From the ‘yum-update/apt-get upgrade RIGHT NOW’ files:
The Apache Software Foundation is out with a pair of important updates to its namesake Apache HTTP Server.
The new updates are the Apache 2.0.65 and Apache 2.2.25 releases. Of particular note is the fact that the Apache 2.0.65 release is the final release of the Apache 2.0.x line of HTTP server.
Apache 2.0 was first released back in April of 2002, giving this open source web server platform an astonishing 11 years of support.
The final Apache 2.0.x release is number 2.0.65 and includes fixes for at least six security flaws. Those flaws include:
- CVE-2013-1862 (cve.mitre.org): mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file.
- CVE-2012-0053 (cve.mitre.org): Fix an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400.
- CVE-2012-0031 (cve.mitre.org): Fix scoreboard issue which could allow an unprivileged child process to cause the parent to crash at shutdown rather than terminate cleanly.
- CVE-2011-3368 (cve.mitre.org): Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations.
- CVE-2011-3192 (cve.mitre.org): core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file.
- CVE-2011-3607 (cve.mitre.org): Fix integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file.
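To make the CVE-2011-3192 rule concrete, here is a small Python illustration of the "sum of all ranges" check: it parses a `Range: bytes=...` header against a file size and falls back to sending the whole file when the requested ranges add up to more than the file. This is added example code, not Apache's implementation; the function names and the sample header are constructed for illustration.

```python
import re

# One range-spec inside "bytes=...": "first-last", "first-" or "-suffix".
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header_value, file_size):
    """Resolve a Range header into inclusive (start, end) pairs.

    Returns None when the header is malformed; unsatisfiable specs are skipped.
    """
    if not header_value.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header_value[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":
            n = int(last)                      # suffix range: last n bytes
            if n == 0:
                continue
            start, end = max(0, file_size - n), file_size - 1
        else:
            start = int(first)
            end = file_size - 1 if last == "" else min(int(last), file_size - 1)
        if start > end or start >= file_size:
            continue                           # unsatisfiable, ignore it
        ranges.append((start, end))
    return ranges


def plan_response(header_value, file_size):
    """Return ("partial", ranges) or ("full", None), applying the 2.0.65 rule."""
    ranges = parse_byte_ranges(header_value, file_size)
    if not ranges:
        return ("full", None)
    total = sum(end - start + 1 for start, end in ranges)
    # The fix described in the changelog: ranges that together exceed the
    # file itself are ignored and the complete file is sent instead.
    if total > file_size:
        return ("full", None)
    return ("partial", ranges)


# Constructed sample: overlapping ranges whose total far exceeds the file.
OVERSIZED_RANGE = "bytes=" + ",".join(["0-"] * 20)
```

Calling `plan_response(OVERSIZED_RANGE, 1000)` yields `("full", None)`, while an ordinary request such as `bytes=0-99,200-299` is still served as a partial response.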
Apache is also updating its new Apache 2.2.x web server to version 2.2.25 for a pair of vulnerabilities including:
- SECURITY: CVE-2013-1896 (cve.mitre.org): mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault.
- SECURITY: CVE-2013-1862 (cve.mitre.org): mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file.
While Apache 2.2.x is likely more widely deployed at this point, the Apache 2.4.x branch is currently the leading edge of Apache Web Server production code. Apache 2.4.x is still relatively new, having first debuted in February of 2012.
Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.