A serious vulnerability in the most popular web server software on the Internet, Apache, was announced on 17 June. CERT/CC and the Apache Software Foundation issued advisories describing the flaw:
- http://www.cert.org/advisories/CA-2002-17.html
- http://httpd.apache.org/info/security_bulletin_20020617.txt
In most situations, the flaw can permit a denial-of-service attack and, in some cases, can allow arbitrary code to be run on the server. On 20 June, the Apache Software Foundation released new versions (1.3.26 and 2.0.39) that fix the flaw, together with a new security bulletin: http://httpd.apache.org/info/security_bulletin_20020620.txt
Serious vulnerabilities in Apache are few and far between, but this incident demonstrates the Apache Software Foundation's ability to respond promptly. This should help reassure organisations that are worried about support for Open Source software. All users of Apache should download and install the latest versions.
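
To find which servers still need the upgrade, an administrator can compare each server's reported version with the fixed releases named above. The following is an added example, not part of the original advisory or of Apache's own tooling; the host names and banner strings are constructed sample data, and the function names are hypothetical.

```python
import re

# Fixed releases named in the 20 June bulletin, keyed by release branch.
FIXED = {(1, 3): (1, 3, 26), (2, 0): (2, 0, 39)}

# Matches "Apache/1.3.24" in a Server response header or in `httpd -v` output.
VERSION_RE = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)\b")


def classify(banner):
    """Return 'needs-upgrade', 'fixed' or 'unknown' for one version string."""
    match = VERSION_RE.search(banner)
    if match is None:
        # Version suppressed or not an Apache banner: cannot decide from this.
        return "unknown"
    version = tuple(int(part) for part in match.groups())
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # A branch the page names no fixed release for: check the advisories.
        return "unknown"
    # Tuples compare numerically, so 1.3.9 sorts below 1.3.26.
    return "fixed" if version >= fixed else "needs-upgrade"


def needs_attention(inventory):
    """Return the hosts that are not confirmed fixed, sorted by name."""
    return sorted(host for host, banner in inventory.items()
                  if classify(banner) != "fixed")


# Constructed sample inventory: host -> banner collected from that host.
SAMPLE = {
    "www1.example.org": "Server: Apache/1.3.24 (Unix)",
    "www2.example.org": "Server version: Apache/1.3.26 (Unix)",
    "app1.example.org": "Server: Apache/2.0.36 (Unix)",
    "app2.example.org": "Server: Apache/2.0.39 (Unix)",
    "old1.example.org": "Server: Apache/1.3.9 (Unix)",
    "edge.example.org": "Server: Apache",
}

if __name__ == "__main__":
    for host in sorted(SAMPLE):
        print(f"{host:20} {classify(SAMPLE[host])}")
    print("follow up:", ", ".join(needs_attention(SAMPLE)))
```

A banner reports only the upstream version string, so a vendor package carrying a backported fix can still be reported as needs-upgrade; confirm such hosts against the vendor's own advisory.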