Latest Apache release fixes DOS vulnerability

[InfoSec News <isn () c4i org>]

http://www.nwfusion.com/news/2003/0403newapach.html

By Paul Roberts
IDG News Service
04/03/03

The latest release of Apache 2.0 fixes a number of security
vulnerabilities including an as-yet-undisclosed flaw that could be
used to launch a denial of service attack against machines running the
popular Web server, according to information released by the Apache
Software Foundation (ASF).

The new release, version 2.0.45, is intended "principally as a
security and bug fix release," according to the ASF.

First and foremost on the list of fixed vulnerabilities was a security
hole discovered by David Endler, director of Technical Intelligence at
security intelligence firm iDefense. Details on the vulnerability
discovered by Endler were not disclosed, but Apache 2.0 users were
encouraged to upgrade.

Endler will publish a report on the vulnerability on April 7,
according to the ASF.

Other, lower priority security leaks and bug fixes were also included
in the 2.0.45 release.

However, a known DOS vulnerability that affects those systems running
Apache on the OS/2 platform remains open. The latest Apache version
was "too important" to delay release until the OS/2 fix could be
included, the ASF said.

OS/2 users will have to wait for the release of 2.0.46 to get a fix
for that problem, the ASF said.

The decision by the ASF and iDefense to withhold information on a
major vulnerability for a week following the release of a patch stands
in contrast to prior revelations about security holes in the Apache
software.

In August, security company PivX Solutions released information on a
major vulnerability shortly after the ASF published a software patch
to fix the problem.

Users of all prior versions of Apache were encouraged to update to the
latest release.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.