For the second time in as many months, the Apache Software
Foundation has released a security-driven update of its popular
open-source web server software.The latest version of Apache, 2.0.46 was
described as "principally a security and bug fix release" in a
bulletin released by the open-source organisation.
Among those fixes is a patch for a security
hole in the mod_dav module that could be exploited remotely,
causing an Apache web server process to crash.
Mod_dav is an open-source module that provides
WebDAV (World Wide Web Distributed Authoring and Versioning)
protocol support for the Apache Web server.
WebDAV is a set of extensions to HTTP
(Hypertext Transfer Protocol) which allows users to edit and manage
files on remote web servers. The protocol is designed to create
interoperable, collaborative applications that facilitate
geographically dispersed "virtual" software development teams.
Few details were available regarding the
mod_dav vulnerability, which was first discovered and reported to
the Foundation by a researcher at security firm iDefense.
In March, Microsoft released a patch for a
security hole in a core Windows component used to handle an
unchecked buffer in a Windows 2000 component used to handle the
WebDAV protocol.
That flaw, which has already been exploited by
hackers, could enable an attacker to cause a buffer overflow on the
machine running Internet Information Server, according to Microsoft
Security bulletin MS03-007.
A second fix is for a denial-of-service
vulnerability affecting Apache's authentication module.
By exploiting a bug in configuration scripts
used by a function for password validation, attackers could launch
remote denial-of-service attacks that would cause valid user names
and passwords to be rejected, the bulletin said.
The vulnerabilities affect versions of Apache
ranging from 2.0.37 up to the most recent release, 2.0.45, which
came out in April.
That latest version was also released in
response to a previously unknown critical security flaw which, like
the mod_dav vulnerability, was discovered by iDefense.
As with its last software update, the Apache
Software Foundation said that 2.0.46 was the "best version of
Apache available" and recommended that users of previous Apache
versions should upgrade.
Paul Roberts writes for IDG News Service