The Apache Software Foundation on Monday released a new version of its
open-source Web server project to plug four potentially serious security
holes.
The latest update to the Apache 2.0 HTTP Server (version 2.0.47) is described
as a security and bug fix release to plug holes that could lead to
denial-of-service attacks
The Foundation warned that the SSLCipherSuite directive being used to
upgrade from a weak ciphersuite to a strong one could result in the weak
ciphersuite being used in place of the strong one. The previous Apache HTTP
Server version also contains a bug in the prefork MPM where certain errors
returned by accept() on rarely accessed ports could cause temporal
DoS.
Another DoS security vulnerability, caused when target host is IPv6, was
also patched. Apache explained that ftp proxy server can’t create IPv6
socket. The Apache Foundation also warned older versions of the server
would crash when going into an infinite loop because of too many subsequent
internal redirects and nested subrequests.
The Apache 2.0 HTTP Server project, which is developed and maintained by
volunteers, dominates the Web server market. At the end of June, Netcraft statistics found the Apache server commanding a 67
percent share (29 million sites) of the market, well ahead of competing
products from Microsoft and Sun Microsystems
.