=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN078
_____________________________________________________________________

DATE                      : 09/03/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Apache httpd versions 2.2.x prior to 2.2.15.

======================================================================
http://httpd.apache.org/security/vulnerabilities_22.html
______________________________________________________________________

 Apache HTTP Server (httpd) 2.2.15 Released

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release and immediate availability of version
2.2.15 of the Apache HTTP Server ("httpd"). This version of httpd is
principally a security and bug fix release.

Notably, this release was updated to reflect the OpenSSL Project's release
0.9.8m of the openssl library, and addresses CVE-2009-3555 (cve.mitre.org),
the TLS renegotiation prefix injection attack, through the secure renegotiation
extension (RFC 5746) that OpenSSL 0.9.8m implements. This release further
addresses the issues CVE-2010-0408, CVE-2010-0425 and CVE-2010-0434 within
mod_proxy_ajp, mod_isapi and mod_headers, respectively.

We consider this release to be the best version of httpd available,
and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.15 is available for download from:

    http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes. The condensed file CHANGES_2.2.15 provides the
complete list of changes since 2.2.14. A summary of the security vulnerabilities
addressed in 2.2.14 and earlier releases is available at:

    http://httpd.apache.org/security/vulnerabilities_22.html

Apache HTTP Server 2.2.15 is compatible with Apache Portable Runtime (APR)
versions 1.3 and 1.4, APR-util library version 1.3, and APR-iconv library
version 1.2. The most current releases should be used to address known
security and platform bugs. At the time of this httpd release, the recommended
APR releases are:

    * Apache Portable Runtime (APR) library version 1.4.2 (bundled), or
      at minimum, version 1.3.12
    * APR-util library version 1.3.9 (bundled)
    * APR-iconv library version 1.2.1 (bundled only with win32-src.zip)

Older releases of these libraries have known vulnerabilities or other defects
affecting httpd. For further information and downloads, visit:

    http://apr.apache.org/

Apache HTTP Server 2.2 offers numerous new features, bug fixes, and performance
improvements over the 2.0 codebase. For an overview of new features introduced
since 2.0 please see:

    http://httpd.apache.org/docs/2.2/new_features_2_2.html

This release builds upon and extends the httpd 2.0 API. Modules written for
httpd 2.0 will need to be recompiled in order to run with httpd 2.2, and may
require minimal source code changes.

When upgrading or installing this version of httpd, please bear in mind that
if you intend to use httpd with one of the threaded MPMs (other than the
Prefork MPM), you must ensure that any modules you will be using (and the
libraries they depend on) are thread-safe.
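
The announcement above gives an administrator three things to verify on each host: the httpd version (2.2.x before 2.2.15 is affected), the APR and APR-Util releases the server was built against, and whether a threaded MPM is in use (in which case every loaded module must be thread-safe). The script below is an added example written for this note, not code from the Apache project. It parses the output of `httpd -V` (the "Server version", "Server loaded" and "Server MPM" lines, whose format is assumed to match a Unix build of httpd 2.2) and reports what needs attention. The two sample outputs embedded in it are constructed for illustration, and treating the bundled APR-Util 1.3.9 as a minimum is this example's own assumption.

```python
import re

# Thresholds taken from the release announcement above. Treating the bundled
# APR-Util 1.3.9 as a minimum is an assumption of this example.
HTTPD_FIXED = (2, 2, 15)
APR_MIN = (1, 3, 12)
APR_UTIL_MIN = (1, 3, 9)

# Constructed sample `httpd -V` outputs (not captured from a real server).
SAMPLE_OLD = """\
Server version: Apache/2.2.14 (Unix)
Server loaded:  APR 1.3.9, APR-Util 1.3.9
Compiled using: APR 1.3.9, APR-Util 1.3.9
Architecture:   64-bit
Server MPM:     Worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
"""

SAMPLE_NEW = """\
Server version: Apache/2.2.15 (Unix)
Server loaded:  APR 1.4.2, APR-Util 1.3.9
Compiled using: APR 1.4.2, APR-Util 1.3.9
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
"""


def parse_version(text):
    """Turn '2.2.14' into (2, 2, 14) so that versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def fmt(version):
    return ".".join(str(part) for part in version)


def parse_httpd_v(output):
    """Extract httpd, APR, APR-Util versions and the MPM name from `httpd -V` output."""
    info = {}
    m = re.search(r"^Server version:\s*Apache/(\d+(?:\.\d+)+)", output, re.M)
    if m:
        info["httpd"] = parse_version(m.group(1))
    m = re.search(r"^Server loaded:\s*APR (\d+(?:\.\d+)+), APR-Util (\d+(?:\.\d+)+)",
                  output, re.M)
    if m:
        info["apr"] = parse_version(m.group(1))
        info["apr_util"] = parse_version(m.group(2))
    m = re.search(r"^Server MPM:\s*(\S+)", output, re.M)
    if m:
        info["mpm"] = m.group(1)
    return info


def assess(info):
    """Return a list of (severity, message) findings; an empty list means nothing to do."""
    findings = []
    httpd = info.get("httpd")
    if httpd is None:
        return [("error", "could not determine httpd version from output")]
    # The advisory covers the 2.2 branch only, so other branches are not flagged here.
    if httpd[:2] == (2, 2) and httpd < HTTPD_FIXED:
        findings.append(("vulnerable",
                         "httpd %s is before 2.2.15 (CVE-2009-3555, CVE-2010-0408, "
                         "CVE-2010-0425, CVE-2010-0434); upgrade" % fmt(httpd)))
    apr = info.get("apr")
    if apr is not None and apr < APR_MIN:
        findings.append(("outdated", "APR %s is below the minimum 1.3.12" % fmt(apr)))
    apr_util = info.get("apr_util")
    if apr_util is not None and apr_util < APR_UTIL_MIN:
        findings.append(("outdated",
                         "APR-Util %s is below the recommended 1.3.9" % fmt(apr_util)))
    mpm = info.get("mpm")
    if mpm and mpm.lower() != "prefork":
        findings.append(("note",
                         "threaded MPM '%s' in use: every loaded module and the "
                         "libraries it depends on must be thread-safe" % mpm))
    return findings


if __name__ == "__main__":
    import subprocess
    import sys
    if len(sys.argv) > 1:
        # Argument: path to the httpd (or apache2) binary to inspect.
        output = subprocess.run([sys.argv[1], "-V"], capture_output=True,
                                text=True, check=True).stdout
    else:
        output = SAMPLE_OLD
    for severity, message in assess(parse_httpd_v(output)) or [("ok", "no findings")]:
        print("%s: %s" % (severity, message))
```

Run it with the path to the server binary (for example `python check_httpd.py /usr/sbin/httpd`) to inspect a live installation; with no argument it evaluates the constructed 2.2.14 sample. A version number alone does not prove CVE-2009-3555 is closed, because the renegotiation fix also depends on the OpenSSL that mod_ssl is linked against: after the upgrade, connect with `openssl s_client -connect host:443` from an OpenSSL 0.9.8m or later client, which prints "Secure Renegotiation IS supported" when the RFC 5746 extension is negotiated.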

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
