ie8 fix
madison

Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev
Home / News & Blogs / Zero Day

Security holes in Apache HTTP Server

By | October 20, 2010, 6:58am PDT

Summary: The open-source Apache Software Foundation has shipped a new version of its flagship Apache HTTP Server to fix several security vulnerabilities.

The open-source Apache Software Foundation has shipped a new version of its flagship Apache HTTP
Server to fix several security vulnerabilities.

The new Apache 2.2.17 contains patches for security holes that could lead to denial-of-service attacks, according to an advisory.

Here’s the skinny on the vulnerabilities:follow Ryan Naraine on twitter

  • A buffer over-read flaw was found in the bundled expat library. An attacker who is able to get Apache to parse an untrused XML document (for example through mod_dav) may be able to cause a crash. This crash would only be a denial of service if using the worker MPM.
  • A buffer over-read flaw was found in the bundled expat library. An attacker who is able to get Apache to parse an untrused XML document (for example through mod_dav) may be able to cause a crash. This crash would only be a denial of service if using the worker MPM.
  • A flaw was found in the apr_brigade_split_line() function of the bundled APR-util library, used to process non-SSL requests. A remote attacker could send requests, carefully crafting the timing of individual bytes, which would slowly consume memory, potentially leading to a denial of service.

The patched Apache HTTP Server 2.2.17 is available for download here.

ALSO SEE:

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Apache Software Foundation, Apache Web Server, Apache HTTP Server 2.2.17, Open Source, Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

10
Comments
Add Your Opinion

Join the conversation!

Just In

RE: Security holes in Apache HTTP Server
lovedong 13th Sep
beautiful post, torwhore! wink replica watches
View in thread
0 Votes
+ -
RE: Security holes in Apache HTTP Server
daikon 20th Oct 2010
Being the #1 HTTP Web Server is a target.
Apache found the problem and issued a fix.

Riding with Penguins in a World of Glass and Fruit.
Hooay!
0 Votes
+ -
Open Source many eyes
honeymonster 20th Oct 2010
@Linux Rocks

Obviously open source failed. And continues to fail. Apache is raking up vuln after vuln. The 2.2.x strain is already at 38, Microsofts IIS7 has experienced a measly 5 vulns. And IIS7 is also an application server - which Apache is not.
0 Votes
+ -
RE: Security holes in Apache HTTP Server
ahh so 20th Oct 2010
@honeymonster

Vunerabilities, but no known exploits to go with them.

Epic fail for you, shill.
0 Votes
+ -
If, if then maybe possibly
Tom6 Updated - 20th Oct 2010
"IF" is a crucial word in each case and so is the idea that an attacker "might be able to ..." if all the ifs line up tidily.
0 Votes
+ -
RE: Security holes in Apache HTTP Server
lovedong 13th Sep
beautiful post, torwhore! wink replica watches
0 Votes
+ -
Nice try, Lovey my mistake Honey.
daikon 20th Oct 2010
Measly 5, 5 is not zero. I would say that is a failure.
If you can't dazzle em with Brilliance, baffle em with bull puckey.

Riding with Penguins in a World or Glass and Fruit.
Hooay!
0 Votes
+ -
RE: Security holes in Apache HTTP Server
FuzzyIce 20th Oct 2010
@Linux Rocks Agree... and the Open Source vulnerabilities are quickly addressed and fixed. Can someone say the same about the Glass? Finding 5 does not mean all were found...
0 Votes
+ -
RE: Security holes in Apache HTTP Server
Terminator3000 20th Oct 2010
As Linux Rocks points out , being #1 server is to attract the most detractors, issues have been found and fixed so it's not really a crisis situation!
0 Votes
+ -
RE: Security holes in Apache HTTP Server
daikon 20th Oct 2010
@Terminator3000
The fix is there if all the admins update.
No software/OS/Web server is 100% perfect. You do what ever you can to try and get to that 100%.

Used to be you could use a bolt cutter to cut a lock, now you have locks that a standard bolt cutter can not cut. If you don't have a key the lock will not open, until you find a better lock cutter or get the key.

Riding with Penguins in a World of Glass and fruit.
Hooay!
0 Votes
+ -
RE: Security holes in Apache HTTP Server
Pro Covers FX 20th Oct 2010
@Linux Rocks
You also forgot to mention how many updates have been to the .net libraries!

I am a programmer and I ask you this show me one application software out there that has no bugs in it.

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix