Apache HTTP Server 2.2.27

The Apache Software Foundation and the Apache HTTP Server Project have released the version 2.2.27 of the Apache HTTP Server. This was released to address a security issue and a bug fix.

The following issues were addressed in Apache HTTP Server 2.2.27:

[1] CVE-2014-0098 Segfaults with truncated cookie logging. mod_log_config: Prevent segfaults when logging truncated cookies. Clean up the cookie logging parser to recognize only the cookie=value pairs, not valueless cookies.

A flaw was found in mod_log_config. A remote attacker could send a specific truncated cookie causing a crash. This crash would only be a denial of service if using a threaded MPM.

[2] CVE-2013-6438 mod_dav: Keep track of length of cdata properly when removing leading spaces. Eliminates a potential denial of service from specifically crafted DAV WRITE requests

XML parsing code in mod_dav incorrectly calculates the end of the string when removing leading spaces and places a NUL character outside the buffer, causing random crashes. This XML parsing code is only used with DAV provider modules that support DeltaV, of which the only publicly released provider is mod_dav_svn.

Apart from this, you can upgrade your Apache HTTPS server 2.2 to Apache HTTP Server 2.4. Apache server 2.4 is in production since long time. For more details on Apache HTTP Server 2.2.27 release, please refer their official announcement at http://www.apache.org/dist/httpd/Announcement2.2.html.

If you are using previous version of Apache HTTP server, it is highly recommend that you upgrade to Apache HTTP server 2.2.27 or Apache HTTP server 2.4.