
Covalent Releases Information on Apache 2.0 Vulnerability

by ServerWatch Staff

On August 9, 2002, the Apache Software Foundation issued a security advisory for non-Unix versions of Apache 2.0. Covalent identified the versions of its products that are affected by this advisory.

On August 9, 2002, the Apache Software Foundation issued a security advisory for non-Unix versions of Apache 2.0. Covalent announced that customers running any version of the following products are affected by this advisory:

Covalent Enterprise Ready Server 2.0-2.1.1 for Windows platforms (Windows 2000, Windows NT 4, Windows XP).

Covalent Fast Start Server 3.0-3.1.1 for Windows platforms.

According to the company, the vulnerability does not affect any Fast Start versions prior to 3.x, and does not affect any Unix/Linux platforms.

Identifiers: CAN-2002-0661
Additional information: httpd.apache.org
Affects: All released versions of 2.0 through 2.0.39
Fixed in: 2.0.40

The vulnerability, which was reported to and verified by the Apache Software Foundation, could allow an attacker to inflict serious damage on a server and reveal sensitive information. Covalent strongly recommends that all affected customers apply the workaround to their Covalent Apache servers as soon as possible. A one-line addition to the Apache configuration file, httpsd.conf, closes the vulnerability.

Prior to the first 'Alias' or 'Redirect' directive, add the following directive to the global server configuration:

RedirectMatch 400 "\\\.\."
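The placement rule above can be audited with a short script. This is an added example, not code from Covalent or the Apache Software Foundation. It assumes that "Alias or Redirect directive" means the whole mod_alias family, it does not follow Include files, and the sample configurations are constructed.

```python
import re

# Arguments exactly as printed in the advisory text above.
WORKAROUND_ARGS = ["400", r'"\\\.\."']
# Assumption: "Alias or Redirect directive" covers the whole mod_alias family.
ALIAS_FAMILY = re.compile(
    r"^((Script)?Alias(Match)?|Redirect(Match|Temp|Permanent)?)\b", re.I)

def check_workaround(conf_text):
    """Return (ok, reason) for the text of one configuration file."""
    depth = 0  # > 0 while inside <VirtualHost>, <Directory>, ... containers
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth = max(depth - 1, 0)
        elif line.startswith("<"):
            depth += 1
        else:
            parts = line.split()
            is_fix = (parts[0].lower() == "redirectmatch"
                      and parts[1:] == WORKAROUND_ARGS)
            if is_fix and depth == 0:
                return True, f"line {lineno}: workaround precedes all Alias/Redirect directives"
            # A workaround nested in a container is not global, so it fails here too.
            if ALIAS_FAMILY.match(line):
                return False, f"line {lineno}: {parts[0]} appears before a global workaround"
    return False, "workaround directive not found"

# Constructed sample configurations (paths and names are illustrative).
GOOD = r'''
ServerRoot "C:/Apache2"
RedirectMatch 400 "\\\.\."
Alias /icons/ "C:/Apache2/icons/"
'''
LATE = r'''
Alias /icons/ "C:/Apache2/icons/"
RedirectMatch 400 "\\\.\."
'''
NESTED = r'''
<VirtualHost *:80>
RedirectMatch 400 "\\\.\."
</VirtualHost>
'''

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("LATE", LATE), ("NESTED", NESTED)):
        print(name, check_workaround(conf))
```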

Fixes for this vulnerability are also included in Apache HTTP server version 2.0.40. The 2.0.40 release also contains fixes for two minor path-revealing exposures. This release of Apache is available at http://www.apache.org/dist/httpd/

More information will be made available by the Apache Software Foundation and Auriemma Luigi in the coming weeks.

This article was originally published on Monday Aug 12th 2002