New Apache Version Fills Security Holes

Apache 2.0.45 solves two serious problems and quashes numerous smaller bugs.

The Apache Software Foundation and The Apache HTTP Server Project announced version 2.0.45 yesterday.

Several low-profile features are introduced in the new version, along with several bug fixes, the two most important of which tackle security problems. The details on a denial-of-service vulnerability will not be revealed until April 7, apparently to give administrators time to apply the patch. The other security problem involved leaks of file descriptors to child processes, including CGI scripts, which could potentially compromise data on the server.

The OS/2 version does not fix the denial-of-service problem. It will be fixed in 2.0.46; Apache authorities felt the release couldn't wait for the OS/2 fix. See the advisory for how to find and apply the patch manually.

The Foundation urges all users to upgrade to this version.