[ISN] Apache group issues update, warns of security hole

From: InfoSec News (isnat_private)
Date: Thu May 29 2003 - 02:50:39 PDT

  • Next message: InfoSec News: "[ISN] Lipner Steps Down as Head of MSRC"

    http://www.nwfusion.com/news/2003/0528apachgroup.html
    
    By Paul Roberts
    IDG News Service, 
    05/28/03
    
    For the second time in as many months, the Apache Software Foundation
    (ASF) released an updated version of the popular open source Web
    server software, only to warn users of a critical security hole in
    previous versions of the software that the update patches.
    
    The new version of Apache, 2.0.46, was described as "principally a
    security and bug fix release" in a bulletin released by the open
    source organization Wednesday.
    
    Among those fixes is a patch for a security hole in the mod_dav module
    that could be exploited remotely, causing an Apache Web server process
    to crash, according to the bulletin.
    
    Mod_dav is an open source module that provides WebDAV (World Wide Web
    Distributed Authoring and Versioning) protocol support for the Apache
    Web server.
    
    WebDAV is a set of extensions to HTTP that allows users to edit and
    manage files on remote Web servers. The protocol is designed to create
    interoperable, collaborative applications that facilitate
    geographically-dispersed "virtual" software development teams.
    
    Few details were available regarding the mod_dav vulnerability, which
    was first discovered and reported to the Foundation by a researcher at
    security firm iDefense.
    
    Further details regarding the problem will be published on Friday, the
    bulletin said.
    
    In March, Microsoft released a patch for a security hole in a core
    Windows component used to handle an unchecked buffer in a Windows 2000
    component used to handle the WebDAV protocol. That flaw, which has
    already been exploited by hackers, could enable an attacker to cause a
    buffer overflow on the machine running Internet Information Server,
    according to the Microsoft Security bulletin MS03-007.
    
    A second fix is for a denial-of-service vulnerability affecting
    Apache's authentication module.
    
    By exploiting a bug in configuration scripts used by a function for
    password validation, attackers could launch remote denial of service
    attacks that would cause valid user names and passwords to be
    rejected, the bulletin said.
    
    The vulnerabilities affect versions of Apache ranging from 2.0.37 up
    to the most recent release, 2.0.45, which came out in April.
    
    That latest version was also released in response to a heretofore
    unknown critical security flaw which, like the mod_dav vulnerability,
    was discovered by iDefense and described in detail at a later date.
    
    As with its last software update, the Apache Software Foundation said
    that 2.0.46 was the "best version of Apache available" and recommended
    that users of prior Apache versions upgrade.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu May 29 2003 - 05:26:51 PDT