Newest Apache Release Fixes Yet Undisclosed Vulnerability
The Apache Software Foundation and The Apache HTTP Server Project have announced the eighth public release of the Apache 2.0 HTTP Server. According to the groups, this release is oriented around security patches and bug fixes, though a denial of service vulnerability in OS/2 versions of the software still requires a patch. The Apache Project has released version 2.0.45 of its Web server. Included are bug fixes and a security patch for a vulnerability the project won't report until next week.
One of the security patches in the new release is of potential interest: although the fix is included, the details of the vulnerability, a potential denial of service attack, won't be released by its discoverer until April 7, giving users enough time to update their installations first. The Common Vulnerability Exposure (CVE) database will include details at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132 once the vulnerability is fully announced.
The OS/2 source release also contains a denial of service vulnerability that the project will patch in version 2.0.46. The patch can be downloaded at http://cvs.apache.org/viewcvs/apr/file_io/os2/filestat.c.diff?r1=1.34&r2=1.35, and must be applied before building on OS/2. According to the project, the patch will already be applied to all OS/2 binaries released for Apache 2.0.45. CVE details on this vulnerability are available at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0134
Since the release of Apache 2.0.42, the project has made efforts to retain forward compatibility between releases so users deploying the 2.0 series can upgrade without changing configurations or updating DSO modules. According to the project, users of earlier releases will need to recompile all modules in order to upgrade to 2.0.42 or later versions.
A full list of changes is available from those pages.