Security Holes Uncovered in Apache, OpenSSL | eWeek

Security Holes Uncovered in Apache, OpenSSL

Verfasst von
Larry Seltzer
Larry Seltzer
Mar 19, 2004
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Security researchers on Friday uncovered a vulnerability in the open-source Apache Web server software that could easily enable a denial of services attack. The discovery follows on the heels of three holes found in the popular OpenSSL security software Wednesday.

The Apache problem is one of several reported in Version 2.0.48, and lets an attacker open a short-lived connection on a particular, rarely accessed listening socket. The software will block out all other connections until another connection comes in on the same socket. Reports differed on exactly which platforms and versions were affected by this problem, but not all are affected.

On late Friday, The Apache Software Foundation announced an update to its HTTP Server software that fixed the problem as well as several others. Version 2.0.49 is available for download from the Apache HTTP Server Project Web site.

Meanwhile, three security vulnerabilities in the popular OpenSSL software, used to provide secure, encrypted communications to open-source applications and distributions, were discovered Wednesday. The flaws could allow an attacker to make HTTPS (secure HTTP) services unavailable on a Web server, and to crash applications using OpenSSL.

The first OpenSSL issue results from a “null pointer assignment” in the software. Attackers can craft special, malicious data to send during a handshake exchange that invoke the problem and cause the software to crash. Affected versions range from 0.9.6c through 0.9.6k, and 0.9.7a through 0.9.7c. The current version is 0.9.7d, available at the OpenSSL Project source code download page.

/zimages/1/28571.gifFollowing the recent theft and release of Microsofts Windows source code, Security Center Editor Larry Seltzer wondered whether open-source software is theoretically more secure than programs developed in a “closed” environment.Click hereto read more.

The second problem, like the first, involves the same handshake, but appears only when Kerberos ciphersuites are in use. The OpenSSL advisory on this problem, however, states that most applications dont have the ability to use Kerberos ciphersuites. Versions 0.9.7a, 0.9.7b and 0.9.7c are affected by this vulnerability.

The third, much older security issue involves an infinite loop that can be invoked by attackers. It affected Version 0.9.6 and was fixed in 0.9.6d.

/zimages/1/28571.gifCheck outeWEEK.coms Security Centerat http://security.eweek.com for security news, views and analysis. Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:/zimages/1/19420.gifhttp://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.