Security News > 2003 > July > DoS Holes Plugged in Apache HTTP Server
Forwarded from: "eric wolbrom, CISSP" http://www.internetnews.com/dev-news/article.php/2232981 July 9, 2003 By Ryan Naraine The Apache Software Foundation on Monday released a new version of its open-source Web server project to plug four potentially serious security holes. The latest update to the Apache 2.0 HTTP Server (version 2.0.47) is described as a security and bug fix release to plug holes that could lead to denial-of-service attacks. The Foundation warned that the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one. The previous Apache HTTP Server version also contains a bug in the prefork MPM where certain errors returned by accept() on rarely accessed ports could cause temporal DoS. Another DoS security vulnerability, caused when target host is IPv6, was also patched. Apache explained that ftp proxy server can't create IPv6 socket. The Apache Foundation also warned older versions of the server would crash when going into an infinite loop because of too many subsequent internal redirects and nested subrequests. The Apache 2.0 HTTP Server project, which is developed and maintained by volunteers, dominates the Web server market. At the end of June, Netcraft statistics found the Apache server commanding a 67 percent share (29 million sites) of the market, well ahead of competing products from Microsoft and Sun Microsystems. _______________________________________________________________________ eric wolbrom, CISSP Safe Harbor Technologies President & CIO 66 Garlen Road Voice 914.767.9090 Katonah, NY 10536 Fax 914.767.3911 http://www.shtech.net _______________________________________________________________________ - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.