The Apache Foundation, authors of the most popular web server product in existence – Apache HTTP Server – has released the final code update to the OpenSource groups highly respected web daemon. More information, with links,  appears after the page break.

Apache HTTP Server 1.3.42 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 1.3.42 of the Apache HTTP
   Server ("Apache"). This release is intended as the final release of
   version 1.3 of the Apache HTTP Server, which has reached end of life
   status.

   There will be no more full releases of Apache HTTP Server 1.3.
   However, critical security updates may be made available from the
   following website:

http://www.apache.org/dist/httpd/patches/

   Our thanks go to everyone who has helped make Apache HTTP Server 1.3
   the most successful, and most used, webserver software on the planet!

   This Announcement notes the significant changes in
   1.3.42 as compared to 1.3.41.

   This version of Apache is is principally a bug and security fix release.
   The following moderate security flaw has been addressed:

     * CVE-2010-0010 (cve.mitre.org)
       mod_proxy: Prevent chunk-size integer overflow on platforms
       where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.

   Please see the CHANGES_1.3.42 file in this directory for a full list
   of changes for this version.

   Apache 1.3.42 is the final stable release of the Apache 1.3 family. We
   strongly recommend that users of all earlier versions, including 1.3
   family releases, upgrade to to the current 2.2 version as soon as possible.
   For information about how to upgrade, please see the documentation:

http://httpd.apache.org/docs/2.2/upgrading.html

   Apache 1.3.42 is available for download from

http://httpd.apache.org/download.cgi

   This service utilizes the network of mirrors listed at:

http://www.apache.org/mirrors/

   Binary distributions may be available for your specific platform from

http://www.apache.org/dist/httpd/binaries/

   Binaries distributed by the Apache HTTP Server Project are provided as a
   courtesy by individual project contributors. The project makes no
   commitment to release the Apache HTTP Server in binary form for any
   particular platform, nor on any particular schedule.

   IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS
   variants. While the ports to non-Unix platforms (such as Win32, Netware or
   OS2) will function for some applications, Apache 1.3 is not designed for
   these platforms. Apache 2 was designed from the ground up for security,
   stability, or performance issues across all modern operating systems.
   Users of any non-Unix ports are strongly cautioned to move to Apache 2.

   The Apache project no longer distributes non-Unix platform binaries from
   the main download pages for Apache 1.3. If absolutely necessary, a binary
   may be available at http://archive.apache.org/dist/httpd/.

Apache 1.3.42 Major changes

  Security vulnerabilities

   The main security vulnerabilities addressed in 1.3.42 are:

  *) SECURITY: CVE-2010-0010 (cve.mitre.org)
     mod_proxy: Prevent chunk-size integer overflow on platforms
     where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.

  Bugfixes addressed in 1.3.42 are:

  *) Protect logresolve from mismanaged DNS records that return
     blank/null hostnames. 

--
Colm MacC�rthaigh

News, via Wired’s ThreatLevel blogger Kim Zetter, of a Freedom of Information Act request by EPIC [Electronic Privacy Information Center] pursuing information regarding the apparent assistance being rendered by the United States National Security Agency to Google Inc. (NasdaqGS: GOOG). Contrary to many pundits’ viewpoints, we applaud Google’s efforts to work with the NSA in an effort to protect the company’s and our information infrastructure. Specifically in response to the alleged Chinese state-sponsored cyberterrorism activities targeting the search giants internal networks (and in fact, hundreds of other businesses, agencies and institutions have also, suffered intrusions from Chinese based IP addresses] . More information, inclusive of linkage, appears after the jump.

Google is teaming up with the National Security Agency to investigate the recent hack attack against its network in a bid to prevent another assault, according to The Washington Post. The internet search giant is working on an agreement with the controversial agency to determine the attacker’s methods and what Google can do to shore up its network. Sources assured the Post that the deal does not mean the NSA will have access to users’ searches or e-mail communications and accounts. Nor will Google share proprietary data with the agency. But the move is raising concerns among privacy and civil rights advocates. The Electronic Privacy Information Center filed a Freedom of Information Act request on Thursday, shortly after the agreement was made public, seeking more information about the arrangement (.pdf). Executive Director Marc Rotenberg believes the agreement covers much more than the Google hack and that the search giant and intelligence agency were in talks prior to Google discovering that it had been hacked. “What they’ve told you is that this is about an investigation of a hack involving China,” he told Threat Level in a phone interview. “I think and have good reason to believe that there’s a lot more going on.” Google declined to comment…”

Oracle Corporation (NasdaqGS: ORCL) has released a critical security update for the Redwood Shores, CA database giant’s web application product WebLogic. Detailed after the jump, the vulnerabilities addressed pertain to MITRE NVD CVE-2010-0073, and the Oracle Weblogic Server release from version 7 to 11gR1.  Specifics of the exploitable flaw are enumerated as  a vulnerability in the Node Manager component of Oracle WebLogic Server.

Oracle Security Alert for CVE-2010-0073

Description

This Security Alert addresses security issue CVE-2010-0073, a vulnerability in the Node Manager component of Oracle WebLogic Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A knowledgeable and malicious remote user can exploit this vulnerability which can result in impacting the availability, integrity and confidentiality of the targeted system.

Supported and Affected Products

Patch Availability

From the How-To Geek Blog: “Beware! Two More Firefox Malware Extensions Found, with Full-Blown Trojans This Time”

“Last July, we pointed out that the Google Reader Notifier extension had turned into crapware, the NoScript add-on was hijacking another extension, and even the Fast Dial extension was spamming you—so it was only a matter of time before an extension came bundled with a full-blown trojan. Last time, it was as simple as spam links showing up in your browser, and tracking the URLs you were going to—really frustrating and evil, but not necessarily the end of the world, since it wasn’t going to take over your PC. Yesterday, the Mozilla Add-ons blog reported that two extensions contained nasty trojans that hijacked your PC.

“Two experimental add-ons, Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer were found to contain Trojan code aimed at Windows users. Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose Trojan. Both add-ons have been disabled on AMO…”

“If you’ve installed those extensions at any point, you should make sure to run a full virus scan on your PC…”