The Apache Software Foundation and the Apache HTTP Server Project have announced the release of version 2.2.22 of the Apache HTTP Server ("Apache"). The project considers this release to be the best version of Apache available and encourages users of all prior versions to upgrade.
This version of Apache is principally a security and bug-fix release. The security fixes it carries are the following:
* SECURITY: CVE-2011-3368 (cve.mitre.org): Reject requests whose request-URI (Uniform Resource Identifier) does not match the HTTP specification, preventing unexpected expansion of the target URL (Uniform Resource Locator) in some reverse proxy configurations.
* SECURITY: CVE-2011-3607 (cve.mitre.org): Fix an integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file.
* SECURITY: CVE-2011-4317 (cve.mitre.org): Resolve additional cases of URL rewriting with RewriteRule or ProxyPassMatch where particular request-URIs could result in misdirected requests, exposing the backend network in some reverse proxy configurations.
* SECURITY: CVE-2012-0021 (cve.mitre.org): mod_log_config: fix a segfault (crash) that occurs when the log format string '%{cookiename}C' is in use and the client sends a nameless, valueless cookie, which a remote client could use to cause a denial of service (DoS). This problem has existed since version 2.2.17.
* SECURITY: CVE-2012-0031 (cve.mitre.org): Fix a scoreboard issue that could allow an unprivileged child process to cause the parent process to crash at shutdown.
* SECURITY: CVE-2012-0053 (cve.mitre.org): Fix an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400.
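To make the class of bug behind the first and third items concrete, here is an added illustrative example written for this page; it is not Apache's own code and not part of the announcement. It models, in Python, the RFC 2616 request-URI grammar check that the CVE-2011-3368 fix enforces at the server level, placed next to an unanchored proxy rewrite of the form `RewriteRule ^(.*) http://backend$1 [P]` (the RewriteRule/ProxyPassMatch pattern the CVE-2011-4317 item refers to) and its anchored form. The backend name `backend.internal`, the host `evil.example` and all request-URIs are constructed for the example, and the authority check used for CONNECT is deliberately simplified.

```python
import re
from urllib.parse import urlsplit

# Illustrative model of the request-URI validation described for CVE-2011-3368,
# beside an unanchored and an anchored reverse-proxy rewrite rule of the kind the
# CVE-2011-4317 item refers to. Not Apache's implementation; all names constructed.

BACKEND = "http://backend.internal"  # assumed internal origin behind the proxy

ABSOLUTE_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://[^/?#]+")
# Simplified host[:port] form accepted for CONNECT (no IPv6 literal handling).
AUTHORITY = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")


def request_uri_is_valid(method: str, uri: str) -> bool:
    """Accept only the request-URI forms RFC 2616 section 5.1.2 allows.

    Request-URI = "*" | absoluteURI | abs_path | authority. "*" is only
    meaningful for OPTIONS, authority only for CONNECT; every other request
    must carry an absolute path (leading "/") or a full absolute URI.
    Anything else, e.g. "@evil.example/", is rejected before any rewrite runs.
    """
    if uri == "*":
        return method == "OPTIONS"
    if method == "CONNECT":
        return AUTHORITY.match(uri) is not None
    if uri.startswith("/"):
        return True
    return ABSOLUTE_URI.match(uri) is not None


def unanchored_rewrite(uri: str) -> str:
    """Models:  RewriteRule ^(.*) http://backend.internal$1 [P]

    The pattern does not require a leading slash, so whatever the client sent
    as request-URI is glued directly onto the backend origin string.
    """
    m = re.match(r"^(.*)$", uri)
    return BACKEND + m.group(1)


def anchored_rewrite(uri: str):
    """Models:  RewriteRule ^/(.*) http://backend.internal/$1 [P]

    Requiring the slash in the pattern and emitting it in the target keeps the
    captured text inside the path component. Returns None when nothing matches.
    """
    m = re.match(r"^/(.*)$", uri)
    if m is None:
        return None
    return BACKEND + "/" + m.group(1)


def backend_host(target: str) -> str:
    """Host the proxied request would actually be sent to."""
    return urlsplit(target).hostname


def proxy_front_door(method: str, uri: str, rewrite=unanchored_rewrite):
    """Run the request-URI check first, then the configured rewrite.

    Returns (status, target): 400 with no target when the URI is rejected,
    otherwise 200 with the URL the proxy would forward the request to.
    """
    if not request_uri_is_valid(method, uri):
        return 400, None
    return 200, rewrite(uri)


if __name__ == "__main__":
    # Constructed request-URIs: one normal path and one that does not start
    # with "/" and would be stitched into the authority part of the target.
    for uri in ("/app/index.html", "@evil.example/"):
        target = unanchored_rewrite(uri)
        print(f"{uri:20} unanchored -> {target:45} host={backend_host(target)}")
        print(f"{'':20} anchored   -> {anchored_rewrite(uri)}")
        print(f"{'':20} front door -> {proxy_front_door('GET', uri)}")
```

With the unanchored rule, the non-slash request-URI produces a target whose hostname is `evil.example` rather than the backend, which is the misdirected-request condition both items describe; the server-side check returns 400 before the rule is consulted, and an anchored pattern refuses to match at all. The check in the server is the actual fix shipped in this release, while anchoring proxy patterns with `^/` remains the defence-in-depth a configuration review should look for.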
The Apache HTTP Project thanks halfdog, Context Information Security Ltd, Prutha Parikh of Qualys, and Norman Hippert for bringing these issues to the attention of the security team.
This release includes the Apache Portable Runtime (APR) version 1.4.5 and the APR Utility Library (APR-util) version 1.4.2, bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and, on Win32, libapriconv version 1.2.1) must all be updated to ensure binary compatibility and to address many known security and platform bugs.
When upgrading to or installing this version of Apache, bear in mind that if you intend to use it with one of the threaded MPMs (anything other than the prefork MPM), you must ensure that any modules you will be using, and the libraries they depend on, are thread-safe.
(Source: Beritanet.com, 2012)