Security holes in Apache HTTP Server

The open-source Apache Software Foundation has shipped a new version of its flagship Apache HTTP Server to fix several security vulnerabilities.

The new Apache 2.2.17 contains patches for security holes that could lead to denial-of-service attacks, according to an advisory.

Here's the skinny on the vulnerabilities:


  • A buffer over-read flaw was found in the bundled expat library. An attacker who is able to get Apache to parse an untrusted XML document (for example through mod_dav) may be able to cause a crash. This crash would only be a denial of service if using the worker MPM.
  • A flaw was found in the apr_brigade_split_line() function of the bundled APR-util library, used to process non-SSL requests. A remote attacker could send requests, carefully crafting the timing of individual bytes, which would slowly consume memory, potentially leading to a denial of service.

The patched Apache HTTP Server 2.2.17 is available for download here.
