Thread View: gmane.comp.apache.apacheweek
Started by Apache Week
Fri, 26 Mar 2004 17:48
Apache Week issue 344
APACHE WEEK

The essential weekly guide for users of the world's most popular Web server.

Issue 344: 26th March 2004

In this issue

   * Apache httpd 2.0.49 Released

Apache httpd 2.0.49 Released

   Apache httpd 2.0.49 was released on 19th March 2004 and is now the
   latest version of the httpd 2.0 server. The previous version was
   2.0.48, released on the 29th October 2003. [1]See what was new in
   Apache httpd 2.0.48.

   [2]Apache httpd 2.0.49 is available for download.

   This is a security, bug fix and minor upgrade release. Due to
   security issues, any sites using versions of 2.0 prior to Apache
   httpd 2.0.49 should upgrade to Apache httpd 2.0.49. [3]Read more
   about the other security issues that affect 2.0.

Security issues

   * A remotely triggered memory leak in mod_ssl can allow a denial of
     service attack due to excessive memory consumption. The Common
     Vulnerabilities and Exposures project has assigned the name
     [4]CAN-2004-0113 to this issue.
   * When using multiple listening sockets, a denial of service attack
     is possible on some platforms due to a race condition in the
     handling of short-lived connections. This issue is known to affect
     some versions of AIX, Solaris, and Tru64; it is known to not
     affect FreeBSD or Linux. The Common Vulnerabilities and Exposures
     project has assigned the name [5]CAN-2004-0174 to this issue.
   * Arbitrary client-supplied strings can be written to the error log
     which can lead to exploits of certain terminal emulators. The
     Common Vulnerabilities and Exposures project has assigned the name
     [6]CAN-2003-0020 to this issue.

New features

   The following new features have been added in httpd 2.0.49:

   * mod_include: new, more robust filter parser
   * mod_rewrite: now handles lookup keys containing newlines; the
     REMOTE_PORT variable is now available too
   * mod_autoindex: new "XHTML" IndexOption to enable XHTML-compliant
     output ([7]BZ#23747)
   * Polish translations of error documents are now included
   * a new mode AP_MPMQ_MPM_STATE for the ap_mpm_query function, to
     allow modules to query the MPM state
   * mod_status: a hook has been added to allow modules to add content
     to the server-status report; a new scoreboard state L is now
     reported when a process is running a logging hook
   * add a "fatal exception" hook for use in diagnostic modules
   * the source code is now licensed under the [8]Apache License,
     Version 2.0

Bugs fixed

   The following bugs were found in httpd 2.0.48 and have been fixed in
   httpd 2.0.49:

   * fixes for problems with handling of piped logging processes at
     restart and shutdown time ([9]BZ#21648, [10]BZ#24805)
   * mod_usertrack: fix case where CookieName was not set; don't check
     the Cookie2 header; don't overwrite cookies from other sources
     ([11]BZ#24483, [12]BZ#11475, [13]BZ#26002)
   * mod_include: fix handling of empty variables; don't send an ETag
     header on 304 response; check when INCLUDES are configured twice
     ([14]BZ#24734, [15]BZ#19355)
   * mod_ssl fixes for: cleanly closing SSL connections; bug in
     passphrase handling causing spurious failures; handling of nph-
     CGI scripts; variable lookup issues; log human-readable error
     strings ([16]BZ#27428, [17]BZ#21160, [18]BZ#15057, [19]BZ#21944,
     [20]BZ#23956, [21]BZ#22741)
   * mod_cgid: fix storage corruption bug; restart the daemon on
     crashes ([22]BZ#19849)
   * mod_dav: reject requests with unescaped fragment in Request-URI;
     use bucket brigades for reading input bodies; handle
     authentication on destination of MOVE and COPY methods; fix issue
     with namespace mappings in property values ([23]BZ#21779,
     [24]BZ#22104, [25]BZ#15571, [26]BZ#11637)
   * mod_proxy fixes for: use of ProxyErrorOverride and non-2xx
     responses; sending invalid status-lines; memory leak in reverse
     proxy ([27]BZ#23998, [28]BZ#24991)
   * mod_autoindex: handle filenames containing escape characters
     correctly ([29]BZ#23747)
   * mod_expires: include Expires headers in error responses; fix 500
     error if ExpiresDefault is not used; support wildcard as
     minor-type in ExpiresByType ([30]BZ#19794, [31]BZ#24884,
     [32]BZ#24884, [33]BZ#25123, [34]BZ#23748, [35]BZ#24459,
     [36]BZ#7991)
   * mod_log_config: fix log corruption in threaded MPMs when buffering
     is enabled; log minutes component of timezone correctly
     ([37]BZ#25520, [38]BZ#23642)
   * mod_mem_cache: fix potential segfaults and various other bugs
     ([39]BZ#18756)
   * MPM-specific fixes: fix for potential parent process crashes in
     worker; fix for slow graceful restarts in prefork; implement the
     MaxMemFree and add new Win32DisableAcceptEx for the Win32 MPM

______________________________________________________________

This issue brought to you by: Joe Orton

Comments or criticisms? Please email us at [40]editors@apacheweek.com.

[41]Apache Week is Copyright 2004 [42]Red Hat, Inc.

References

   1. http://www.apacheweek.com/issues/03-11-07#apache2048
   2. http://httpd.apache.org/download.cgi
   3. http://www.apacheweek.com/features/security-20
   4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0113
   5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174
   6. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
   7. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23747
   8. http://www.apache.org/licenses
   9. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21648
  10. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24805
  11. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24483
  12. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11475
  13. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26002
  14. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24734
  15. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19355
  16. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27428
  17. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21160
  18. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15057
  19. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21944
  20. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23956
  21. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22741
  22. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19849
  23. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21779
  24. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22104
  25. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15571
  26. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11637
  27. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23998
  28. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24991
  29. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23747
  30. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19794
  31. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24884
  32. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24884
  33. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25123
  34. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23748
  35. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24459
  36. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7991
  37. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25520
  38. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23642
  39. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18756
  40. mailto:editors@apacheweek.com
  41. http://www.apacheweek.com/
  42. http://www.redhat.com/

----------------------------------------------------------------------
To unsubscribe visit https://www.redhat.com/mailman/listinfo/apacheweek
or send the message "unsubscribe" to apacheweek-request@redhat.com
----------------------------------------------------------------------
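
For the error-log issue above (CAN-2003-0020), a log written by an unpatched server can be screened before anyone views it in a terminal. This is an added example, not part of the newsletter or of Apache httpd's code; the function names and the sample log lines are constructed for illustration.

```python
import sys

def is_control(cp: int) -> bool:
    """C0 controls except TAB, DEL, and C1 controls (U+009B is 8-bit CSI)."""
    return (cp < 0x20 and cp != 0x09) or 0x7F <= cp <= 0x9F

def decode(raw: bytes) -> str:
    """Valid UTF-8 decodes normally; anything else maps byte-for-byte."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")

def render_safe(text: str) -> str:
    """Backslash-escape control code points so a terminal prints them inertly."""
    out = []
    for ch in text:
        if ch == "\\":
            out.append("\\\\")  # keep the escaping unambiguous
        elif is_control(ord(ch)):
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def scan_log(data: bytes):
    """Return (line_number, safe_text, [control code points]) per non-empty line."""
    results = []
    for n, raw in enumerate(data.split(b"\n"), start=1):
        if not raw:
            continue
        text = decode(raw)
        hits = [ord(ch) for ch in text if is_control(ord(ch))]
        results.append((n, render_safe(text), hits))
    return results

# Constructed sample: lines 2 and 4 carry terminal control bytes in the request path.
SAMPLE = (
    b"[Fri Mar 26 17:48:00 2004] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico\n"
    b"[Fri Mar 26 17:48:05 2004] [error] [client 192.0.2.20] File does not exist: /var/www/html/\x1b[31mred\x1b[0m\n"
    b"[Fri Mar 26 17:48:09 2004] [error] [client 192.0.2.30] File does not exist: /var/www/html/caf\xc3\xa9.html\n"
    b"[Fri Mar 26 17:48:12 2004] [error] [client 192.0.2.40] File does not exist: /var/www/html/\x9b31mx\n"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for n, safe, hits in scan_log(data):
        print(f"{'!!' if hits else '  '} {n}: {safe}")
```

Run with a log file path as the only argument to screen a real file; flagged lines are prefixed with `!!` and every control byte is shown as a `\xNN` escape.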