The Apache Software Foundation has announced the release of version 2.0.47 of its popular web server. As usual, it encourages administrators to update their systems to this version. The encouragement is all the stronger this time because the included fixes close several known DoS attacks. More information about the changes can be found below, and Apache itself can be downloaded from the project's pages.

From striker@apache.org Wed Jul  9 19:00:55 2003
Date: Wed, 9 Jul 2003 14:01:31 +0200
From: Apache HTTP Server Project (striker@apache.org)
To: bugtraq@securityfocus.com
Subject: [ANNOUNCE][SECURITY] Apache 2.0.47 released

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                         Apache 2.0.47 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the tenth public release of the Apache 2.0
   HTTP Server.  This Announcement notes the significant changes in
   2.0.47 as compared to 2.0.46.

   This version of Apache is principally a security and bug fix release.
   A summary of the bug fixes is given at the end of this document.
   Of particular note is that 2.0.47 addresses four security
   vulnerabilities:

   Certain sequences of per-directory renegotiations and the SSLCipherSuite
   directive being used to upgrade from a weak ciphersuite to a strong one
   could result in the weak ciphersuite being used in place of the strong
   one.
   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0192]

   Certain errors returned by accept() on rarely accessed ports could cause
   temporal denial of service, due to a bug in the prefork MPM.
   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0253]

   Denial of service was caused when target host is IPv6 but ftp proxy
   server can't create IPv6 socket.
   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0254]

   The server would crash when going into an infinite loop due to too many
   subsequent internal redirects and nested subrequests.
   [VU#379828]

   The Apache Software Foundation would like to thank Saheed Akhtar and
   Yoshioka Tsuneo for the responsible reporting of two of these issues.

   This release is compatible with modules compiled for 2.0.42 and later
   versions.

   We consider this release to be the best version of Apache
   available and encourage users of all prior versions to upgrade.

   Apache 2.0.47 is available for download from

     http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.0 file, linked from the above page, for
   a full list of changes.

   Apache 2.0 offers numerous enhancements, improvements, and performance
   boosts over the 1.3 codebase.  For an overview of new features introduced
   after 1.3 please see

     http://httpd.apache.org/docs-2.0/new_features_2_0.html

   When upgrading or installing this version of Apache, please keep
   in mind the following:

   If you intend to use Apache with one of the threaded MPMs, you must
   ensure that the modules (and the libraries they depend on) that you
   will be using are thread-safe.  Please contact the vendors of these
   modules to obtain this information.

                         Apache 2.0.47 Major changes

   Security vulnerabilities closed since Apache 2.0.46

   *) SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
      of per-directory renegotiations and the SSLCipherSuite directive
      being used to upgrade from a weak ciphersuite to a strong one
      could result in the weak ciphersuite being used in place of the
      strong one.  [Ben Laurie]

   *) SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing
      temporary denial of service when accept() on a rarely accessed port
      returns certain errors.  Reported by Saheed Akhtar
      (S.Akhtar@talis.com).  [Jeff Trawick]

   *) SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial
      of service when target host is IPv6 but proxy server can't create
      IPv6 socket.  Fixed by the reporter.  [Yoshioka Tsuneo
      (tsuneo.yoshioka@f-secure.com)]

   *) SECURITY [VU#379828] Prevent the server from crashing when entering
      infinite loops.  The new LimitInternalRecursion directive configures
      limits of subsequent internal redirects and nested subrequests, after
      which the request will be aborted.  PR 19753 (and probably others).
      [William Rowe, Jeff Trawick, André Malo]

   Bugs fixed and features added since Apache 2.0.46

   *) core_output_filter: don't split the brigade after a FLUSH bucket if
      it's the last bucket.  This prevents creating unnecessary empty
      brigades which may not be destroyed until the end of a keepalive
      connection.
      [Juan Rivera (Juan.Rivera@citrix.com)]

   *) Add support for "streamy" PROPFIND responses.
      [Ben Collins-Sussman (sussman@collab.net)]

   *) mod_cgid: Eliminate a double-close of a socket.  This resolves
      various operational problems in a threaded MPM, since on the
      second attempt to close the socket, the same descriptor was
      often already in use by another thread for another purpose.
      [Jeff Trawick]

   *) mod_negotiation: Introduce "prefer-language" environment variable,
      which allows influencing the negotiation process on a per-request
      basis to prefer a certain language.  [André Malo]

   *) Make mod_expires' ExpiresByType work properly, including for
      dynamically-generated documents.  [Ken Coar, Bill Stoddard]
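The VU#379828 entry above introduces LimitInternalRecursion but does not show it in use. The httpd.conf fragment below is an added example, not part of the announcement or of the Apache project's own documentation: it places a loop-prone mod_rewrite front-controller rule next to its terminating form and bounds both with the new directive; the host name and paths are constructed.

```apache
# Added example, not from the announcement. Host name and paths are constructed.
# LimitInternalRecursion exists only in Apache 2.0.47 and later.

# Server-wide safety net: abort a request after 10 consecutive internal
# redirects or 10 levels of nested subrequests (both values default to 10).
# Before 2.0.47 an unbounded chain like the one below could crash the child
# process (VU#379828); from 2.0.47 the request is aborted with a 500 and an
# error-log entry that names this directive.
LimitInternalRecursion 10 10

<VirtualHost *:80>
    ServerName www.example.test
    DocumentRoot /var/www/example

    # Rewrites in a <Directory> (or .htaccess) context are applied via an
    # internal redirect, and the redirected request re-enters this block.
    <Directory /var/www/example>
        Options FollowSymLinks
        RewriteEngine On

        # Loop-prone front-controller rule: the rewritten URI /index.php
        # matches the pattern again on every pass, so each internal redirect
        # triggers the next one until LimitInternalRecursion stops the chain.
        # Kept commented out; uncomment only to observe the limit taking effect.
        # RewriteRule ^(.*)$ index.php?path=$1 [L]

        # Terminating form: pass existing files and directories untouched and
        # never rewrite the front controller itself, so the chain ends after
        # exactly one internal redirect.
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteCond %{REQUEST_URI} !^/index\.php$
        RewriteRule ^(.*)$ index.php?path=$1 [L]
    </Directory>
</VirtualHost>
```

On a 2.0.47 server the commented-out rule produces a 500 response and an error-log line after the tenth internal redirect instead of a crashed child process, which is the symptom to look for when auditing rewrite rules on older 2.0.x installs.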

Archival news item added by user: honey.