New Apache release patches holes

The Apache Software Foundation unveils a new version of its market-leading Web server software, primarily to patch previously undisclosed security vulnerabilities.

The Apache Software Foundation released on Wednesday an updated version of its market-leading Web server software, primarily to patch previously undisclosed security holes.

The group, which coordinates development and distribution of the open-source software, recommended that system administrators promptly upgrade to version 2.0.46 of Apache HTTP Server, available for download from the Apache Web site.

The free Apache program is the most popular Web server software in use today, employed by 63 percent of all Web sites, according to a recent survey by research firm Netcraft.

The new version of the software patches several serious vulnerabilities, including one that could allow vandals to crash a server by sending malicious commands to the component Apache uses to execute WebDAV (World Wide Web Distributed Authoring and Versioning) instructions. WebDAV is a set of extensions to the basic HTTP (Hypertext Transfer Protocol) underlying the Web, enabling sites to handle more advanced Web services functions. WebDAV has been the source of numerous other security holes in server software made by Microsoft and others.

The foundation said it would reveal details of the WebDAV vulnerability on Friday.

The new version of Apache also fixes a hole in the software's authentication module that could let malicious users launch a limited denial-of-service attack that would prevent authorized users from logging on to the server under siege. The Apache foundation said in a statement that it did not believe the bug could enable unauthorized users to gain access to protected resources.

The foundation released an Apache update last month to patch a vulnerability that could have allowed a more serious DoS attack.

Apache administrators were forced to scramble to contain damage late last year when a destructive worm targeting Apache servers began to spread before a patch was available.