www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark J Cox <...@apache.org>
Subject Apache 2.0 vulnerability affects non-Unix platforms
Date Fri, 09 Aug 2002 17:54:08 GMT

For Immediate Disclosure

=============== SUMMARY ================

        Title: Apache 2.0 vulnerability affects non-Unix platforms
         Date: 9th August 2002
      Version: 1
 Product Name: Apache web server 2.0
  OS/Platform: Windows, OS2, Netware
Permanent URL: http://httpd.apache.org/info/security_bulletin_20020908a.txt
  Vendor Name: Apache Software Foundation
   Vendor URL: http://www.apache.org/
      Affects: All Released versions of 2.0 through 2.0.39
     Fixed in: 2.0.40
  Identifiers: CAN-2002-0661

=============== BACKGROUND ================

Apache is a powerful, full-featured, efficient, and freely-available Web
server.  On the 7th August 2002, The Apache Software Foundation was
notified of the discovery of a significant vulnerability, identified by
Auriemma Luigi <bugtest@sitoverde.com>.

This vulnerability has the potential to allow an attacker to inflict
serious damage to a server, and reveal sensitive data.  This vulnerability
affects default installations of the Apache web server.

Unix and other variant platforms appear unaffected.  Cygwin users are
likely to be affected.

A simple one line workaround in the httpd.conf file will close the
vulnerability.  Prior to the first 'Alias' or 'Redirect' directive, add
the following directive to the global server configuration:

   RedirectMatch 400 "\\\.\."

Fixes for this vulnerability are also included in Apache version 2.0.40.
Apache 2.0.40 also contains some less serious security fixes.

More information will be made available by the Apache Software
Foundation and Auriemma Luigi <bugtest@sitoverde.com> in the
coming weeks.

=============== REFERENCES ================

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0661 to this issue.  


Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org


View raw message