Apache irons out bugs in HTTP server; 2.0 gaining momentum

The Apache Foundation has released an update to the Apache HTTP Server, fixing five security vulnerabilities along the way

The release this week of version 2.0.51 of the Apache HTTP Server includes significant changes compared to 2.0.50, according to the foundation.

The release addresses:

  • An input validation issue in IPv6 literal address parsing, which can result in a negative length parameter being passed to memory.

  • A buffer overflow in configuration file parsing could allow a local user to gain the privileges of a httpd child if the server can be forced to parse a carefully crafted .htaccess file.

  • A segfault in mod_ssl which can be triggered by a malicious remote server, if proxying to SSL servers has been configured.

  • A potential infinite loop in mod_ssl which could be triggered given particular timing of a connection abort.

  • A segfault in mod_dav_fs which can be remotely triggered by an indirect lock refresh request.

This release is compatible with modules compiled for 2.0.42 and later versions.

There have been 14 releases of the 2.0 line since it was made generally available on April 5, 2002 (which was the release date of 2.0.35). According to Apache contributor Sander Striker this is a fairly low number for an open source project.

"There are many different types of security issues and most of the ones in 2.0 are temporary denial of service exploits, not exploitable in the default configuration, and/or not remotely exploitable and are therefore not very dangerous overall. Some notable exceptions aside," he said.

2.0 uptake steady

According to Striker there has been much effort put into making upgrading along the 2.0 series simple, and to allow people to easily take advantage of security/bug fixes. For example, third-party modules compiled for 2.0.42 will still be binary compatible with 2.0.51.

The Apache HTTP Server keeps on gaining market share. "According to Netcraft and SecuritySpace we are now roughly at 68% [of the Web server market].

Although much of these figures is still 1.3, he said version 2.0 is certainly taking off. "Maybe not as fast as we would like, but that is, we believe, due to the fact that 1.3 does the job for most people. They don't have an incentive to switch."