In this issue

Apache httpd 2.0.49 was released on 19th March 2004 and is now the latest version of the httpd 2.0 server. The previous version was 2.0.48, released on the 29th October 2003. See what was new in Apache httpd 2.0.48. Apache httpd 2.0.49 is available for download.

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions of 2.0 prior to Apache httpd 2.0.49 should upgrade to Apache httpd 2.0.49. Read more about the other security issues that affect 2.0.
Security issues
- A remotely triggered memory leak in mod_ssl can allow a denial of service attack due to excessive memory consumption. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0113 to this issue.
- When using multiple listening sockets, a denial of service attack is possible on some platforms due to a race condition in the handling of short-lived connections. This issue is known to affect some versions of AIX, Solaris, and Tru64; it is known to not affect FreeBSD or Linux. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0174 to this issue.
- Arbitrary client-supplied strings can be written to the error log which can lead to exploits of certain terminal emulators. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0020 to this issue.
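The third issue above (CAN-2003-0020) is a log-injection problem: a client controls bytes that end up in the error log, and a terminal emulator displaying that log may interpret embedded control sequences. The defensive fix is to escape non-printable bytes before they reach the log. The following is an added example written for this newsletter, not httpd's own code; the function names escape_logitem and is_log_safe and the sample request line are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not httpd's own code): escape a client-supplied string
 * before it is written to a log file, so that terminal control sequences
 * embedded in e.g. a request line or User-Agent header are rendered as
 * visible text when an administrator views the log with cat or tail.
 *
 * Bytes outside printable ASCII are rewritten as \xNN; a backslash is
 * doubled so the escaped form stays unambiguous. The caller owns the
 * returned buffer. */
char *escape_logitem(const char *src)
{
    static const char hex[] = "0123456789abcdef";
    size_t len = strlen(src);
    /* worst case: every input byte expands to four output characters */
    char *out = malloc(len * 4 + 1);
    char *p = out;
    const unsigned char *s = (const unsigned char *)src;

    if (out == NULL)
        return NULL;

    for (; *s != '\0'; s++) {
        unsigned char c = *s;
        if (c == '\\') {
            *p++ = '\\';
            *p++ = '\\';
        } else if (c < 0x20 || c >= 0x7f) {
            /* covers ESC (0x1b), CR, LF, DEL and all 8-bit bytes */
            *p++ = '\\';
            *p++ = 'x';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0f];
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* Returns 1 if the string contains only printable ASCII, i.e. nothing a
 * terminal could interpret as a control sequence; 0 otherwise. */
int is_log_safe(const char *s)
{
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c >= 0x7f)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: a request line carrying an ESC byte and a CR,
     * the kind of content a client can place in a request. */
    const char *raw = "GET /index.html\x1b[2J\r HTTP/1.0";
    char *safe = escape_logitem(raw);

    printf("raw is log safe:     %d\n", is_log_safe(raw));
    printf("escaped:             %s\n", safe);
    printf("escaped is log safe: %d\n", is_log_safe(safe));
    free(safe);
    return 0;
}
```

The check in is_log_safe is what a log-auditing script or a unit test for a logging function would assert on; escape_logitem is the transformation applied at write time. Escaping is preferable to stripping because the escaped form preserves evidence of what the client actually sent.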
New features
The following new features have been added in httpd 2.0.49:

- mod_include: new, more robust filter parser
- mod_rewrite: now handles lookup keys containing newlines; the REMOTE_PORT variable is now available too
- mod_autoindex: new "XHTML" IndexOption to enable XHTML-compliant output (BZ#23747)
- Polish translation of error documents is now included
- a new mode AP_MPMQ_MPM_STATE for the ap_mpm_query function, to allow modules to query the MPM state
- mod_status: a hook has been added to allow modules to add content to the server-status report; a new scoreboard state L is now reported when a process is running a logging hook
- add a "fatal exception" hook for use in diagnostic modules
- the source code is now licensed under the Apache License, Version 2.0
Bugs fixed
The following bugs were found in httpd 2.0.48 and have been fixed in httpd 2.0.49:

- fixes for problems with handling of piped logging processes at restart and shutdown time (BZ#21648, BZ#24805)
- mod_usertrack: fix case where CookieName was not set; don't check the Cookie2 header; don't overwrite cookies from other sources (BZ#24483, BZ#11475, BZ#26002)
- mod_include: fix handling of empty variables; don't send an ETag header on 304 response; check when INCLUDES are configured twice (BZ#24734, BZ#19355)
- mod_ssl fixes for: cleanly closing SSL connections; bug in passphrase handling causing spurious failures; handling of nph- CGI scripts; variable lookup issues; log human-readable error strings (BZ#27428, BZ#21160, BZ#15057, BZ#21944, BZ#23956, BZ#22741)
- mod_cgid: fix storage corruption bug; restart the daemon on crashes (BZ#19849)
- mod_dav: reject requests with unescaped fragment in Request-URI; use bucket brigades for reading input bodies; handle authentication on destination of MOVE and COPY methods; fix issue with namespace mappings in property values (BZ#21779, BZ#22104, BZ#15571, BZ#11637)
- mod_proxy fixes for: use of ProxyErrorOverride and non-2xx responses; sending invalid status-lines; memory leak in reverse proxy (BZ#23998, BZ#24991)
- mod_autoindex: handle filenames containing escape characters correctly (BZ#23747)
- mod_expires: include Expires headers in error responses; fix 500 error if ExpiresDefault is not used; support wildcard as minor-type in ExpiresByType (BZ#19794, BZ#24884, BZ#25123, BZ#23748, BZ#24459, BZ#7991)
- mod_log_config: fix log corruption in threaded MPMs when buffering is enabled; log minutes component of timezone correctly (BZ#25520, BZ#23642)
- mod_mem_cache: fix potential segfaults and various other bugs (BZ#18756)
- MPM-specific fixes: fix for potential parent process crashes in worker; fix for slow graceful restarts in prefork; implement the MaxMemFree and add new Win32DisableAcceptEx for the Win32 MPM
This issue brought to you by: Joe Orton