Apache HTTP Server update fixes remote DoS issue - Update

The Apache HTTP Server developers have released version 2.2.18 of the eponymous web server as a bug fix and security fix release. The security fix is needed because of a vulnerability to a Denial of Service (DoS) attack; the vulnerability is rated as moderate.

A bug in Apache Portable Runtime's (APR) apr_fnmatch() function could be provoked into triggering recursive string matching and thus causing excessive CPU usage and exhausting memory. Systems which have mod_autoindex enabled and are indexing directories with sufficiently long file names are vulnerable to the issue. Users unable to upgrade can set the "IgnoreClient" option in the "IndexOptions" directive which will disable the processing of client supplied arguments and prevent this attack.

The new version of Apache server now ships with version 1.4.4 of APR in which the bug is fixed. Other fixes are detailed in the CHANGES file and include corrections to timeout handling and changing the default password algorithm for htpasswd to MD5. Linux distributions such as Red Hat have release packages to fix the DoS issue. Source code for the update is available to download.

Update: The Apache Portable Runtime provides a software library which gives a predictable and consistent interface to many operating systems. Because of this, APR is also used by Apache projects and non-Apache applications. This means that the flaw in apr_fnmatch() may be exposed and exploitable in those other projects and applications. Developers using APR should upgrade to APR 1.4.4 to correct the problem.

(djwm)