Apache httpd 2.0.51 was released on 15th September 2004
and is now the latest version of the httpd 2.0 server. The
previous version was 2.0.50, released on 1st
July 2004. See what was
new in Apache httpd 2.0.50.
Apache httpd 2.0.51 is
available for download.
IMPORTANT NOTE: A serious security issue has been
discovered in the 2.0.51 release, which is fixed by applying CAN-2004-0811.patch;
this issue does not affect 2.0.50 and earlier releases. See the
Under Development section for more
details.
This is a security, bug fix and minor upgrade release. Due to
security issues, any sites using versions of 2.0 prior to Apache
httpd 2.0.51 should consider upgrading to Apache httpd 2.0.51. Read more about the other security issues
that affect 2.0.
The following new features have been added in httpd
2.0.51:
- mod_headers: Add support to the
Header directive for setting headers on
error responses, using an "always" or "onsuccess" flag (BZ#28657)
- mod_rewrite: Add support for %{SSL:...}
and %{HTTPS} variable lookups directly from
mod_ssl (BZ#30464)
- mod_ssl: Add support for the
SSLUserName directive (BZ#20957)
- FreeBSD-specific: use the httpready accept
filter
- Add new
AuthDigestEnableQueryStringHack
directive to work around the MSIE Digest authentication bug
(BZ#27758)
- mod_dir: add new
DirectorySlash directive to configure
behaviour on requests lacking trailing slash
- The ErrorDocument directive is
enhanced to allow resetting to the internally-generated error
pages
- Use of Satisfy is now controlled by
<Limit> containers (BZ#14726) (see below)
The following bugs have been fixed in httpd 2.0.51:
- mod_rewrite: fix memory leak in cache
handling, support RewriteRule in
<Proxy> containers, fix handling
of rewrite maps with the same name in different vhosts
(BZ: #27852, #27985, #26462)
- mod_proxy: Fix reverse proxy to an FTP
server (BZ#24922)
- mod_userdir: ensure that the userdir
identity is used for suexec access within a vhost which has
suexec configured. (BZ#18156)
- Fix Include directive to handle
symlinks and prevent infinite recursion (BZ#28492)
- mod_dir: fix generation of directory
listings which include proxied resources (BZ: #14648, #15112)
- Win32-specific: fix piped logger handling at shutdown, fix
pool corruption at startup
- Unix-specific: fixes for apachectl and build issues
(BZ: #30723, #27882)
- LDAP modules: improved locking to fix race conditions,
better cache status output
- Many improvements to the caching modules
mod_cache, mod_disk_cache
and mod_mem_cache; enabled use of
sendfile and binary on-disk header files
A serious regression in the 2.0.51 release was discovered a
couple of days after the announcement went out. One of the
new features included in this release is that a
<Limit> container can now be used
to limit the effect of a Satisfy
directive to specific methods. Unfortunately, a bug in the
implementation meant that merging of
Satisfy directives did not work
correctly. The result was that if "Satisfy
Any" was used, for example, in directory
/foo/bar/, it could also take effect in the higher
context, /foo/. If directory /foo/ also had
access control configured, this could then be bypassed.
The patch developed to fix the Satisfy
merging issue (CAN-2004-0811.patch)
has been committed for the next release. Bill Rowe announced
his intention to begin the 2.0.52 release process this week,
which looks set to also include a few other minor fixes.
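Administrators who deployed 2.0.51 before applying the patch can search their configuration for the layout described above. The following is an added example, not part of the release notes or the httpd project: a heuristic Python check that lists <Directory> sections with access control that have a nested section using "Satisfy Any". The sample configuration, paths and function names are constructed for illustration, and the check reads only <Directory> blocks in a single text (no .htaccess, <Location> or Include handling).

```python
import re
from pathlib import PurePosixPath

# Constructed, trimmed sample configuration (not from the release notes).
SAMPLE_CONF = """\
<Directory /var/www/foo>
    AuthType Basic
    Require valid-user
</Directory>
<Directory /var/www/foo/bar>
    Order allow,deny
    Allow from 192.0.2.0/24
    Satisfy Any
</Directory>
<Directory /var/www/pub>
    Satisfy Any
</Directory>
"""

ACCESS_DIRECTIVES = {"require", "allow", "deny", "authtype"}  # assumed markers of access control

def parse_directories(conf):
    """Map each <Directory> path to its directive names; 'Satisfy Any' is kept as one marker."""
    sections, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            current = sections.setdefault(opened.group(1).strip().rstrip("/") or "/", set())
        elif re.match(r"</Directory\s*>", line, re.I):
            current = None
        elif current is not None and line and not line.startswith("#"):
            words = line.lower().split()
            current.add("satisfy any" if words[:2] == ["satisfy", "any"] else words[0])
    return sections

def exposed_parents(conf):
    """Return (parent, child) pairs: child uses Satisfy Any, parent restricts access."""
    secs = parse_directories(conf)
    return sorted(
        (parent, child)
        for child, cdirs in secs.items() if "satisfy any" in cdirs
        for parent, pdirs in secs.items()
        if PurePosixPath(parent) in PurePosixPath(child).parents
        and pdirs & ACCESS_DIRECTIVES and "satisfy any" not in pdirs
    )

if __name__ == "__main__":
    print(exposed_parents(SAMPLE_CONF))
```

Each reported parent is a directory whose access control should be re-tested on an unpatched 2.0.51 server; an empty list does not prove the configuration is unaffected.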
A new 1.3 release is also pending; unreleased changes in the
1.3 tree include the fix for a security issue in mod_proxy (as
covered previously), and the fix for a bug in HTTP
request body handling (BZ#29577) introduced in 1.3.31
which caused particular problems for many
mod_dav users.