Apache Week
   

Copyright 1996-2005
Red Hat, Inc.

First published: 11th August 2002

Apache 2.0.40 Released

Apache 2.0.40 was released on 9th August 2002 and is now the latest version of the Apache server. This is the fourth stable release of Apache 2.0, following up on 2.0.39 which was released on 18th June 2002. Read our special feature for more information about the history of Apache 2.0.

Apache 2.0.40 is available in source form for compiling on Unix or Windows, for download from the main Apache site or from any mirror download site.

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions of Apache 2 on Unix prior to Apache 2.0.39 should upgrade to Apache 2.0.40. Sites using any versions of Apache 2 on other platforms should upgrade to 2.0.40.

Security issues

  • Certain URIs will bypass security and allow users to invoke or access any file depending on the system configuration. (CAN-2002-0661)

  • A path-revealing exposure is present in multiview type map negotiation (such as the default error documents) where a module would report the full path of the typemapped .var file when multiple documents or no documents could be served. (CAN-2002-0654)

  • A path-revealing exposure in cgi/cgid when Apache fails to invoke a script. The modules would report "couldn't create child process /path-to-script/script.pl" revealing the full path of the script. (CAN-2002-0654)

New features

The new features in this release (added since 2.0.39) are:

  • mod_rewrite can now set cookies using the CO extension
  • Performance improvements for the code that reads request headers
  • Proxy FTP now works over IPv6
  • Changes to the internationalized error documents; they are no longer included by default in the sample configuration file.
  • Add a new directive, MaxMemFree. MaxMemFree makes it possible to configure the maximum amount of memory a particular childs allocator will hold on to for reuse. This directive is useful when uncommon large peaks occur in memory usage.
  • Support the -w flag on to keep the Win32 console open on error
  • Add the ability to enable or disable a filter via an environment variable.
  • Apache on Netware will now pull requests off of the listen queue as fast as winsock will allow without latency introduced by the accept mutex
  • During installation Apache will preserve existing installation directories. Binaries, the build directory, the headers, and the man pages are all copied. Everything else, the config, htdocs, manual, error, icons, and cgi directories are not installed if the directories already exist

Bug Fixes

The bugs fixed in this release include:

  • Fix a long-standing bug in 2.0, CGI scripts were being called with relative paths instead of absolute paths. Apache 1.3 used absolute paths for everything except for SuExec, this brings back that standard
  • Restore the ability to specify host names on Listen directives. BZ#11030
  • Accept multiple leading /'s for requests within the DocumentRoot. BZ#10946
  • Fixed a mod_include error case in which no HTTP response was sent to the client if an shtml document contained an unterminated SSI directive
  • Prevent infinite recursion if an ErrorDocument gets an error
  • Fix segfault in mod_mem_cache most frequently observed when serving the same file to multiple clients on an multi-processor machine
  • Various fixes to the experimental module mod_ext_filter including: Look in the main server for filter definitions when running in a vhost if the filter definition is not found in the vhost, BZ#10147. Fix a segmentation fault if the content-type was not set, BZ#10617, and ignore any content-type parameters when checking if the response should be filtered.
  • Fix infinite loop due to two HTTP_IN filters being present for internally redirected requests. BZ#10146
  • Fixed the Content-Length filter so that HTTP/1.0 requests to CGI scripts would not result in a truncated response.
  • Fix proxy so that it is possible to access ftp: URLs via a proxy chain.
  • Fix perchild to work with apachectl by adding -k support to perchild. BZ#10074
  • Fix the long-standing bug in ab where ab -t10 would loop for 10000 seconds instead of 10 as documented. Also fix an off-by-one-second error
  • Fixed parsing of strings to longs which allows HTTPD to deal with larger files correctly
  • mod_deflate now checks to make sure that 'gzip-only-text/html' is set so that BrowserMatch can be used to control the module
  • Add a filter_init parameter to the filter registration functions so that a filter can execute arbitrary code before the handlers are invoked. This resolves a problem where mod_include requests would incorrectly return a 304. BZ#9673
  • A problem with the keepalive enumeration caused problems when mod_dav sends error responses
  • Various minor fixes to the htpasswd utility including BZ#10422

Platform-specific changes

The following platform-specific changes have been made:

  • Solved the reports of .pdf byterange failures on Win32. BZ#10781
  • Support WinNT CGI invocation through ScriptInterpreterSource 'registry' for script interpreter paths and names with non-ascii characters in the executable filepath
  • Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include extended characters (non US-ASCII) in non-utf8 format. This brings Win32 back into CGI/1.1 compliance, and leaves charset decoding up to the cgi application itself
  • When deciding on the default address family for listening sockets, make sure we can actually bind to an AF_INET6 socket before deciding that we should default to AF_INET6. This fixes a startup problem on certain levels of OpenUNIX. BZ#10235

This feature brought to you by: Mark J Cox
Comments or criticisms? Please email us at editors@apacheweek.com