Apache Week
   

Copyright 1996-2005
Red Hat, Inc.

First published: 21st June 2002

Apache 1.3.26 Released

Apache 1.3.26 was released on 18th June 2002 and is now the latest version of the Apache 1.3 server. The previous release was 1.3.24, released on the 22nd March 2002. See what was new in Apache 1.3.24. Apache 1.3.25 was never released.

Apache 1.3.26 is available in source form for compiling on Unix or Windows, for download from the main Apache site or from any mirror download site.

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions prior to Apache 1.3.26 should upgrade to Apache 1.3.26. Read more about the other security issues that affect Apache 1.3.

Security issues

  • Fix the chunked encoding security vulnerability. (CAN-2002-0392)

New features

The main new features in 1.3.26 (compared to 1.3.24) are:

  • Add text/xml, application/xhtml+xml, audio/mpeg, and video/quicktime mime types to the mime types magic file. PR#7730
  • Added a -F flag which causes the supervisor process to no longer fork down and detach and instead stay attached to the tty. This allows integration with daemontools. PR#7628

Bugs fixed

The following bugs were found in Apache 1.3.24 and have been fixed in Apache 1.3.26:

  • Allow child processes sufficient time for cleanups but making ap_select in reclaim_child_processes more "resistant" to signal interrupts. BZ#8176
  • In Darwin, place dynamically loaded Apache extensions' public symbols into the global symbol table. This allows dynamically loaded PHP extensions.
  • Fix for a problem in mod_rewrite which would lead to 400 Bad Request responses for rewriting rules which resulted in a local path. Note: This will also reject invalid requests as issued by Netscape-4.x Roaming Profiles (on a DAV-enabled server)
  • Recognize platform-specific root directories (other than leading slash) in mod_rewrite for filename rewrite rules. BZ#7492
  • Disallow anything but whitespace on the request line after the HTTP/x.y protocol string to prevent arbitrary user input from ending up in the access_log and error_log. Also control characters are now escaped.
  • A large number of fixes in mod_proxy including: adding support for dechunking chunked responses, correcting a timeout problem which would force long or slow POST requests to close after 300 seconds PR#7552, adding "X-Forwarded" headers, dealing correctly with the multiple-cookie header bug, ability to handle unexpected 100-continue responses sent during PUT or POST commands, and a change to tighten up the Server header overwrite bug-fix.

This feature brought to you by: Mark J Cox
Comments or criticisms? Please email us at editors@apacheweek.com