Security Release: Apache 1.1.3

Note: Apache 1.1.2 was up for a little while, but the fixes we provided were found to have other problems, which 1.1.3 now fixes. - 13/01/1997

Two security concerns have been brought to our attention in the last couple of days regarding the code in Apache 1.1.1:

  1. A hole in mod_cookies which allows outside users to scribble the memory stack, possibly allowing the user to gain shell access to the server as the user the httpd children run as. Thanks to *Secure Networks for advising us of this hole ahead of time and providing a patch for the problems.
  2. A hole in mod_dir which causes long URL's of a particular pattern to cause a "not found" error when looking for an index.html in a directory, and thus returning a complete list of the directory content. Thanks to members of the BUGTRAQ mailing list for finding this.
We have addressed the problems by making available a fix in a number of forms.

If you are running a beta of Apache 1.2: The bug related to cookies is not in any beta of Apache 1.2. The bug related to directory indexing is being fixed for the next beta release of 1.2.

If you are running Apache 1.1.1, you must do one of the following:

  1. Download a copy of *Apache 1.1.3, compile and install it.
  2. Apply the two recently released patches, *mod_cookies_security.patch and *directoryindex_security.patch to a 1.1.1 installation in the "src" directory, and recompile.
  3. Discontinue use of the cookie module and turn the "Indexing" option off.
  4. Upgrade to a beta of 1.2.
If you are running a version of Apache older than 1.1.1: Please upgrade to Apache 1.1.3 immediately.

More information: