Apache 1.3.1 Released!

From: Aleph One (aleph1at_private)
Date: Thu Jul 23 1998 - 12:55:14 PDT


     ----- Forwarded message from Brian Behlendorf -----
    
    The Apache Group is pleased to announce the release of version 1.3.1
    of the Apache HTTP server.
    
    The changes in this release consist of UNIX portability fixes, Win32
    security issues, and assorted other minor features or fixes.
    
    WE URGE ALL USERS RUNNING ANY PREVIOUS VERSION OF APACHE ON WIN32
    TO UPGRADE IMMEDIATELY.
    
    Users on other platforms should review the CHANGES file and decide
    on their upgrade plans; the security issues apply only to Apache
    on Win32.  We consider Apache 1.3.1 to be the most stable version
    of Apache available.
    
    Apache 1.3.1 is available for download from
    
            http://www.apache.org/dist/
    
    Please see the CHANGES file in the same directory for a full list of
    changes.  The distribution is also available via any of the mirrors
    listed at
    
            http://www.apache.org/mirrors/
    
    For an overview of new features in 1.3 please see
    
            http://www.apache.org/docs/new_features_1_3.html
    
    In general, Apache 1.3 offers several substantial improvements
    over version 1.2, including better performance, reliability
    and a wider range of supported platforms, including Windows 95 and
    NT (which both fall under the "Win32" label).
    
    Apache is the most popular web-server in the known universe; over
    half of the servers on the Internet are running Apache or one of its
    variants.
    
    IMPORTANT NOTE FOR WIN32 USERS: Over the years, many users have
    come to trust Apache as a secure and stable server.  It must
    be realized that the current Win32 code has not yet reached these
    levels and should still be considered to be of beta quality.  Any
    Win32 stability or security problems do not impact, in any way,
    Apache on other platforms.  With the continued donation of time
    and resources by individuals and companies, we hope that the Win32
    version of Apache will grow stronger through the 1.3.x release
    cycle.
    
    Versions of Apache on Win32 prior to version 1.3.1 are vulnerable
    to a number of security holes common to several Win32 servers.
    The problems that impact Apache include:
    
            - trailing "."s are ignored by the file system.  This allowed
              certain types of access restrictions to be bypassed.
            - directory names of three or more dots (e.g. "...") are
              considered to be valid similar to "..".  This allowed people
              to gain access to files outside of the configured document
              trees.
    
    There have been at least four other similar instances of the same
    basic problem: on Win32, there is more than one name for a file.
    Some of these names are poorly documented or undocumented, and even
    Microsoft's own IIS has been vulnerable to many of these problems.
    This behavior of the Win32 file system and API makes it very difficult
    to ensure future security; problems of this type have been known
    about for years; however, each specific instance has been discovered
    individually.  It is unknown if there are other, yet unpublicized,
    filename variants.  As a result, we recommend that you use extreme
    caution when dealing with access restrictions on all Win32 web
    servers.
    
     ----- End of forwarded message from Brian Behlendorf -----
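
The two Win32 filename problems listed in the announcement, expressed as a request-path check a server could apply before touching the file system. This is an added example, not part of the original message and not the Apache Group's actual fix; the function and enum names are hypothetical, the sample paths are constructed, and it assumes ordinary "." and ".." segments were already resolved, so any dot-only segment still present is refused.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts for the hypothetical check below. */
enum seg_verdict { SEG_OK = 0, SEG_DOTS_ONLY, SEG_TRAILING_DOT };

/* Classify one path segment of length len starting at s. */
static enum seg_verdict check_segment(const char *s, size_t len)
{
    size_t dots = 0;

    if (len == 0)
        return SEG_OK;                 /* empty segment, e.g. leading '/' */
    while (dots < len && s[dots] == '.')
        dots++;
    if (dots == len)
        return SEG_DOTS_ONLY;          /* "...", "....": treated like ".." */
    if (s[len - 1] == '.')
        return SEG_TRAILING_DOT;       /* "name." opens the same file as "name" */
    return SEG_OK;
}

/* Walk every segment of a request path; return the first failing verdict.
 * Both '/' and '\\' are treated as separators, since Win32 accepts either. */
enum seg_verdict check_win32_path(const char *path)
{
    const char *p = path;

    while (*p) {
        size_t len = strcspn(p, "/\\");
        enum seg_verdict v = check_segment(p, len);
        if (v != SEG_OK)
            return v;
        p += len;
        if (*p)
            p++;                       /* skip the separator */
    }
    return SEG_OK;
}

int main(void)
{
    /* Constructed sample request paths. */
    const char *samples[] = { "/docs/index.html", "/protected./index.html",
                              "/docs/.../file", "/.htaccess" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s -> %d\n", samples[i], check_win32_path(samples[i]));
    return 0;
}
```

A check like this covers only the two variants named in the announcement; as the message notes, other filename aliases may exist.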
    


