Apache Week
   

Copyright 1996-2005
Red Hat, Inc.

First published: 4th October 2002

Apache 2.0.43 Released

Apache 2.0.43 was released on 3rd October 2002 and is now the latest version of the Apache 2.0 server. The previous release was 2.0.42, released on the 24th September 2002. See what was new in Apache 2.0.42.

Apache 2.0.43 is available in source form for compiling on Unix or Windows, for download from the main Apache site or from any mirror download site.

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions prior to Apache 2.0.43 should upgrade to Apache 2.0.43. Read more about the other security issues that affect Apache 2.0.

Security issues

  • Fix a cross-site scripting vulnerability in the default error page when using wildcard DNS. CAN-2002-0840

  • Fix the exposure of CGI source when a POST request is sent to a location where both DAV and CGI are enabled. CAN-2002-1156

  • Fix some possible overflows in ab.c which could be exploited by a malicious server. CAN-2002-0843

Bugs fixed

The following bugs were found in Apache 2.0.42 and have been fixed in Apache 2.0.43:

  • The UserDir directive has been fixed to again accept a list of user names for which userdir access is enabled, as per 1.3.

  • Flushing behaviour has been improved to ensure that available response output is flushed when no new output is pending, helping streaming CGIs and other dynamically-generated content.

  • mod_auth_ldap has been fixed to retry connections to the LDAP server if it becomes unavailable.

  • Fix for a locking problem in mod_ssl's session cache code which could cause infinite loops on some platforms.

  • Fixes for mod_cache to prevent a segfault when attempting to cache some combinations of content (for instance, when using SSI tags which execute CGI scripts), and to correct the CacheMaxStreamingBuffer directive for virtual hosts.

  • The default server root directory in suexec has been fixed to match the default install root.

  • mod_proxy was fixed to not strip WWW-Authenticate headers on 4xx error responses, which prevented server authentication from being performed via the proxy.

New features

  • A new module, mod_logio, has been added which allows logging of the number of bytes sent and received by the server.

  • A -p option has been added to apxs to allow programs to be compiled using this tool.


This feature brought to you by: Joe Orton