The Apache Software Foundation has released version 2.4.68 of its HTTP Server, fixing 13 security vulnerabilities that affect all versions from 2.4.0 through 2.4.67. The update addresses critical issues including use-after-free conditions, heap-based buffer overflows, cross-site scripting, and denial-of-service flaws. System administrators running any prior release are strongly advised to upgrade immediately.
Critical Use-After-Free and XSS Vulnerabilities
Two use-after-free flaws were patched in this release. One vulnerability affects the mod_ldap module in per-directory configurations, where a dangling pointer can be triggered. Another use-after-free issue impacts the mod_http2 module when file handles are exhausted. The update also fixes a cross-site scripting vulnerability in mod_proxy_ftp’s HTML directory listing generation, which could allow script injection when Apache proxies FTP directory contents through forward or reverse proxy configurations.
Buffer Overflows and Denial-of-Service Fixes
The release addresses four buffer overflow vulnerabilities across multiple modules. These include a buffer overflow in mod_proxy_html exploitable by untrusted backend servers, a heap-based overflow in ProxyPassReverseCookieMap, a heap overflow in mod_xml2enc, and a heap underwrite in ap_regname caused by signed char overflow in crafted regex configurations. Additionally, two denial-of-service vulnerabilities were fixed, including one in mod_http2 that allows memory allocation exhaustion through malicious HTTP/2 requests, and another that triggers an infinite loop in mod_proxy_ftp.
Source: Cyber Security News
