May 14, 2011 09:51 GMT

The Apache Project has released version 2.2.18 of its hugely popular web server software package in order to address a vulnerability that could lead to a denial of service condition.

The flaw, identified as CVE-2011-0419 in the Common Vulnerabilities and Exposures database, is located in the apr_fnmatch() function of the Apache Portable Runtime.

The vulnerability can be exploited remotely by sending specially crafted requests to Apache web servers configured with mod_autoindex enabled.

"Where mod_autoindex is enabled, and a directory indexed by mod_autoindex contained files with sufficiently long names, a carefully crafted request may cause excessive CPU usage," the release notes explain.

The Apache developers credit Maksymilian Arciemowicz for reporting the vulnerability and advise all users to upgrade to the new version as soon as possible.

"We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade," they write.

However, those who for various reasons cannot upgrade to the patched version can mitigate the vulnerability by setting the 'IgnoreClient' option of the 'IndexOptions' directive, which makes mod_autoindex disregard all query variables sent by the client.
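The following httpd configuration is an added illustration of that workaround and is not taken from the article or from the Apache release notes. The directory path is a placeholder; the first block shows a typical directory listing setup that still honours client query variables, the second shows the same directory with IgnoreClient applied. Only one of the two should be present in a real configuration.

```apache
# Added example, not from the Apache project or the article.
# Path is a placeholder; adjust to the directory that is actually indexed.

# Before: mod_autoindex accepts query variables from the client, including
# the sort-order parameters and the P= wildcard pattern filter, so the
# listing code is driven by request input.
<Directory "/var/www/downloads">
    Options +Indexes
    IndexOptions FancyIndexing
</Directory>

# After: IgnoreClient makes mod_autoindex ignore every query variable,
# so the server builds the listing purely from its own defaults
# (this also implies SuppressColumnSorting).
<Directory "/var/www/downloads">
    Options +Indexes
    IndexOptions FancyIndexing IgnoreClient
</Directory>
```

After editing, run `apachectl configtest` and then `apachectl graceful` to reload. To confirm the option is in effect, request the indexed directory once with and once without a sort query string such as `?C=M;O=D`: with IgnoreClient set, both responses carry the same listing. This only reduces exposure of the listing code to request input; it is not a substitute for moving to 2.2.18 and APR 1.4.4.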

Because the flaw is actually located in the Apache Portable Runtime (APR), which is also used in other projects in addition to the Apache HTTP Server, third-party developers are also advised to upgrade the runtime to version 1.4.4 in their applications.

Apache HTTP Server 2.2.18 also contains a significant number of other bug fixes and enhancements. One of them involved changing the default hashing algorithm used by htpasswd from crypt() to MD5. "Crypt with its 8 character limit is not useful anymore," the developers explain.

The Apache HTTP Server is the most widely used web server software and has played an important role in the growth of the World Wide Web. It is an open source project developed by the Apache Software Foundation and is available for a large number of operating systems.