Apache Week
   
   Issue 348, 23rd September 2004:  

Copyright 1996-2005
Red Hat, Inc.

In this issue


Apache httpd 2.0.51 Released

Apache httpd 2.0.51 was released on 15th September 2004 and is now the latest version of the httpd 2.0 server. The previous version was 2.0.50, released on the 1st July 2004. See what was new in Apache httpd 2.0.50.

Apache httpd 2.0.51 is available for download.

IMPORTANT NOTE: A serious security issue has been discovered in the 2.0.51 release, which is fixed by applying CAN-2004-0811.patch; this issue does not affect 2.0.50 and earlier releases. See the Under Development section for more details.

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions of 2.0 prior to Apache httpd 2.0.51 should consider upgrading to Apache httpd 2.0.51. Read more about the other security issues that affect 2.0.

Security issues

  • Fix an input validation issue in the apr-util library which could be triggered by malformed IPv6 literal addresses. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0786 to this issue.
  • Fix buffer overflow in expansion of environment variables in configuration file parsing. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0747 to this issue.
  • Fix a segfault in mod_dav_fs in the handling of indirect lock refresh. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0809 to this issue.
  • Fix a segfault in the mod_ssl input filter which could be triggered if using "speculative" mode, for instance by a proxy request to an SSL server. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0751 to this issue.
  • Fix a potential infinite loop in mod_ssl on a connection abort. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0748 to this issue.

New features

The following new features have been added in httpd 2.0.51:

  • mod_headers: Add support to the Header directive for setting headers on error responses, using an "always" or "onsuccess" flag (BZ#28657)
  • mod_rewrite: Add support for %{SSL:...} and %{HTTPS} variable lookups directly from mod_ssl (BZ#30464)
  • mod_ssl: Add support for the SSLUserName directive (BZ#20957)
  • FreeBSD-specific: use the httpready accept filter
  • Add new AuthDigestEnableQueryStringHack directive to work around the MSIE Digest authentication bug (BZ#27758)
  • mod_dir: add new DirectorySlash directive to configure behaviour on requests lacking trailing slash
  • The ErrorDocument directive is enhanced to allow resetting to the internally-generated error pages
  • Use of Satisfy is now controlled by <Limit> containers (BZ#14726) (see below)

Bugs fixed

The following bugs have been fixed in httpd 2.0.51:

  • mod_rewrite: fix memory leak in cache handling, support RewriteRule in <Proxy> containers, fix handling of rewrite maps with the same name in different vhosts (BZ: #27852, #27985, #26462)
  • mod_proxy: Fix reverse proxy to an FTP server (BZ#24922)
  • mod_userdir: ensure that the userdir identity is used for suexec access within a vhost which has suexec configured. (BZ#18156)
  • Fix Include directive to handle symlinks and prevent infinite recursion (BZ#28492)
  • mod_dir: fix generation of directory listings which include proxied resources (BZ: #14648, #15112)
  • Win32-specific: fix piped logger handling at shutdown, fix pool corruption at startup
  • Unix-specific: fixes for apachectl and build issues (BZ: #30723, #27882)
  • LDAP modules: improved locking to fix race conditions, better cache status output
  • Many improvements to the caching modules mod_cache, mod_disk_cache and mod_mem_cache; enabled use of sendfile and binary on-disk header files

Under development

A serious regression in the 2.0.51 release was discovered a couple of days after the announcement went out. One of the new features included in this release is that a <Limit> container can now be used to limit the effect of a Satisfy directive to specific methods. Unfortunately, a bug in the implementation meant that merging of Satisfy directives did not work correctly. The result was that if "Satisfy Any" was used, for example, in directory /foo/bar/, it could also take effect in the higher context, /foo/. If directory /foo/ also had access control configured, this could then be bypassed.

The patch developed to fix the Satisfy merging issue (CAN-2004-0811.patch) has been committed for the next release. Bill Rowe announced his intention to begin the 2.0.52 release process this week, which looks set to also include a few other minor fixes.

A new 1.3 release is also pending; unreleased changes in the 1.3 tree include the fix for a security issue in mod_proxy (as covered previously), and the fix for a bug in HTTP request body handling (BZ#29577) introduced in 1.3.31 which caused particular problems for many mod_dav users.


This issue brought to you by: Joe Orton
Comments or criticisms? Please email us at editors@apacheweek.com