« [Miscs] Apache iBATIS (T.L.P.) Website | Main | 15 October 2005 - [Miscs] Apache Struts - Get a better handle on Struts actions, with Spring »

October 14, 2005

14 October 2005 - Apache HTTP Server 2.0.55 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.0.55 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 2.0.55 as compared to 2.0.54. This Announcement2.0 document may also be available in multiple languages at:

http://www.apache.org/dist/httpd/

This version of Apache is principally a security release. The following potential security flaws are addressed, the first three of which address several classes of HTTP Request and Response Splitting/Spoofing attacks;

CAN-2005-2088 (cve.mitre.org)
core: If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length.
proxy_http: Correctly handle the Transfer-Encoding and Content-Length request headers. Discard the request Content-Length whenever chunked T-E is used, always passing one of either C-L or T-E chunked whenever the request includes a request body.
Unassigned
proxy_http: If a response contains both Transfer-Encoding and a Content-Length, remove the Content-Length and don't reuse the connection.
CAN-2005-2700 (cve.mitre.org)
mod_ssl: Fix a security issue where "SSLVerifyClient" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the vhost configuration.
CAN-2005-2491 (cve.mitre.org)
pcre: Fix integer overflows in PCRE in quantifier parsing which could be triggered by a local user through use of a carefully crafted regex in an .htaccess file.
CAN-2005-2728 (cve.mitre.org)
Fix cases where the byterange filter would buffer responses into memory.
CAN-2005-1268 (cve.mitre.org)
mod_ssl: Fix off-by-one overflow whilst printing CRL information at "LogLevel debug" which could be triggered if configured to use a "malicious" CRL.

The Apache HTTP Project thanks all of the reporters of these issues and vulnerabilities for the responsible reporting and thorough analysis of these vulnerabilities.

This release further addresses a number of cross-platform bugs, as well as specific issues on OS/X 10.4, Win32, AIX, and across all EBCDIC platforms, and adds compatibility with OpenSSL 0.9.8.

This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.

This release includes the Apache Portable Runtime library suite release version 0.9.7, bundled with the tar and zip distributions. These libraries; libapr, libaprutil, and on Win32, libapriconv must all be updated to ensure binary compatibility and address many known platform bugs.

Apache 2.0.55 is available for download from


http://httpd.apache.org/download.cgi

Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes.

Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see


http://httpd.apache.org/docs/2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep in mind the following: If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please refer to the documentation of these modules and libraries to obtain this information.

----

-- The Apache HTTP Server Project

----

Project Info -- Apache HTTP Server

DOAP File

The Apache HTTP Server is an open-source HTTP server for modern operating systems including UNIX, MS-Windows, Macintosh and Netware. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. Apache has been the most popular web server on the Internet since April of 1996.

Releases can be downloaded from http://httpd.apache.org/download.cgi

Project Websitehttp://httpd.apache.org/
Programming LanguagesC
Categoriesnetwork-server, http, httpd-module
Mailing Listshttp://httpd.apache.org/lists.html
Bug/Issue Trackerhttp://httpd.apache.org/bug_report.html
Project Management CommitteeApache HTTP Server

Access to the source code:

Browsehttp://svn.apache.org/viewcvs.cgi/httpd/httpd/
SVN Directhttp://svn.apache.org/repos/asf/httpd/httpd/
Posted by Tetsuya Kitahata at October 14, 2005 07:21 PM
http://www.apachenews.org/archives/000764.html
[ Category : Apache HTTP ] (PDF)(XML)