A new release of the popular Apache 2.0 Web server fixes a number of security vulnerabilities, according to the Apache Software Foundation (ASF).
Version 2.0.45 is intended "principally as a security and bug fix release", said the ASF. Among the flaws it patches is an as yet undisclosed flaw that could be used to launch a denial-of-service (DOS) attack against machines running Apache.
The security hole was discovered by David Endler, director of technical intelligence at security intelligence firm iDefense.
Details on the vulnerability discovered by Endler were not disclosed, but Apache 2.0 users were encouraged to upgrade.
Endler will publish a report on the vulnerability on 7 April.
Other, lower priority security leaks and bug fixes were also included in the 2.0.45 release.
However, a known DOS vulnerability that affects those systems running Apache on the OS/2 platform remains open. The latest Apache version was "too important" to delay release until the OS/2 fix could be included, the ASF said.
OS/2 users will have to wait for the release of 2.0.46 to get a fix for that problem.
The decision by the ASF and iDefense to withhold information on a major vulnerability for a week following the release of a patch contrasts with previous revelations about security holes in the Apache software.
In August, security company PivX Solutions released information on a major vulnerability shortly after the ASF published a software patch to fix the problem.
Users of all previous versions of Apache were encouraged to update to the latest release.