Return-Path: Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 35445 invoked by uid 500); 9 Jul 2003 11:11:35 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 35428 invoked by uid 500); 9 Jul 2003 11:11:35 -0000 Delivered-To: apmail-httpd-site-cvs@apache.org Date: 9 Jul 2003 11:11:34 -0000 Message-ID: <20030709111134.53219.qmail@icarus.apache.org> From: striker@apache.org To: httpd-site-cvs@apache.org Subject: cvs commit: httpd-site/xdocs download.xml index.xml X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N striker 2003/07/09 04:11:34 Modified: docs download.html index.html xdocs download.xml index.xml Log: Update for 2.0.47 release. Revision Changes Path 1.26 +13 -21 httpd-site/docs/download.html Index: download.html =================================================================== RCS file: /home/cvs/httpd-site/docs/download.html,v retrieving revision 1.25 retrieving revision 1.26 diff -u -r1.25 -r1.26 --- download.html 30 May 2003 21:15:38 -0000 1.25 +++ download.html 9 Jul 2003 11:11:33 -0000 1.26 @@ -105,16 +105,18 @@ Apache -2.0.46 is the best available version +2.0.47 is the best available version

This release fixes security problems described in - - CAN-2003-0245 and - - CAN-2003-0189. It also contains bug fixes and some new features. + + CAN-2003-0192, + + CAN-2003-0253 and + + CAN-2003-0253. It also contains bug fixes and some new features. For details see the Official Announcement and the CHANGES_2.0 list.

Apache 2.0 add-in modules are not compatible with Apache 1.3 modules. @@ -124,24 +126,14 @@

  • Unix Source: -httpd-2.0.46.tar.gz -[PGP] -[MD5]
  • +httpd-2.0.47.tar.gz +[PGP] +[MD5]
  • Unix Source: -httpd-2.0.46.tar.Z -[PGP] -[MD5]
  • - -
  • Win32 Source: -httpd-2.0.46-win32-src.zip -[PGP] -[MD5]
  • - -
  • Win32 Binary (MSI Installer): -apache_2.0.46-win32-x86-no_src.msi -[PGP] -[MD5]
  • +httpd-2.0.47.tar.Z +[PGP] +[MD5]
  • Other files
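Review bot: the third identifier in the new security sentence is a duplicate; the replacement reads `CAN-2003-0192, CAN-2003-0253 and CAN-2003-0253`, while the index page updated in this same commit lists the third fix as CAN-2003-0254, so the second `CAN-2003-0253` should be `CAN-2003-0254`. Since docs/download.html is the generated copy of xdocs/download.xml, which carries the same duplicated line, the correction needs to be made in the xdocs source and the html regenerated, not patched here alone.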
  • 1.59 +18 -27 httpd-site/docs/index.html Index: index.html =================================================================== RCS file: /home/cvs/httpd-site/docs/index.html,v retrieving revision 1.58 retrieving revision 1.59 diff -u -r1.58 -r1.59 --- index.html 15 Jun 2003 19:15:49 -0000 1.58 +++ index.html 9 Jul 2003 11:11:34 -0000 1.59 @@ -67,7 +67,7 @@ efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

    Apache has been the most popular web server on the Internet since -April of 1996. The June 2003 Netcraft Web Server Survey +April of 1996. The July 2003 Netcraft Web Server Survey found that 63% of the web sites on the Internet are using Apache, thus making it more widely used than all other web servers combined.

    The Apache HTTP Server is a project of the Apache Software Foundation.

    @@ -94,39 +94,30 @@
    - Apache 2.0.46 Released + Apache 2.0.47 Released

    The Apache HTTP Server Project is proud to announce the -ninth public release of Apache 2.0.

    +tenth public release of Apache 2.0.

    This version of Apache is principally a security and bug fix release. - Of particular note is that 2.0.46 addresses two security + Of particular note is that 2.0.47 addresses four security vulnerabilities:

    -

    Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in - certain circumstances. This can be triggered remotely through mod_dav - and possibly other mechanisms. The crash was originally reported by - David Endler <DEndler@iDefense.com> and was researched and fixed by - Joe Orton <jorton@redhat.com>. Specific details and an analysis of the - crash will be published Friday, May 30. No more specific information - is disclosed at this time, but all Apache 2.0 users are encouraged to - upgrade now.
    - [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245]

    -

    Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were - vulnerable to a denial-of-service attack on the basic authentication - module, which was reported by John Hughes <john.hughes@entegrity.com>. - A bug in the configuration scripts caused the apr_password_validate() - function to be thread-unsafe on platforms with crypt_r(), including - AIX and Linux. All versions of Apache 2.0 have this thread-safety - problem on platforms with no crypt_r() and no thread-safe crypt(), - such as Mac OS X and possibly others. When using a threaded MPM (which - is not the default on these platforms), this allows remote attackers - to create a denial of service which causes valid usernames and - passwords for Basic Authentication to fail until Apache is restarted. - We do not believe this bug could allow unauthorized users to gain - access to protected resources.
    - [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189]

    +

    Certain sequences of per-directory renegotiations and the SSLCipherSuite + directive being used to upgrade from a weak ciphersuite to a strong one + could result in the weak ciphersuite being used in place of the strong + one.
    + [CAN-2003-0192]

    +

    Certain errors returned by accept() on rarely accessed ports could cause + temporal denial of service, due to a bug in the prefork MPM.
    + [CAN-2003-0253]

    +

    Denial of service was caused when target host is IPv6 but ftp proxy + server can't create IPv6 socket.
    + [CAN-2003-0254]

    +

    The server would crash when going into an infinite loop due to too many + subsequent internal redirects and nested subrequests.
    + [VU#379828]

    For further details, see the announcement.

    Download | 1.25 +13 -22 httpd-site/xdocs/download.xml Index: download.xml =================================================================== RCS file: /home/cvs/httpd-site/xdocs/download.xml,v retrieving revision 1.24 retrieving revision 1.25 diff -u -r1.24 -r1.25 --- download.xml 30 May 2003 21:15:38 -0000 1.24 +++ download.xml 9 Jul 2003 11:11:34 -0000 1.25 @@ -52,13 +52,15 @@

    Apache -2.0.46 is the best available version +2.0.47 is the best available version

    This release fixes security problems described in - - CAN-2003-0245 and - - CAN-2003-0189. It also contains bug fixes and some new features. + + CAN-2003-0192, + + CAN-2003-0253 and + + CAN-2003-0253. It also contains bug fixes and some new features. For details see the Official Announcement and the

  • Unix Source: -httpd-2.0.46.tar.gz -[PGP] -[MD5]
  • +httpd-2.0.47.tar.gz +[PGP] +[MD5]
  • Unix Source: -httpd-2.0.46.tar.Z -[PGP] -[MD5]
  • - -
  • Win32 Source: -httpd-2.0.46-win32-src.zip -[PGP] -[MD5]
  • - -
  • Win32 Binary (MSI Installer): -apache_2.0.46-win32-x86-no_src.msi -[PGP] -[MD5]
  • +httpd-2.0.47.tar.Z +[PGP] +[MD5]
  • Other files
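Review bot: the Win32 Source (`httpd-2.0.46-win32-src.zip`) and Win32 Binary MSI (`apache_2.0.46-win32-x86-no_src.msi`) entries are removed outright with no 2.0.47 replacement and no sentence telling Windows users that 2.0.47 packages are pending or where to find them, so a reader who comes to this page to fetch a Win32 package and its PGP/MD5 signature finds nothing. Suggest either adding a short line stating that Win32 packages for 2.0.47 will follow, or leaving the 2.0.46 Win32 entries in place until the 2.0.47 packages are published. The duplicated `CAN-2003-0253` identifier visible in this hunk is also the source of the same error in the generated download.html.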
  • 1.44 +22 -29 httpd-site/xdocs/index.xml Index: index.xml =================================================================== RCS file: /home/cvs/httpd-site/xdocs/index.xml,v retrieving revision 1.43 retrieving revision 1.44 diff -u -r1.43 -r1.44 --- index.xml 15 Jun 2003 19:15:49 -0000 1.43 +++ index.xml 9 Jul 2003 11:11:34 -0000 1.44 @@ -15,7 +15,7 @@ with the current HTTP standards.

    Apache has been the most popular web server on the Internet since -April of 1996. The June 2003 Netcraft Web Server Survey found that 63% of the web sites on the Internet are using Apache, thus making it more widely used than all other web servers combined.

    @@ -37,41 +37,34 @@ your downloads using PGP or MD5 signatures!

    -
    -Apache 2.0.46 Released +
    +Apache 2.0.47 Released

    The Apache HTTP Server Project is proud to announce the -ninth public release of Apache 2.0.

    +tenth public release of Apache 2.0.

    This version of Apache is principally a security and bug fix release. - Of particular note is that 2.0.46 addresses two security + Of particular note is that 2.0.47 addresses four security vulnerabilities:

    -

    Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in - certain circumstances. This can be triggered remotely through mod_dav - and possibly other mechanisms. The crash was originally reported by - David Endler <DEndler@iDefense.com> and was researched and fixed by - Joe Orton <jorton@redhat.com>. Specific details and an analysis of the - crash will be published Friday, May 30. No more specific information - is disclosed at this time, but all Apache 2.0 users are encouraged to - upgrade now.
    - [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245]

    - -

    Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were - vulnerable to a denial-of-service attack on the basic authentication - module, which was reported by John Hughes <john.hughes@entegrity.com>. - A bug in the configuration scripts caused the apr_password_validate() - function to be thread-unsafe on platforms with crypt_r(), including - AIX and Linux. All versions of Apache 2.0 have this thread-safety - problem on platforms with no crypt_r() and no thread-safe crypt(), - such as Mac OS X and possibly others. When using a threaded MPM (which - is not the default on these platforms), this allows remote attackers - to create a denial of service which causes valid usernames and - passwords for Basic Authentication to fail until Apache is restarted. - We do not believe this bug could allow unauthorized users to gain - access to protected resources.
    - [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189]

    +

    Certain sequences of per-directory renegotiations and the SSLCipherSuite + directive being used to upgrade from a weak ciphersuite to a strong one + could result in the weak ciphersuite being used in place of the strong + one.
    + [CAN-2003-0192]

    + +

    Certain errors returned by accept() on rarely accessed ports could cause + temporal denial of service, due to a bug in the prefork MPM.
    + [CAN-2003-0253]

    + +

    Denial of service was caused when target host is IPv6 but ftp proxy + server can't create IPv6 socket.
    + [CAN-2003-0254]

    + +

    The server would crash when going into an infinite loop due to too many + subsequent internal redirects and nested subrequests.
    + [VU#379828]

    For further details, see the announcement.
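Review bot: the four new vulnerability entries drop the affected-version ranges that the replaced entries stated ("Apache 2.0 versions 2.0.37 through 2.0.45", "2.0.40 through 2.0.45"), so a reader can no longer tell from the front page whether an installed version is affected; each entry should name the versions it applies to. Two wording fixes in the same block: "temporal denial of service" should read "temporary denial of service", and the CAN-2003-0254 entry would read better as "A denial of service occurred when the target host is IPv6 but the FTP proxy server cannot create an IPv6 socket." The same text appears in the generated docs/index.html hunk above, so the edits belong here in xdocs/index.xml followed by a regeneration.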