Apache Pushes Bug Fix, Security Releases Out the Door

Apache Pushes Bug Fix, Security Releases Out the Door


October 29, 2003

The Apache project has released two new versions of its HTTP server software, providing bug and security fixes for the primary development branches, versions 1.3 and 2.0. Both releases address problems in a pair of modules meant to handle redirecting web clients to alternate web pages.

Under fairly complex configurations, mod_rewrite and mod_alias, modules that allow administrators to create rules under which visitors to a URL matching certain characteristics are automatically redirected to an alternate location, suffered from buffer overflows, which can cause software to crash or compromise a server's security. The vulnerability has been identified in the Common Vulnerabilies and Exposures (CVE) database, but no further information has been provided yet, a common practice that allows software developers to patch critical holes before information on how to exploit them is made public.

Apache 2.0.48 includes a patch for a second vulnerability in its mod_cgid, which could result in CGI output being directed to the wrong client in certain circumstances. As with the other vulnerabillity, the bug has been identified but left largely undocumented by the CVE Web site.

In addition to the security fix, Apache 2.0.48, the newer of the two development branches, includes numerous bug fixes but no new features. A complete list of patches may be found in the project's official release announcement.

Apache 1.3.29, which represents the latest in the project's older, more Unix-oriented development line, does include one new feature among the patches, enabling RFC1413-compliant ident functionality for the Windows and NetWare platforms, as well as thread safe timeout functionality for servers querying an ident daemon. Several other patches and changes are documented in the server's official release announcement.

Both releases may be obtained from the Apache Project's download page.