httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Behlendorf <>
Subject 1.1.2 plan
Date Sun, 12 Jan 1997 01:00:29 GMT

So, Randy will put together 1.1.2 with the two security fixes and upload them.  

1) I suggest he provide them as both a tarball and as two patches so that
people with hacked installations can add them.

2) I also suggest we recommend two non-code fixes:
   a) compile without mod_cookies to fix the mod_cookies problem
   b) Turn DirectoryIndexing off (index.html will still be returned for
requests like "GET / HTTP/1.0", yes?), which can be configured per-dir,if
people don't want to muck with patching code.

3) I don't think we need to remove the binary distributions, but we might want
to consider adding a note about the warning to the listing in the binaries

4) Once all that is done, we can send a message to c.i.w.s.u and ap-announce
(to ap-announce first, though).  I propose something like the following.
To-be-determined comments in []'s.


Two security problems have been noticed in the Apache 1.1.1 code base. The
first is in mod_cookies, which is *not* compiled in the distribution by
default.  This hole allows outside users to attempt to scribble the memory
stack used by Apache, which could lead to the granting of shell access to an
outside user of the user-ID the httpd children run as.  The second hole is in
the way Apache handles very long URLs comprised of nothing but '/' characters -
the effect being that contents of directories may be viewable even if an
"index.html" file exists (or whatever DirectoryIndex is set to).

For this reason we are releasing an Apache 1.1.2, which contains patches for
these two holes.  The patches are also attached to this message, in a form
suitable for feeding the "patch" program from the "src" directory in the Apache
1.1.1 distribution.  There is also a way to prevent the security holes by
turning off two features, as explained below. 

Apache 1.2 betas appear to not have the most serious of the two holes, and we
are fixing the second hole for the next beta, due within the next week[?].

We strongly recommend users of Apache 1.1.1 do one of the following:

  1) download a copy of 1.1.2 from, compile and
     install it.
  2) apply the patches below to their 1.1.1 installations
  3) discontinue use of the cookie module and turn "directoryindexing" off.
  4) upgrade to a beta of 1.2

On a similar note, we are holding the next beta of 1.2 while we work on a
general solution to memory stack scribbling.

*More details on the security holes*

The following URL's describe each security hole more clearly:

[To be added]

*How to use the attached patches*

Attached to this message are two patches.  Save them into your "src"
subdirectory of your Apache installation, and then do the following:

  patch < cookies.patch
  patch < longurls.patch

You should then have a new "httpd" executable.

*How to turn off the features*

With these changes you should not need to modify the 1.1.1 code.

  1) Recompile the server without mod_cookies.c.  If you're running the
     default set of modules, this is already left out.
  2) Turn off directory indexing by making sure none of your "Options"
     directives say either "Indexes" or "All".  


We would just like to conclude by saying that these holes have been discovered
not because Apache is necessarily more buggy than other servers, but because
source code is available to everyone, and thus it's easier to look for holes.
Very similar holes may exist in other commercial servers, but without source no
one outside the companies who own the code can know for sure, save for those
who are actively exploiting them.  

Thank you for using Apache.

Attached: cookies.patch, longurls.patch


View raw message