 users, Apache’s announcement contained an ominous warning: the 2.0.45 release on that platform still contains the DoS vulnerability. The Foundation promised a fix for OS/2 in an upcoming 2.0.46 release but insisted the DoS issues were “too important” to delay the release for everyone else.

Apache is an open-source Web server project developed and maintained by volunteers within the ASF. The latest statistics from Netcraft show Apache dominating the Web server market with 63 percent, or nearly 24.5 million sites, well ahead of server products from Microsoft and Sun Microsystems.
