From the ‘Why Are You Still Running 1.3.x?’ files:
Nearly two weeks ago, the Apache Software Foundation updated its namesake Apache HTTP webserver with new 2.0.65 and 2.2.25 releases.
What was noticeably absent was an update to the current leading edge, Apache 2.4.x.
That's no longer the case, as Apache has now released Apache 2.4.6.
The Apache 2.4.6 update includes two security updates, one of which (CVE-2013-1896) was patched two weeks ago in the 2.2.25 update. It's unclear to me why the leading edge of HTTP is two weeks behind a security patch of the non-leading edge, but it is a cause for concern.
SECURITY: CVE-2013-1896 (cve.mitre.org)
mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault.
In addition, the second fix is:
SECURITY: CVE-2013-2249 (cve.mitre.org)
mod_session_dbd: Make sure that dirty flag is respected when saving sessions, and ensure the session ID is changed each time the session changes. This changes the format of the updatesession SQL statement. Existing configurations must be changed.
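The "existing configurations must be changed" line is the part an administrator actually has to act on: because 2.4.6 rotates the session ID whenever the session content changes, the prepared UPDATE statement now has to receive the new key as well as the old one. The following mod_session_dbd fragment is an added example written for this article, not text from the Apache changelog; the statement wording follows the mod_session_dbd documentation as I know it, and the table name `session`, the SQLite path and the `/app` location are hypothetical, so check the statements against the documentation shipped with your own httpd version.

```apache
# Added example: mod_session_dbd configuration after the CVE-2013-2249 change.
# Module names are the standard httpd 2.4 ones; the database path is hypothetical.
LoadModule dbd_module          modules/mod_dbd.so
LoadModule session_module      modules/mod_session.so
LoadModule session_dbd_module  modules/mod_session_dbd.so

DBDriver sqlite3
DBDParams "/var/lib/httpd/sessions.db"

# Before 2.4.6 the update statement took only (value, expiry, key) and the
# session ID never changed once issued, roughly:
#   DBDPrepareSQL "update session set value = %s, expiry = %lld where key = %s" updatesession
# From 2.4.6 the server writes a fresh key on every change, so the statement
# must take (value, expiry, new key, old key). An unchanged old-style statement
# is a configuration error, which is why the changelog says existing
# configurations must be updated.
DBDPrepareSQL "delete from session where key = %s" deletesession
DBDPrepareSQL "update session set value = %s, expiry = %lld, key = %s where key = %s" updatesession
DBDPrepareSQL "insert into session (value, expiry, key) values (%s, %lld, %s)" insertsession
DBDPrepareSQL "select value from session where key = %s and (expiry = 0 or expiry > %lld)" selectsession
DBDPrepareSQL "delete from session where expiry != 0 and expiry < %lld" cleansession

<Location "/app">
    Session On
    # The cookie carries only the opaque session ID; the data stays server-side.
    SessionDBDCookieName session path=/;HttpOnly;Secure
    SessionMaxAge 3600
</Location>
```

The statement labels (`deletesession`, `updatesession`, `insertsession`, `selectsession`) are the defaults that mod_session_dbd looks up, so they must match exactly unless you also set the corresponding `SessionDBD*Label` directives. Rotating the ID on every change is the security point of the fix: a session identifier that stays constant across privilege changes is what makes session fixation practical, and the new statement is what makes the rotation possible at the storage layer.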
The Apache 2.4.6 update isn't just about security, though; it also adds the mod_macro module, which is intended to make configuration management easier.
According to Apache:
“This module provides macros within apache runtime configuration files. These macros have parameters. They are expanded when used (parameters are substituted by their values given as an argument), and the result is processed normally.”
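To make that description concrete, here is an added example of what a mod_macro definition and its expansion look like (my own illustration, not configuration taken from the Apache documentation or from the article). The macro name `HardenedVHost`, the hostnames and the filesystem paths are all hypothetical; the directives and the `<Macro>`, `Use` and `UndefMacro` syntax are those of mod_macro in httpd 2.4.

```apache
# Added example: one hardened virtual-host template, stamped out per site.
LoadModule macro_module modules/mod_macro.so

# Parameters begin with $ (or @); they are substituted textually at each Use.
<Macro HardenedVHost $host $port $root>
    <VirtualHost *:$port>
        ServerName $host
        DocumentRoot "$root"
        ErrorLog  "/var/log/httpd/$host.error.log"
        CustomLog "/var/log/httpd/$host.access.log" combined

        # Baseline that every site gets, defined exactly once:
        ServerSignature Off
        TraceEnable Off
        <Directory "$root">
            Options -Indexes -Includes -ExecCGI
            AllowOverride None
            Require all granted
        </Directory>
        <Directory "$root/private">
            Require all denied
        </Directory>
    </VirtualHost>
</Macro>

# Each Use expands the macro with these arguments, and the result is processed
# as if it had been written out in full at this point.
Use HardenedVHost www.example.com     80 "/var/www/www.example.com"
Use HardenedVHost staging.example.com 8080 "/var/www/staging.example.com"

# Once all sites are declared, drop the macro so a later stray Use is an error
# rather than a silent, unreviewed virtual host.
UndefMacro HardenedVHost
```

Because substitution is purely textual, avoid parameter names where one is a prefix of another (for example `$dir` and `$directory`), since the shorter name would match inside the longer one; mod_macro warns about this case. The practical security benefit is that the restrictive `<Directory>` blocks live in one place, so a new site cannot be added without them, and a change to the baseline is reviewed once rather than across every copy-pasted vhost.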
Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.