Covalent Releases Information on Apache 2.0 Vulnerability

By ServerWatch Staff
Posted Aug 12, 2002


On August 9, 2002, the Apache Software Foundation issued a security advisory for non-Unix versions of Apache 2.0. Covalent announced that customers running any version of the following products are affected by this advisory:

Covalent Enterprise Ready Server 2.0-2.1.1 for Windows platforms (Windows 2000, Windows NT 4, Windows XP).

Covalent Fast Start Server 3.0-3.1.1 for Windows platforms.

According to the company, the vulnerability does not affect any Fast Start versions prior to 3.x and does not affect any UNIX/Linux platforms.

Identifiers: CAN-2002-0661
Additional information: httpd.apache.org
Affects: All released versions of 2.0 through 2.0.39
Fixed in: 2.0.40

The vulnerability, which was reported to and verified by the Apache Software Foundation, could allow an attacker to inflict serious damage on a server and reveal sensitive information. Covalent strongly recommends that all affected customers apply the solution to their Covalent Apache servers as soon as possible. A one-line addition to the Apache configuration file, httpsd.conf, closes the vulnerability.

Prior to the first 'Alias' or 'Redirect' directive, add the following directive to the global server configuration:

RedirectMatch 400 "\\\.\."
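
One way to verify the placement described above, as an added example (not code from Covalent or the Apache Software Foundation): this Python check reads the text of a configuration file and reports whether the workaround line sits at global scope ahead of the first Alias or Redirect directive. The function name check_workaround, the choice to count every mod_alias directive as an 'Alias' or 'Redirect' directive, and the sample configurations are assumptions of this example.

```python
WORKAROUND_ARGS = r'400 "\\\.\."'  # arguments exactly as the advisory prints them
# Assumption: every mod_alias directive counts as an 'Alias' or 'Redirect' directive.
MOD_ALIAS = {"alias", "aliasmatch", "scriptalias", "scriptaliasmatch",
             "redirect", "redirectmatch", "redirecttemp", "redirectpermanent"}

def check_workaround(conf_text):
    """Return (status, line_no); status is ok, missing, too_late or not_global."""
    depth = 0            # nesting level inside <Container> sections
    first_alias = None   # line of the first other mod_alias directive
    global_hit = None    # first workaround line at global scope
    nested_hit = None    # first workaround line inside a container
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth = max(depth - 1, 0)
        elif line.startswith("<"):
            depth += 1
        else:
            parts = line.split(None, 1)
            name = parts[0].lower()
            args = " ".join(parts[1].split()) if len(parts) > 1 else ""
            if name == "redirectmatch" and args == WORKAROUND_ARGS:
                if depth == 0 and global_hit is None:
                    global_hit = no
                elif depth > 0 and nested_hit is None:
                    nested_hit = no
            elif name in MOD_ALIAS and first_alias is None:
                first_alias = no
    if global_hit is None:
        return ("not_global", nested_hit) if nested_hit else ("missing", None)
    if first_alias is not None and first_alias < global_hit:
        return ("too_late", global_hit)
    return ("ok", global_hit)

# Constructed sample configurations (paths are placeholders).
GOOD = r'''ServerRoot "C:/example/server"
RedirectMatch 400 "\\\.\."
Alias /icons/ "C:/example/server/icons/"
'''
LATE = r'''Alias /icons/ "C:/example/server/icons/"
# workaround added after the first Alias
RedirectMatch 400 "\\\.\."
'''

if __name__ == "__main__":
    for label, conf in (("good", GOOD), ("late", LATE)):
        print(label, check_workaround(conf))
```

A result other than "ok" means the directive is absent, sits inside a container section, or follows an earlier Alias or Redirect directive.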

Fixes for this vulnerability are also included in Apache HTTP Server version 2.0.40. The 2.0.40 release also contains fixes for two minor path-revealing exposures. This release of Apache is available at http://www.apache.org/dist/httpd/

More information will be made available by the Apache Software Foundation and Auriemma Luigi in the coming weeks.
