Posted to announce@httpd.apache.org by "William A. Rowe, Jr." <wr...@apache.org> on 2006/07/28 16:44:41 UTC

[Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released

                    Apache HTTP Server 2.2.3 Released

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 2.2.3 of the Apache HTTP Server
("Apache").

This version of Apache is principally a bug and security fix release. The
following potential security flaws are addressed:

   CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
   mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
   and 2.2 since 2.2.0.

Depending on the manner in which Apache HTTP Server was compiled, this
software defect may result in a vulnerability which, in combination with
certain types of Rewrite rules in the web server configuration files,
could be triggered remotely. For vulnerable builds, the nature of the
vulnerability can be denial of service (crashing of web server processes)
or potentially allow arbitrary code execution. This issue has been rated
as having important security impact by the Apache HTTP Server Security
Team.

This flaw does not affect a default installation of Apache HTTP Server.
Users who do not use, or have not enabled, the Rewrite module mod_rewrite
are not affected by this issue. This issue only affects installations
using a Rewrite rule with the following characteristics:

  * The RewriteRule allows the attacker to control the initial part of the
    rewritten URL (for example if the substitution URL starts with $1)
  * The RewriteRule flags do NOT include any of the following flags:
    Forbidden (F), Gone (G), or NoEscape (NE).

Please note that ability to exploit this issue is dependent on the stack
layout for a particular compiled version of mod_rewrite. If the compiler
used to compile Apache HTTP Server has added padding to the stack
immediately after the buffer being overwritten, it will not be possible to
exploit this issue, and Apache HTTP Server will continue operating
normally.

The Apache HTTP Server project recommends that all users who have built
Apache from source apply the patch or upgrade to the latest level and
rebuild. Providers of Apache-based web servers in pre-compiled form will
be able to determine if this vulnerability applies to their builds. That
determination has no bearing on any other builds of Apache HTTP Server,
and Apache HTTP Server users are urged to exercise caution and apply
patches or upgrade unless they have specific instructions from the
provider of their web server. Statements from vendors can be obtained from
the US-CERT vulnerability note for this issue at:

     http://www.kb.cert.org/vuls/id/395412

The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for
the responsible reporting of this vulnerability.

We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.3 is available for download from:

     http://httpd.apache.org/download.cgi

Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features introduced
since 2.0 please see:

     http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page, for a full
list of changes.

Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also available
with this security fix. See the appropriate CHANGES from the url above.
The Apache HTTP Project developers strongly encourage all users to
migrate to Apache 2.2, as only limited maintenance is performed on these
legacy versions.

This release includes the Apache Portable Runtime (APR) version 1.2.7
bundled with the tar and zip distributions. The APR libraries libapr,
libaprutil, and (on Win32) libapriconv must all be updated to ensure
binary compatibility and address many known platform bugs.

This release builds on and extends the Apache 2.0 API. Modules written for
Apache 2.0 will need to be recompiled in order to run with Apache 2.2, but
no substantial reworking should be necessary.

     http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs, you must
ensure that any modules you will be using (and the libraries they depend
on) are thread-safe.
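As an added example (not part of the announcement and not httpd project code), the following Python script audits an Apache configuration for RewriteRule directives with the two characteristics listed above: a substitution whose leading characters come from a backreference, and a flag list that contains none of F, G or NE. It goes slightly beyond the "$1" example in the text by also treating a leading RewriteCond backreference (%1..%9) as attacker-influenced, which is an assumption of this script rather than a statement from the announcement. The sample configuration is constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Flags the announcement names as removing exposure: Forbidden (F), Gone (G),
# NoEscape (NE). Long and short spellings are accepted, case-insensitively.
SAFE_FLAGS = {"f", "forbidden", "g", "gone", "ne", "noescape"}

# One RewriteRule argument: either a double-quoted string or a bare token.
_ARG = r'("[^"]*"|\S+)'
RULE_RE = re.compile(
    r'^\s*RewriteRule\s+' + _ARG + r'\s+' + _ARG + r'(?:\s+\[([^\]]*)\])?\s*$',
    re.IGNORECASE,
)
# Substitution starting with a capture group ($1..$9) or, as an assumption
# beyond the announcement's "$1" example, a RewriteCond backreference (%1..%9).
LEADS_WITH_BACKREF = re.compile(r'^"?[$%][1-9]')


@dataclass
class Finding:
    lineno: int
    substitution: str
    flags: List[str]


def parse_flags(raw: Optional[str]) -> List[str]:
    """Split '[R=301,L]' contents into lower-cased flag names without values."""
    if not raw:
        return []
    return [f.strip().split("=", 1)[0].lower() for f in raw.split(",") if f.strip()]


def audit_rewrite_rules(config_text: str) -> List[Finding]:
    """Return RewriteRule lines matching both characteristics from the advisory.

    Only single-line directives are handled; backslash continuation lines and
    RewriteRule directives inside .htaccess files are out of scope here.
    """
    findings: List[Finding] = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        _pattern, subst, raw_flags = m.groups()
        flags = parse_flags(raw_flags)
        if not LEADS_WITH_BACKREF.match(subst):
            continue  # rewritten URL starts with a fixed prefix
        if SAFE_FLAGS.intersection(flags):
            continue  # F, G or NE present
        findings.append(Finding(lineno, subst, flags))
    return findings


# Constructed sample configuration covering the cases the announcement describes.
SAMPLE_CONFIG = """\
RewriteEngine On
# matches: substitution starts with $1 and none of F/G/NE is set
RewriteRule ^/old/(.*)$ $1 [R,L]
# not affected: NE flag present
RewriteRule ^/raw/(.*)$ $1 [NE,R]
# not affected: substitution starts with a fixed prefix
RewriteRule ^/docs/(.*)$ /manual/$1 [L]
# not affected: request is refused outright
RewriteRule ^/private/(.*)$ $1 [F]
# matches: long flag names that are not F/G/NE, quoted substitution
RewriteRule "^/proxy/(.*)$" "$1" [proxy,last]
# matches: RewriteCond backreference leads the substitution (script assumption)
RewriteCond %{HTTP_HOST} ^(.+)$
RewriteRule ^/(.*)$ %1/$1 [L]
"""


if __name__ == "__main__":
    for f in audit_rewrite_rules(SAMPLE_CONFIG):
        print(f"line {f.lineno}: substitution {f.substitution!r} flags {f.flags}")
```

Run against a real httpd.conf by passing its contents to audit_rewrite_rules; a clean result does not prove a build is unaffected (the announcement ties exploitability to the compiled stack layout), so upgrading or applying the patch remains the fix and this script only helps prioritise which configurations expose the rule shape described.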




Re: [Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released

Posted by Steffen <in...@apachelounge.com>.
On httpd.apache.org, at 2.0.59 it says:
The Apache HTTP Server Project is *proud* to announce the legacy...

At 1.3.37
The Apache Group is *pleased* to announce the legacy...

Is the project still proud to announce 2.0.x?

Steffen

----- Original Message ----- 
From: "William A. Rowe, Jr." <wr...@rowe-clan.net>
To: <de...@httpd.apache.org>
Cc: <bu...@securityfocus.com>; <fu...@lists.grok.org.uk>
Sent: Thursday, August 03, 2006 11:58
Subject: Re: [Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released


> Philip M. Gollucci wrote:
>> William A. Rowe, Jr. wrote:
>>>                     Apache HTTP Server 2.2.3 Released
> ...
>>>    CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
>>>    mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
>>>    and 2.2 since 2.2.0.
>> Is a release in the 2.0.x (2.0.59) soon to follow ?
>
> If you continued reading a few para's down...
>
>> Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also available
>> with this security fix. See the appropriate CHANGES from the url above.
>> The Apache HTTP Project developers strongly encourage all users to
>> migrate to Apache 2.2, as only limited maintenance is performed on these
>> legacy versions.
>
> We don't expect to be publishing simultaneous spam for the old flavors every
> time we release the main version; essentially it propagates the idea that the
> 1.3 / 2.0 branches are actively developed and maintained.  We will likely fix
> security flaws as they come up, but most of the time a single announcement
> suffices.  (Oh, and check out the subject line too :)
>
> Bill
> 


Re: [Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Philip M. Gollucci wrote:
> William A. Rowe, Jr. wrote:
>>                     Apache HTTP Server 2.2.3 Released
...
>>    CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
>>    mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
>>    and 2.2 since 2.2.0.
> Is a release in the 2.0.x (2.0.59) soon to follow ?

If you continued reading a few para's down...

> Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also available
> with this security fix. See the appropriate CHANGES from the url above.
> The Apache HTTP Project developers strongly encourage all users to
> migrate to Apache 2.2, as only limited maintenance is performed on these
> legacy versions.

We don't expect to be publishing simultaneous spam for the old flavors every
time we release the main version; essentially it propagates the idea that the
1.3 / 2.0 branches are actively developed and maintained.  We will likely fix
security flaws as they come up, but most of the time a single announcement
suffices.  (Oh, and check out the subject line too :)

Bill

Re: [Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Philip M. Gollucci wrote:
> Steve VanDevender wrote:
>> Philip M. Gollucci writes:
>>  > William A. Rowe, Jr. wrote:
>>  > >                     Apache HTTP Server 2.2.3 Released
>>  > > 
>>  > > The Apache Software Foundation and The Apache HTTP Server Project are
>>  > > pleased to announce the release of version 2.2.3 of the Apache HTTP Server
>>  > > ("Apache").
>>  > > 
>>  > > This version of Apache is principally a bug and security fix release. The
>>  > > following potential security flaws are addressed;
>>  > > 
>>  > >    CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
>>  > >    mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
>>  > >    and 2.2 since 2.2.0.
>>  > Is a release in the 2.0.x (2.0.59) soon to follow ?
>>
>> Both 2.0.59 and 1.3.37 have been out for at least a couple of days now,
>> both including the mod_rewrite fix.
> Where did the announcement go ?
> I'm on pretty much *@*.apache.org
> 
> did I miss and delete them by accident ?

We do *not* email three announcement messages anymore.  See the body of
the message which indicates 2.0.59 and 1.3.37 were released as well.
(I thought I just answered that question for you?)

This *one announcement message* was sent (as your reply-all indicated)
to bugtraq, full-disclosure, dev@httpd, announce@httpd, and announce@a.o.



Re: [Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released

Posted by "Philip M. Gollucci" <pg...@p6m7g8.com>.
Steve VanDevender wrote:
> Philip M. Gollucci writes:
>  > William A. Rowe, Jr. wrote:
>  > >                     Apache HTTP Server 2.2.3 Released
>  > > 
>  > > The Apache Software Foundation and The Apache HTTP Server Project are
>  > > pleased to announce the release of version 2.2.3 of the Apache HTTP Server
>  > > ("Apache").
>  > > 
>  > > This version of Apache is principally a bug and security fix release. The
>  > > following potential security flaws are addressed;
>  > > 
>  > >    CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
>  > >    mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
>  > >    and 2.2 since 2.2.0.
>  > Is a release in the 2.0.x (2.0.59) soon to follow ?
> 
> Both 2.0.59 and 1.3.37 have been out for at least a couple of days now,
> both including the mod_rewrite fix.
Where did the announcement go ?
I'm on pretty much *@*.apache.org

did I miss and delete them by accident ?





-- 
------------------------------------------------------------------------
Philip M. Gollucci (pgollucci@p6m7g8.com) 323.219.4708
Consultant / http://p6m7g8.net/Resume/resume.shtml
Senior Software Engineer - TicketMaster - http://ticketmaster.com
1024D/A79997FA F357 0FDD 2301 6296 690F  6A47 D55A 7172 A799 97F

"It takes a minute to have a crush on someone, an hour to like someone,
and a day to love someone, but it takes a lifetime to forget someone..."

Re: [Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released

Posted by "Philip M. Gollucci" <pg...@p6m7g8.com>.
William A. Rowe, Jr. wrote:
>                     Apache HTTP Server 2.2.3 Released
> 
> The Apache Software Foundation and The Apache HTTP Server Project are
> pleased to announce the release of version 2.2.3 of the Apache HTTP Server
> ("Apache").
> 
> This version of Apache is principally a bug and security fix release. The
> following potential security flaws are addressed;
> 
>    CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
>    mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
>    and 2.2 since 2.2.0.
Is a release in the 2.0.x (2.0.59) soon to follow ?


-- 
------------------------------------------------------------------------
Philip M. Gollucci (pgollucci@p6m7g8.com) 323.219.4708
Consultant / http://p6m7g8.net/Resume/resume.shtml
Senior Software Engineer - TicketMaster - http://ticketmaster.com
1024D/A79997FA F357 0FDD 2301 6296 690F  6A47 D55A 7172 A799 97F

"In all that I've done wrong I know I must have done something right to
deserve a hug every morning and butterfly kisses at night."