AUSCERT External Security Bulletin Redistribution

        ESB-2002.551 -- The Apache Software Foundation Announcement
                          Apache 2.0.43 Released
                              09 October 2002


        AusCERT Security Bulletin Summary

Product:                Apache 2.0.x
Vendor:                 The Apache Software Foundation
Impact:                 Provide Misleading Information
                        Access Privileged Data
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

                          Apache 2.0.43 Released

   The Apache Software Foundation and The Apache Server Project are 
   pleased to announce the sixth public release of the Apache 2.0 
   HTTP Server.  This Announcement notes the significant changes in 
   2.0.43, as compared to 2.0.42.

   This version of Apache is principally a security and bug fix release. 
   A summary of the bug fixes is given at the end of this document.
   Of particular note is that 2.0.43 addresses and fixes two security

   CAN-2002-0840 (cve.mitre.org)[1]: Apache is susceptible to a cross site
   scripting vulnerability in the default 404 page of any web server hosted
   on a domain that allows wildcard DNS lookups.  We thank Matthew Murphy 
   for notification of this issue.

   Bug ID 13025[2]: Apache would serve script source code for POST requests 
   when the DAV On directive enabled mod_dav for a given resource.  We thank 
   Sander Holthaus for notification of this issue.

   We consider this release to be the best version of Apache available
   and encourage users of all prior versions to upgrade.

   Apache 2.0.43 is available for download from


   Please see the CHANGES_2.0 file in the same directory for a full list
   of changes.

   Binary distributions are available from


   The source and binary distributions are also available via any of the
   mirrors listed at


   Apache 2.0 offers numerous enhancements, improvements, and performance
   boosts over the 1.3 codebase.  The most visible and noteworthy addition
   is the ability to run Apache in a hybrid thread/process mode on any
   platform that supports both threads and processes.  This has been shown
   to improve the scalability of the Apache HTTP Server significantly in
   our testing.  Apache 2.0 also includes support for filtered I/O.  This
   allows modules to modify the output of other modules before it is
   sent to the client.  We have also included support for IPv6 on any
   platform that supports IPv6.

   For an overview of new features introduced after 1.3 please see


   This version of Apache is known to work on many versions of Unix, BeOS,
   OS/2, Windows, and Netware.  Because of the many advances in Apache
   2.0, it is expected to perform equally well on all supported platforms.
   Apache 2.0 has been running on the apache.org website since December
   of 2000 and has proven to be very reliable.

   When upgrading or installing this version of Apache, please keep 
   in mind the following:

   This release is binary-compatible only with 2.0.42, and no other previous 
   releases.  All modules must be recompiled in order to work with this 
   version.  For example, a module compiled to work with 2.0.40 will not 
   work with 2.0.43.

   This release does not include the new mod_logio, contrary to the 
   documentation in the CHANGES and manual included in this release.
   That module will be included in the next public release of Apache 2.0.
   We regret the confusion.

   Users of this release on Darwin 6.1 (including Mac OS X 10.2, a.k.a. 
   "Jaguar") must add --disable-ipv6 when invoking the ./configure script, 
   to avoid a potential security exposure related to IPv6 support on that 

   If you intend to use Apache with one of the threaded MPMs, you must
   ensure that the modules (and the libraries they depend on) that you
   will be using are thread-safe.  Please contact the vendors of
   these modules to obtain this information.

   IMPORTANT NOTE FOR APACHE USERS:   Apache 2.0 has been structured for 
   multiple operating systems from its inception, by introducing the 
   Apache Portability Library and MPM modules.  Users on non-Unix platforms 
   are strongly encouraged to move up to Apache 2.0 for better performance, 
   stability and security on their platforms.

   Apache is the most popular web server in the known universe; over half
   of the servers on the Internet are running Apache or one of its

                     Apache 2.0.43 Major changes

  Security vulnerabilities closed since Apache 2.0.42

     * Fixed the security vulnerability noted in CAN-2002-0840 (cve.mitre.org)
       regarding a cross-site scripting vulnerability in the default error
       page when using wildcard DNS.

     * Prevent POST requests for CGI scripts from serving the source code
       when DAV is enabled on the location.

  Bugs fixed since Apache 2.0.42

     * Fixed a core dump in mod_cache when it attemtped to store uncopyable
       buckets, such as a file containing SSI tags to execute a CGI script.

     * Ensured that output already available is flushed to the network
       to help some streaming CGIs and other dynamically-generated content.

     * Fixed a mutex problem in mod_ssl dbm session cache support.

     * Allow the UserDir directive to accept a list of directories, as in 1.3.

     * Changed SuExec to use the same default directory as the rest of the
       server, e.g. /usr/local/apache2.

     * Retry connections with mod_auth_ldap on LDAP_SERVER_DOWN errors.

     * Pass the WWW-Authenticate header on a 4xx responses from the proxy.

     * Fixed mod_cache's CacheMaxStreamingBuffer directive within virtual hosts.

     * Add -p option to apxs to allow programs to be compiled with apxs.


   [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840  
   [2] http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13025

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key