Apache HTTP Server 2.2.3 Released
The Apache Software Foundation and The Apache HTTP Server
Project are
pleased to announce the release of version 2.2.3 of the
Apache HTTP Server
("Apache").
This version of Apache is principally a bug and security fix
release. The
following potential security flaws are addressed;
CVE-2006-3747: An off-by-one flaw exists in the Rewrite
module,
mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0
since 2.0.46,
and 2.2 since 2.2.0.
Depending on the manner in which Apache HTTP Server was
compiled, this
software defect may result in a vulnerability which, in
combination with
certain types of Rewrite rules in the web server
configuration files,
could be triggered remotely. For vulnerable builds, the
nature of the
vulnerability can be denial of service (crashing of web
server processes)
or potentially allow arbitrary code execution. This issue
has been rated
as having important security impact by the Apache HTTP
Server Security
Team.
This flaw does not affect a default installation of Apache
HTTP Server.
Users who do not use, or have not enabled, the Rewrite
module mod_rewrite
are not affected by this issue. This issue only affects
installations
using a Rewrite rule with the following characteristics:
* The RewriteRule allows the attacker to control the
initial part of the
rewritten URL (for example if the substitution URL
starts with $1)
* The RewriteRule flags do NOT include any of the
following flags:
Forbidden (F), Gone (G), or NoEscape (NE).
Please note that ability to exploit this issue is dependent
on the stack
layout for a particular compiled version of mod_rewrite. If
the compiler
used to compile Apache HTTP Server has added padding to the
stack
immediately after the buffer being overwritten, it will not
be possible to
exploit this issue, and Apache HTTP Server will continue
operating
normally.
The Apache HTTP Server project recommends that all users who
have built
Apache from source apply the patch or upgrade to the latest
level and
rebuild. Providers of Apache-based web servers in
pre-compiled form will
be able to determine if this vulnerability applies to their
builds. That
determination has no bearing on any other builds of Apache
HTTP Server,
and Apache HTTP Server users are urged to exercise caution
and apply
patches or upgrade unless they have specific instructions
from the
provider of their web server. Statements from vendors can be
obtained from
the US-CERT vulnerability note for this issue at:
http://www.kb.c
ert.org/vuls/id/395412
The Apache HTTP Server project thanks Mark Dowd of McAfee
Avert Labs for
the responsible reporting of this vulnerability.
We consider this release to be the best version of Apache
available, and
encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.3 is available for download from:
http://httpd.apa
che.org/download.cgi
Apache 2.2 offers numerous enhancements, improvements, and
performance
boosts over the 2.0 codebase. For an overview of new
features introduced
since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html
Please see the CHANGES_2.2 file, linked from the download
page, for a full
list of changes.
Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are
also available
with this security fix. See the appropriate CHANGES from the
url above.
The Apache HTTP Project developers strongly encourage all
users to
migrate to Apache 2.2, as only limited maintenance is
performed on these
legacy versions.
This release includes the Apache Portable Runtime (APR)
version 1.2.7
bundled with the tar and zip distributions. The APR
libraries libapr,
libaprutil, and (on Win32) libapriconv must all be updated
to ensure
binary compatibility and address many known platform bugs.
This release builds on and extends the Apache 2.0 API.
Modules written for
Apache 2.0 will need to be recompiled in order to run with
Apache 2.2, but
no substantial reworking should be necessary.
http://svn.apache.org/repos/asf/httpd/httpd
/branches/2.2.x/VERSIONING
When upgrading or installing this version of Apache, please
bear in mind
that if you intend to use Apache with one of the threaded
MPMs, you must
ensure that any modules you will be using (and the libraries
they depend
on) are thread-safe.
|