Security Release: Apache 1.1.3
Note: Apache 1.1.2 was up for a little while, but the fixes we
provided were found to have other problems, which 1.1.3 now fixes. -
Two security concerns have been brought to our attention in the last
couple of days regarding the code in Apache 1.1.1:
We have addressed the problems by making available a fix in a number of forms.
- A hole in mod_cookies which allows outside users to scribble the
memory stack, possibly allowing the user to gain shell access to the
server as the user the httpd children run as. Thanks to *Secure
Networks for advising us of this hole ahead of time and providing
a patch for the problems.
- A hole in mod_dir which causes long URL's of a particular
pattern to cause a "not found" error when looking for an index.html in
a directory, and thus returning a complete list of the directory
content. Thanks to members of the BUGTRAQ mailing list for finding this.
If you are running a beta of Apache 1.2:
The bug related to cookies is not in any beta of Apache 1.2. The bug related to
directory indexing is being fixed for the next beta release of 1.2.
If you are running Apache 1.1.1, you must do one of the following:
If you are running a version of Apache older than 1.1.1:
Please upgrade to Apache 1.1.3 immediately.
- Download a copy of *Apache 1.1.3, compile and
- Apply the two recently released patches, *mod_cookies_security.patch
and *directoryindex_security.patch to a 1.1.1 installation in the "src" directory, and recompile.
- Discontinue use of the cookie
module and turn the "Indexing"
- Upgrade to a beta of 1.2.