'Apache 2.0 vulnerability affects non-Unix platforms'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       apache-announce
Subject:    Apache 2.0 vulnerability affects non-Unix platforms
From:       Mark J Cox <mjc () apache ! org>
Date:       2002-08-09 17:54:08
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----

For Immediate Disclosure

=============== SUMMARY ================

        Title: Apache 2.0 vulnerability affects non-Unix platforms
         Date: 9th August 2002
      Version: 1
 Product Name: Apache web server 2.0
  OS/Platform: Windows, OS2, Netware
Permanent URL: http://httpd.apache.org/info/security_bulletin_20020908a.txt
  Vendor Name: Apache Software Foundation
   Vendor URL: http://www.apache.org/
      Affects: All Released versions of 2.0 through 2.0.39
     Fixed in: 2.0.40
  Identifiers: CAN-2002-0661

=============== BACKGROUND ================

Apache is a powerful, full-featured, efficient, and freely-available Web
server.  On the 7th August 2002, The Apache Software Foundation was
notified of the discovery of a significant vulnerability, identified by
Auriemma Luigi <bugtest@sitoverde.com>.

This vulnerability has the potential to allow an attacker to inflict
serious damage to a server, and reveal sensitive data.  This vulnerability
affects default installations of the Apache web server.

Unix and other variant platforms appear unaffected.  Cygwin users are
likely to be affected.

A simple one line workaround in the httpd.conf file will close the
vulnerability.  Prior to the first 'Alias' or 'Redirect' directive, add
the following directive to the global server configuration:

   RedirectMatch 400 "\\\.\."

Fixes for this vulnerability are also included in Apache version 2.0.40.
Apache 2.0.40 also contains some less serious security fixes.

More information will be made available by the Apache Software
Foundation and Auriemma Luigi <bugtest@sitoverde.com> in the
coming weeks.

=============== REFERENCES ================

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0661 to this issue.  

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661





-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iQCVAwUBPVQBxu6tTP1JpWPZAQHCwAP9HVzSAMMrXadmRdPfEe9eFUKOxpQA4v8d
mKrLciDXnVpPlaKc7/1OHUcCwPu0IucHGUN5sF93Dw3X2BKoAjJFHnmS123r/CP6
WnHAaM+Hl17pPVxI3dXJXbiDvmpBB6b9SNCrsmf0RLykLHVZqoekOh2902Y7+Fts
NpKuwE7xzdA=
=mEuL
-----END PGP SIGNATURE-----


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic