[olug] [striker at apache.org: [ANNOUNCE] Apache 2.0.48 Released]
Brian Roberson
roberson at olug.org
Wed Oct 29 21:23:31 UTC 2003
----- Forwarded message from Apache HTTP Server Project <striker at apache.org> -----
Delivered-To: roberson at olug.org
Delivered-To: bstc.net-roberson at bstc.net
Delivered-To: bstc.net-brian at bstc.net
X-Spam-Status: No, hits=0.0 required=5.0
Mailing-List: contact announce-help at httpd.apache.org; run by ezmlm
Precedence: bulk
list-help: <mailto:announce-help at httpd.apache.org>
list-unsubscribe: <mailto:announce-unsubscribe at httpd.apache.org>
list-post: <mailto:announce at apache.org>
Delivered-To: mailing list announce at httpd.apache.org
Delivered-To: moderator for announce at httpd.apache.org
From: "Apache HTTP Server Project" <striker at apache.org>
To: <announce at httpd.apache.org>
Subject: [ANNOUNCE] Apache 2.0.48 Released
Date: Wed, 29 Oct 2003 14:50:04 +0100
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N
Apache 2.0.48 Released
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the eleventh public release of the Apache 2.0
HTTP Server. This Announcement notes the significant changes in
2.0.48 as compared to 2.0.47.
This version of Apache is principally a bug fix release. A summary of
the bug fixes is given at the end of this document. Of particular
note is that 2.0.48 addresses two security vulnerabilities:
mod_cgid mishandling of CGI redirect paths could result in CGI output
going to the wrong client when a threaded MPM is used.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789]
A buffer overflow could occur in mod_alias and mod_rewrite when
a regular expression with more than 9 captures is configured.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542]
This release is compatible with modules compiled for 2.0.42 and later
versions. We consider this release to be the best version of Apache
available and encourage users of all prior versions to upgrade.
Apache 2.0.48 is available for download from
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.0 file, linked from the above page, for
a full list of changes.
Apache 2.0 offers numerous enhancements, improvements, and performance
boosts over the 1.3 codebase. For an overview of new features introduced
after 1.3 please see
http://httpd.apache.org/docs-2.0/new_features_2_0.html
When upgrading or installing this version of Apache, please keep
in mind the following:
If you intend to use Apache with one of the threaded MPMs, you must
ensure that the modules (and the libraries they depend on) that you
will be using are thread-safe. Please contact the vendors of these
modules to obtain this information.
Apache 2.0.48 Major changes
Security vulnerabilities closed since Apache 2.0.47
*) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
the AF_UNIX socket used to communicate with the cgid daemon and
the CGI script. [Jeff Trawick]
*) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and
mod_rewrite which occurred if one configured a regular expression
with more than 9 captures. [André Malo]
Bugs fixed and features added since Apache 2.0.47
*) mod_include: fix segfault which occured if the filename was not
set, for example, when processing some error conditions.
PR 23836. [Brian Akins <bakins at web.turner.com>, André Malo]
*) fix the config parser to support <Foo>..</Foo> containers (no
arguments in the opening tag) supported by httpd 1.3. Without
this change mod_perl 2.0's <Perl> sections are broken.
["Philippe M. Chiasson" <gozer at cpan.org>]
*) mod_cgid: fix a hash table corruption problem which could
result in the wrong script being cleaned up at the end of a
request. [Jeff Trawick]
*) Update httpd-*.conf to be clearer in describing the connection
between AddType and AddEncoding for defining the meaning of
compressed file extensions. [Roy Fielding]
*) mod_rewrite: Don't die silently when failing to open RewriteLogs.
PR 23416. [André Malo]
*) mod_rewrite: Fix mod_rewrite's support of the [P] option to send
rewritten request using "proxy:". The code was adding multiple "proxy:"
fields in the rewritten URI. PR: 13946.
[Eider Oliveira <eider at bol.com.br>]
*) cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and
expires as directed in RFC 2616. [Thomas Castelle tcastelle at generali.fr]
*) Ensure that ssl-std.conf is generated at configure time, and switch
to using the expanded config variables to work the same as
httpd-std.conf PR: 19611
[Thom May]
*) mod_ssl: Fix segfaults after renegotiation failure. PR 21370
[Hartmut Keil <Hartmut.Keil at adnovum.ch>]
*) mod_autoindex: If a directory contains a file listed in the
DirectoryIndex directive, the folder icon is no longer replaced
by the icon of that file. PR 9587.
[David Shane Holden <dpejesh at yahoo.com>]
*) Fixed mod_usertrack to not get false positive matches on the
user-tracking cookie's name. PR 16661.
[Manni Wood <manniwood at planet-save.com>]
*) mod_cache: Fix the cache code so that responses can be cached
if they have an Expires header but no Etag or Last-Modified
headers. PR 23130.
[bjorn at exoweb.net]
*) mod_log_config: Fix %b log format to write really "-" when 0 bytes
were sent (e.g. with 304 or 204 response codes). [Astrid Keßler]
*) Modify ap_get_client_block() to note if it has seen EOS.
[Justin Erenkrantz]
*) Fix a bug, where mod_deflate sometimes unconditionally compressed the
content if the Accept-Encoding header contained only other tokens than
"gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo]
*) Avoid an infinite recursion, which occured if the name of an included
config file or directory contained a wildcard character. PR 22194.
[André Malo]
*) mod_ssl: Fix a problem setting variables that represent the
client certificate chain. PR 21371 [Jeff Trawick]
*) Unix: Handle permissions settings for flock-based mutexes in
unixd_set_global|proc_mutex_perms(). Allow the functions to be
called for any type of mutex. PR 20312 [Jeff Trawick]
*) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]
*) Fix a misleading message from the some of the threaded MPMs when
MaxClients has to be lowered due to the setting of ServerLimit.
[Jeff Trawick]
*) Lower the severity of the "listener thread didn't exit" message
to debug, as it is of interest only to developers. PR 9011
[Jeff Trawick]
*) MPMs: The bucket brigades subsystem now honors the MaxMemFree setting.
[Cliff Woolley, Jean-Jacques Clar]
*) Install config.nice into the build/ directory to make
minor version upgrades easier. [Joshua Slive]
*) Fix mod_deflate so that it does not call deflate() without checking
first whether it has something to deflate. (Currently this causes
deflate to generate a fatal error according to the zlib spec.)
PR 22259. [Stas Bekman]
*) mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an
identity spoof is encountered.
[Sander Striker]
*) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory
containing the .htaccess file is requested without a trailing slash.
PR 20195. [André Malo]
*) ab: Overlong credentials given via command line no longer clobber
the buffer. [André Malo]
*) mod_deflate: Don't attempt to hold all of the response until we're
done. [Justin Erenkrantz]
*) Assure that we block properly when reading input bodies with SSL.
PR 19242. [David Deaves <David.Deaves at dd.id.au>, William Rowe]
*) Update mime.types to include latest IANA and W3C types. [Roy Fielding]
*) mod_ext_filter: Set additional environment variables for use by
the external filter. PR 20944. [Andrew Ho, Jeff Trawick]
*) Fix buildconf errors when libtool version changes. [Jeff Trawick]
*) Remember an authenticated user during internal redirects if the
redirection target is not access protected and pass it
to scripts using the REDIRECT_REMOTE_USER environment variable.
PR 10678, 11602. [André Malo]
*) mod_include: Fix a trio of bugs that would cause various unusual
sequences of parsed bytes to omit portions of the output stream.
PR 21095. [Ron Park <ronald.park at cnet.com>, André Malo, Cliff Woolley]
*) Update the header token parsing code to allow LWS between the
token word and the ':' seperator. [PR 16520]
[Kris Verbeeck <kris.verbeeck at advalvas.be>, Nicel KM <mnicel at yahoo.com>]
*) Eliminate creation of a temporary table in ap_get_mime_headers_core()
[Joe Schaefer <joe+gmane at sunstarsys.com>]
*) Added FreeBSD directory layout. PR 21100.
[Sander Holthaus <info at orangexl.com>, André Malo]
*) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP
response. PR 21085. [Glenn Nielsen <glenn at apache.org>, André Malo]
*) mod_rewrite: Perform child initialization on the rewrite log lock.
This fixes a log corruption issue when flock-based serialization
is used (e.g., FreeBSD). [Jeff Trawick]
*) Don't respect the Server header field as set by modules and CGIs.
As with 1.3, for proxy requests any such field is from the origin
server; otherwise it will have our server info as controlled by
the ServerTokens directive. [Jeff Trawick]
---------------------------------------------------------------------
To unsubscribe, e-mail: announce-unsubscribe at httpd.apache.org
For additional commands, e-mail: announce-help at httpd.apache.org
----- End forwarded message -----
More information about the OLUG
mailing list