Covalent Releases Information on Apache 2.0 Vulnerability
On August 9, 2002, the Apache Software Foundation issued a security advisory for non-Unix versions of Apache 2.0. Covalent announced that customers running any version of its following products are affected by this advisory.
Covalent Enterprise Ready Server 2.0-2.1.1 for Windows platforms (Windows 2000, Windows NT 4, Windows XP).
Covalent Fast Start Server 3.0-3.1.1 for Windows platforms.
According to the company, the vulnerability does not affect any Fast Start versions prior to 3.x, and does not affect any UNIX/LINUX platforms.
Additional information: httpd.apache.org
Affects: All released versions of 2.0 through 2.0.39
Fixed in: 2.0.40
The security vulnerability that was reported to and verified by the Apache Software Foundation allows an attacker to potentially inflict serious damage on a server, and reveal sensitive information. Covalent strongly recommends that all affected customers apply the solution to their Covalent Apache servers as soon as possible. A simple one-line addition to the Apache configuration file, httpsd.conf, closes the vulnerability.
Prior to the first 'Alias' or 'Redirect' directive, add the following directive to the global server configuration:
RedirectMatch 400 "\\\.\."
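As an added illustration (not part of the advisory or of Covalent's or Apache's own code), the Python below reproduces the match that the RedirectMatch directive performs and runs it over constructed access-log lines so an administrator can see which requests the directive would refuse with 400; the hosts, paths and log lines are made up for the example.

```python
import re
from urllib.parse import unquote

# Regex from the workaround directive, RedirectMatch 400 "\\\.\.":
# a literal backslash followed by two literal dots. On the non-Unix
# Apache 2.0 builds the backslash acted as a directory separator, so a
# "\.." sequence in the request path could walk out of the document root;
# answering 400 refuses any such request before the path is translated.
BACKSLASH_DOTDOT = re.compile(r"\\\.\.")

def redirectmatch_400(uri: str) -> bool:
    """True if the workaround directive would answer this (decoded) URI with 400."""
    return BACKSLASH_DOTDOT.search(uri) is not None

# Common Log Format: host ident user [time] "method path protocol" status bytes
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_traversal_probes(access_log: str) -> list:
    """Return (host, method, raw_path, status) for every log line whose request
    path contains "\.." after URL-decoding. The log stores the raw request line,
    so an encoded %5C.. is decoded here, as Apache decodes the URI before
    mod_alias evaluates RedirectMatch."""
    hits = []
    for line in access_log.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        host, method, path, status = m.groups()
        if redirectmatch_400(unquote(path)):
            hits.append((host, method, path, int(status)))
    return hits

# Constructed sample log (hypothetical hosts and paths, not real traffic).
# The second line shows the pre-fix outcome (200); the third shows the same
# probe, URL-encoded, refused by the directive (400).
SAMPLE_LOG = r"""
192.0.2.10 - - [10/Aug/2002:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234
192.0.2.44 - - [10/Aug/2002:12:00:05 +0000] "GET /\..\..\private\notes.txt HTTP/1.0" 200 512
192.0.2.44 - - [10/Aug/2002:12:00:09 +0000] "GET /docs/%5C..%5C..%5Cprivate%5Cnotes.txt HTTP/1.0" 400 0
192.0.2.10 - - [10/Aug/2002:12:00:12 +0000] "GET /docs/../index.html HTTP/1.1" 200 1234
"""

if __name__ == "__main__":
    for hit in find_traversal_probes(SAMPLE_LOG):
        print("request matching the \\.. pattern:", hit)
```

Note that the directive targets only the backslash form; forward-slash `..` segments (last sample line) are handled by Apache's ordinary path checks and are not matched here.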
Fixes for this vulnerability are also included in Apache HTTP server version 2.0.40. The 2.0.40 release also contains fixes for two minor path-revealing exposures. This release of Apache is available at http://www.apache.org/dist/httpd/
More information will be made available by the Apache Software Foundation and Auriemma Luigi