DoS Holes Plugged in Apache 2.0

As part of a deliberate effort to be proactive about security updates, the
Apache Software Foundation on Wednesday released a new version of the
open-source Apache 2.0 HTTP Server to fix two potentially serious
denial-of-service vulnerabilities.

The Foundation, which was burned in the past when a high-risk exploit was
released on security mailing lists before a patch could be issued, released
version 2.0.46 of the server on Wednesday but is withholding details of the
security holes until users can apply the upgrade.

(Apache 2.0.46 is available for download here).

The ASF said Apache versions 2.0.37 through 2.0.45 can be caused to crash in
certain circumstances through mod_dav and possibly other mechanisms, but no
further details would be provided until Friday, May 30.

Additionally, the Foundation said Apache versions 2.0.40 through 2.0.45
on Unix platforms were found to be vulnerable to a DoS attack on the basic
authentication module. “A bug in the configuration scripts caused the
apr_password_validate() function to be thread-unsafe on platforms with
crypt_r(), including AIX and Linux,” Apache explained.

The open source project, which is run by volunteers within the ASF, said
all versions of Apache 2.0 contain the thread-safety problem on platforms
with no crypt_r() and no thread-safe crypt(), such as Mac OS X and possibly
others.
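The thread-safety problem described above comes down to where the hash result lives. crypt() writes into a single static buffer shared by every caller, so two threads (or, as shown deterministically below, two results held at the same time in one thread) overwrite each other's output; crypt_r() writes into a struct crypt_data that the caller owns, so each call has its own storage. The following C program is an added example and is not Apache or APR code: toy_crypt() and toy_crypt_r() are constructed stand-ins that mirror only that buffer-ownership difference (the digest is a toy FNV-1a, not a password hash), and the salt, passwords and function names are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example; not Apache or APR code. toy_crypt()/toy_crypt_r() are
 * constructed stand-ins for crypt()/crypt_r(): the digest is FNV-1a, which
 * is NOT a password hash, chosen only so the buffer-ownership difference
 * between the two interfaces can be shown offline.
 */

#define TOY_HASH_LEN 17 /* 16 hex digits plus terminating NUL */

/* Caller-owned state, the role that struct crypt_data plays for crypt_r(). */
struct toy_crypt_data {
    char output[TOY_HASH_LEN];
};

static uint64_t toy_digest(const char *password, const char *salt)
{
    uint64_t h = 0xcbf29ce484222325ULL;       /* FNV-1a 64-bit offset basis */
    for (const char *p = salt; *p; p++) {
        h ^= (unsigned char)*p;
        h *= 0x100000001b3ULL;                 /* FNV-1a 64-bit prime */
    }
    for (const char *p = password; *p; p++) {
        h ^= (unsigned char)*p;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Reentrant form: the result is written into memory the caller owns. */
const char *toy_crypt_r(const char *password, const char *salt,
                        struct toy_crypt_data *data)
{
    snprintf(data->output, sizeof data->output, "%016llx",
             (unsigned long long)toy_digest(password, salt));
    return data->output;
}

/* Non-reentrant form: one static buffer shared by every caller and every
 * thread. Shared static state is exactly what makes a password validator
 * built on plain crypt() unsafe under concurrent requests. */
const char *toy_crypt(const char *password, const char *salt)
{
    static struct toy_crypt_data shared;
    return toy_crypt_r(password, salt, &shared);
}

/* Hash two different passwords and report whether the hashes compare equal.
 * With the static-buffer API the second call overwrites the first result,
 * so h1 and h2 alias the same bytes and the comparison is meaningless. */
int hashes_equal_unsafe(const char *pw1, const char *pw2, const char *salt)
{
    const char *h1 = toy_crypt(pw1, salt);
    const char *h2 = toy_crypt(pw2, salt);  /* clobbers the bytes behind h1 */
    return strcmp(h1, h2) == 0;
}

int hashes_equal_safe(const char *pw1, const char *pw2, const char *salt)
{
    struct toy_crypt_data d1, d2;           /* separate storage per result */
    const char *h1 = toy_crypt_r(pw1, salt, &d1);
    const char *h2 = toy_crypt_r(pw2, salt, &d2);
    return strcmp(h1, h2) == 0;
}

/* Password check in the shape a thread-safe validator should take: the
 * stored hash string is the reference, the candidate is hashed into
 * caller-owned scratch storage, and no static state is touched. */
int validate_password(const char *candidate, const char *salt,
                      const char *stored_hash)
{
    struct toy_crypt_data scratch;
    const char *h = toy_crypt_r(candidate, salt, &scratch);
    return strcmp(h, stored_hash) == 0;
}

int main(void)
{
    const char *salt = "s4lt";                      /* constructed sample */
    printf("unsafe says equal: %d\n", hashes_equal_unsafe("alpha", "bravo", salt));
    printf("safe   says equal: %d\n", hashes_equal_safe("alpha", "bravo", salt));

    struct toy_crypt_data enrol;
    char stored[TOY_HASH_LEN];
    strcpy(stored, toy_crypt_r("alpha", salt, &enrol)); /* simulated enrolment */
    printf("alpha valid: %d\n", validate_password("alpha", salt, stored));
    printf("bravo valid: %d\n", validate_password("bravo", salt, stored));
    return 0;
}
```

The unsafe variant reports the two different passwords as having equal hashes because both pointers refer to the one static buffer; the reentrant variant, and the validator built on it, give correct answers because every result has its own storage. The same reasoning is why a platform with crypt_r() is only safe if the build actually detects and uses it, which is the configuration-script bug the advisory describes.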

Latest statistics from Netcraft show Apache dominating the Web server
market, with 63 percent, or 25 million sites, well ahead of server products
from Microsoft, Zeus and Sun Microsystems.
