In association with heise online

28 July 2006, 13:05

New versions of Apache web server close security hole


The Apache developers have released new versions of their web server software to close a security hole that, under certain circumstances, allows attackers to plant arbitrary code.

The vulnerability is located in the mod_rewrite module. It affects rewrite rules in which attackers can influence the start of the rewritten URL (for example, where the rewritten URL begins with $1) and in which none of the flags Forbidden (F), Gone (G) or NoEscape (NE) is set. The bug is an off-by-one flaw: it allows a 1-byte buffer overrun, through which smuggled code could be executed.

All branches of Apache development are affected. The new versions that correct the flaw are 1.3.37, 2.0.59 and 2.2.3. Users who compile Apache themselves should build and install the new version immediately. Linux distributors are likely to provide updated packages very soon.
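For administrators who want to know whether their configuration contains rules of the kind described above, the following is an added example, not code from the Apache project or from this article. It is a heuristic audit that assumes the rule conditions exactly as the article states them; the sample configuration and the function names are constructed for illustration.

```python
import re
import shlex

# Flags that, per the article, take a rule out of scope (short and long spellings).
EXEMPT_FLAGS = {"f", "forbidden", "g", "gone", "ne", "noescape"}
# Fixed release per branch, as named in the article.
FIXED = {(1, 3): 37, (2, 0): 59, (2, 2): 3}
# Constructed sample configuration (not from the article).
SAMPLE = """\
RewriteEngine On
RewriteRule ^/go/(.*)$ $1 [R,L]
RewriteRule ^/old/(.*)$ $1 [NE,R]
RewriteRule ^/app/(.*)$ /index.php?q=$1 [L]
# RewriteRule ^/off/(.*)$ $1
RewriteRule ^/x/(.*)$ $1
"""

def parse_flags(token):
    """Turn '[R=301,L]' into {'r', 'l'} (flag names only, lower-cased)."""
    inner = token.strip()[1:-1]
    return {f.split("=", 1)[0].strip().lower() for f in inner.split(",") if f.strip()}

def risky_rules(config_text):
    """Return (line_no, line) for RewriteRule lines matching the article's conditions."""
    hits = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            continue  # commented-out directive
        try:
            parts = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: skip rather than guess
        if len(parts) < 3 or parts[0].lower() != "rewriterule":
            continue
        substitution = parts[2]
        has_flags = len(parts) > 3 and parts[3].startswith("[")
        flags = parse_flags(parts[3]) if has_flags else set()
        # Rewritten URL begins with a backreference and no F/G/NE flag is set.
        if re.match(r"\$\d", substitution) and not (flags & EXEMPT_FLAGS):
            hits.append((no, line))
    return hits

def is_patched(version):
    """True/False for the branches the article names, None for any other branch."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    fixed = FIXED.get((major, minor))
    return None if fixed is None else patch >= fixed

if __name__ == "__main__":
    for no, line in risky_rules(SAMPLE):
        print(f"line {no}: review before upgrading: {line}")
```

A hit means the rule matches the pattern in the article and should be reviewed; upgrading to the fixed release for the branch remains the actual remedy.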
