Security holes in Apache HTTP Server

Summary: The open-source Apache Software Foundation has shipped a new version of its flagship Apache HTTP Server to fix several security vulnerabilities.

The open-source Apache Software Foundation has shipped a new version of its flagship Apache HTTP Server to fix several security vulnerabilities.

The new Apache 2.2.17 contains patches for security holes that could lead to denial-of-service attacks, according to an advisory.

Here's the skinny on the vulnerabilities:

  • A buffer over-read flaw was found in the bundled expat library. An attacker who is able to get Apache to parse an untrusted XML document (for example through mod_dav) may be able to cause a crash. This crash would only be a denial of service if using the worker MPM.
  • A flaw was found in the apr_brigade_split_line() function of the bundled APR-util library, used to process non-SSL requests. A remote attacker could send requests, carefully crafting the timing of individual bytes, which would slowly consume memory, potentially leading to a denial of service.

The patched Apache HTTP Server 2.2.17 is available for download here.

Talkback

9 comments
  • RE: Security holes in Apache HTTP Server

    Being the #1 HTTP Web Server is a target.
    Apache found the problem and issued a fix.

    Riding with Penguins in a World of Glass and Fruit.
    Hooay!
    daikon
    • Open Source many eyes

      @Linux Rocks

      Obviously open source failed. And continues to fail. Apache is racking up vuln after vuln. The 2.2.x strain is already at 38, Microsoft's IIS7 has experienced a measly 5 vulns. And IIS7 is also an application server - which Apache is not.
      honeymonster
      • RE: Security holes in Apache HTTP Server

        @honeymonster

        Vulnerabilities, but no known exploits to go with them.

        Epic fail for you, shill.
        ahh so
    • If, if then maybe possibly

      "IF" is a crucial word in each case and so is the idea that an attacker "might be able to ..." if all the ifs line up tidily.
      Tom6
  • Nice try, Lovey my mistake Honey.

    Measly 5, 5 is not zero. I would say that is a failure.
    If you can't dazzle em with Brilliance, baffle em with bull puckey.

    Riding with Penguins in a World of Glass and Fruit.
    Hooay!
    daikon
    • RE: Security holes in Apache HTTP Server

      @Linux Rocks Agree... and the Open Source vulnerabilities are quickly addressed and fixed. Can someone say the same about the Glass? Finding 5 does not mean all were found...
      FuzzyIce
  • RE: Security holes in Apache HTTP Server

    As Linux Rocks points out, being #1 server is to attract the most detractors, issues have been found and fixed so it's not really a crisis situation!
    minimallinux
    • RE: Security holes in Apache HTTP Server

      @Terminator3000
      The fix is there if all the admins update.
      No software/OS/Web server is 100% perfect. You do whatever you can to try and get to that 100%.

      Used to be you could use a bolt cutter to cut a lock, now you have locks that a standard bolt cutter can not cut. If you don't have a key the lock will not open, until you find a better lock cutter or get the key.

      Riding with Penguins in a World of Glass and fruit.
      Hooay!
      daikon
  • RE: Security holes in Apache HTTP Server

    @Linux Rocks
    You also forgot to mention how many updates have been to the .net libraries!

    I am a programmer and I ask you this: show me one application software out there that has no bugs in it.
    Pro Covers FX