The Apache Software Foundation has fixed two vulnerabilities in its ubiquitous Web server, including a cross-site scripting bug that could enable an attacker to upload files to a remote server. The new version of the Apache HTTP Server also includes updates that resolve dozens of other, non-security related bugs.
The 2.4 branch of the Apache Web server is the newest one and has a slew of new features and updates that aren’t included in the 2.2 branch. This latest release, version 2.4.3, contains two significant security updates and also includes a fix for a known issue with Apache running on Windows that would cause SSL connections to fail.
The two security bugs fixed in Apache 2.4.3 include the potential XSS vulnerability, as well as a problem with the closing of some back-end connections that could result in a privacy problem. Here is the security content of the 2.4.3 release:
- SECURITY: CVE-2012-3502 (cve.mitre.org) mod_proxy_ajp, mod_proxy_http: Fix an issue in back end connection closing which could lead to privacy issues due to a response mixup. PR 53727.
- SECURITY: CVE-2012-2687 (cve.mitre.org) mod_negotiation: Escape filenames in variant list to prevent an possible XSS for a site where untrusted users can upload files to a location with MultiViews enabled.
The SSL issue on Windows was a separate problem and has been resolved now. In addition to the security vulnerabilities fixed in Apache 2.4.3, there also are a slew of bug fixes that are designed to improve the performance and reliability of the server. Apache is the most widely used Web server on the Internet and still has roughly 60 percent of the market share right now, according to Netcraft.