Sander Striker | 15 Sep 20:50 2004

Apache HTTP Server 2.0.51 Released


The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.0.51 of the Apache
HTTP Server ("Apache").  This Announcement notes the significant
changes in 2.0.51 as compared to 2.0.50.

This version of Apache is principally a bug fix release.  Of
particular note is that 2.0.51 addresses five security
vulnerabilities:

  An input validation issue in IPv6 literal address parsing which
  can result in a negative length parameter being passed to memcpy.
  [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786]

  A buffer overflow in configuration file parsing could allow a
  local user to gain the privileges of a httpd child if the server
  can be forced to parse a carefully crafted .htaccess file.
  [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0747]

  A segfault in mod_ssl which can be triggered by a malicious
  remote server, if proxying to SSL servers has been configured.
  [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0751]

  A potential infinite loop in mod_ssl which could be triggered
  given particular timing of a connection abort.
  [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748]

  A segfault in mod_dav_fs which can be remotely triggered by an
  indirect lock refresh request.
  [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0809]

William A. Rowe, Jr. | 28 Sep 22:55 2004

Apache HTTP Server 2.0.52 Released


                   Apache HTTP Server 2.0.52 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.0.52 of the Apache HTTP
   Server ("Apache").  This Announcement notes the significant changes
   in 2.0.52 as compared to 2.0.51. The Announcement is also available in
   German and Japanese from:

        http://www.apache.org/dist/httpd/Announcement2.txt.de
        http://www.apache.org/dist/httpd/Announcement2.txt.ja

   This version of Apache is principally a bug fix release.  Of
   particular note is that 2.0.52 addresses one new security related
   flaw introduced in 2.0.51:

     Fix merging of the Satisfy directive, which was applied to
     the surrounding context and could allow access despite configured
     authentication.
     [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0811]

   The Apache HTTP Server Project would like to thank Rici Lake for
   identification and a proposed fix of this flaw.

   This release is compatible with modules compiled for 2.0.42 and
   later versions.  We consider this release to be the best version of
   Apache available and encourage users of all prior versions to
   upgrade.

   Apache HTTP Server 2.0.52 is available for download from

