
Netstat -vat by Sean Michael Kerner (bio)

A command line view of IT



Apache updates to 2.2.13 for security

From the 'time to update Apache' files:

A new Apache HTTP server release is out, fixing at least 4 security issues in the popular open source web server. None of the fixed security issues look like show stoppers to me.

Only one of the listed security updates for Apache 2.2.13 actually has a CVE number attached to it (CVE-2009-2412). That fix addresses a potential overflow issue in APR (Apache Portable Runtime).

The other issues fixed in 2.2.13 include changes to the mod_ssl module to improve compatibility with OpenSSL 1.0.0. There is also a fix for mod_cgid, eliminating an empty argument when calling the CGI script (could potentially be a vulnerability).

Apache still maintains its older HTTP servers - the 2.x branch and the older 1.3.x branch - neither of which is affected by the new 2.2.13 update. The 1.3.41 and the 2.0.63 releases (the most recent for those branches) came out in January of 2008.

1 Comment

B. said:

I think you read the release dates for the previous lines of Apache httpd (1.3.41 and 2.0.61) wrong. Those came out in January of 2008, not 2009: http://httpd.apache.org/

In addition, that CVE you dismissed is running with an across-the-board CVSS rating of 10.0, the highest rating given to vulnerabilities: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2412

Granted, there are as yet no known exploits for that CVE, but someone at NIST/NVD thinks this is a Big Deal, even if Secunia isn't as impressed.
