Monday, 31 July 2006
Apache HTTP Server 2.2.3 Released |
| |
|
| |
The Apache HTTP Server Project has released version 2.2.3 of the Apache HTTP Server. It is a bug and security fix release as it fixes a security vulnerability in mod_rewrite. Depending on the manner in which Apache HTTP Server was compiled, the software defect may result in a vulnerability, which, in combination with certain types of 'Rewrite' rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service crashing of web server processes or potentially allow arbitrary code execution.
This flaw does not affect a default installation of Apache HTTP Server. The issue only affects installations using a Rewrite rule with the following characteristics:
- The 'RewriteRule' allows the attacker to control the initial part of the rewritten URL
- The 'RewriteRule' flags do not include flags like 'Forbidden (F)', 'Gone (G)', or 'NoEscape (NE)'
The Apache HTTP Server project recommends that all users who have built Apache from source apply the patch or upgrade to the latest level and rebuild. Providers of Apache-based web servers in pre-compiled form will be able to determine if the vulnerability applies to their builds. The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
|
| |
|
|
| |
|
|
| |
|
|
| |
|
