Apache 2.0.46 Hits the 'Net and Fixes Two Vulnerabilities
The Apache Software Foundation and the Apache HTTP Server Project have announced the release of Apache 2.0.46, which the organizations describe as primarily a security and bug fix release. It patches two vulnerabilities: one that can cause the server to crash, and one that enables a denial-of-service attack that keeps users from authenticating.
In the release announcement, the organizations reported that "Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in certain circumstances. This can be triggered remotely through mod_dav and possibly other mechanisms." According to the announcement, specific information on the vulnerability will be published Friday, May 30. Though the organizations declined to provide further information, they did note that "all Apache 2.0 users are encouraged to upgrade now," and pointed to the Common Vulnerabilities and Exposures (CVE) page at mitre.org where the vulnerability can be tracked.
In addition, the announcement noted that "Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were vulnerable to a denial-of-service attack on the basic authentication module," which could "[allow] remote attackers to create a denial of service which causes valid usernames and passwords for Basic Authentication to fail until Apache is restarted. We do not believe this bug could allow unauthorized users to gain access to protected resources." The vulnerability also has a CVE page where it can be tracked.
As with releases since version 2.0.42 of the Apache Web server, this release is compatible with modules compiled for 2.0.42 and later versions.
Apache 2.0.46 is available for download from http://httpd.apache.org/download.cgi, where a more complete change log may also be found.