Apache Server Bugs Fixed

Wednesday, August 22, 2012 @ 01:08 PM gHale


The Apache Software Foundation released version 2.4.3 of the Apache HTTP Server, fixing over fifty bugs and closing two security holes.

The two vulnerabilities are present in the mod_proxy_aip, mod_proxy_http and mod_negotiation modules.

RELATED STORIES
Apache Security Fix Details
Apache Traffic Server Security Patch
Oracle Flaw PoC Releases by Mistake
A+ Discovery: Student Finds Zero Day

The two gaps are CVE-2012-3502 and CVE-2012-2687, but there is little information available on the actual problems. The first bug happens with mod_proxy_sjp and mod_proxy_http in the backend when a connection is closing which “could lead to privacy issues due to a response mixup.”

The second problem, in mod_negotiation, concerns a possible XSS (cross-site scripting) where untrusted users are uploading files. The issue ends up fixed by escaping file names.

The updated version of the HTTP Server is available to download from the project’s download page. Details of all the changes made in 2.4.3 are in the change log. Among those errors is a fix for an SSL issue which affects the HTTP Server when run on Windows since version 2.4.2.



Leave a Reply

You must be logged in to post a comment.