Security Holes Uncovered in Apache, OpenSSL
Recently uncovered vulnerabilities in OpenSSL and Apache create the potential for attackers to tie up Web services, crash OpenSSL applications.Security researchers on Friday uncovered a vulnerability in the open-source Apache Web server software that could easily enable a denial of services attack. The discovery follows on the heels of three holes found in the popular OpenSSL security software Wednesday. The Apache problem is one of several reported in Version 2.0.48, and lets an attacker open a short-lived connection on a particular, rarely accessed listening socket. The software will block out all other connections until another connection comes in on the same socket. Reports differed on exactly which platforms and versions were affected by this problem, but not all are affected. On late Friday, The Apache Software Foundation announced an update to its HTTP Server software that fixed the problem as well as several others. Version 2.0.49 is available for download from the Apache HTTP Server Project Web site.
Meanwhile, three security vulnerabilities in the popular OpenSSL software, used to provide secure, encrypted communications to open-source applications and distributions, were discovered Wednesday. The flaws could allow an attacker to make HTTPS (secure HTTP) services unavailable on a Web server, and to crash applications using OpenSSL.