Apache Week
Copyright 1996-2005
Red Hat, Inc.

First published: 21st January 2003

Apache 2.0.44 Released

Apache 2.0.44 was released on 21st January 2003 and is now the latest version of the Apache 2.0 server. The previous release was 2.0.43, released on the 3rd October 2002. See what was new in Apache 2.0.43.

Apache 2.0.44 is available for download.

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions prior to Apache 2.0.44 on Windows should upgrade to Apache 2.0.44. Read more about the other security issues that affect Apache 2.0.

Security issues

  • Apache was vulnerable to a denial of service attack via a request for an MS-DOS device name on Windows 9x and Me. CAN-2003-0016
  • Apache allowed arbitrary code execution via a crafted POST request containing an MS-DOS device name on Windows 9x and Me.
  • Apache could be forced to serve unexpected files on Windows platforms by appending illegal characters such as '<' to the request URL. CAN-2002-0017

Bugs fixed

The following bugs were found in Apache 2.0.43 and have been fixed in Apache 2.0.44:

  • Allow escaping % sign in CustomLog format strings
  • mod_setenvif: fix BrowserMatchNoCase for non-regex patterns.
  • Return appropriate MIME response headers for negotiated responses from a body embedded in a type-map
  • Prevent 416 "Range not satisfiable" response in place of a redirect
  • Prevent files being left open for the duration of a keepalive connection, which could cause a "Too many open files" error
  • mod_ssl: several fixes for memory handling and leaks
  • mod_proxy: fix invalid Content-Length from pages fetched during server-side include processing.
  • LDAP modules: ensure correct load order in httpd.conf (BZ#14256); fix compatibility with Netscape LDAP libraries; fix Win32 build
  • mod_deflate: fix a memory leak when compressing dynamic content; always emit Vary headers
  • mod_isapi: fix several compatibility problems (BZ#14399, BZ#10408), and fix bug which caused invalid responses or log entries (BZ#10216)
  • CGI modules: fix streaming output from "nph-" scripts, for example CGI::IRC (BZ#8482); fix construction of command line from query strings (BZ#13914), handle environment variables which contain newlines in mod_cgid (BZ#14550); terminate CGI scripts when connection is dropped (BZ#8388)
  • Caching modules: many bug fixes (including BZ#14556), and an HTTP compliance fix (BZ#14556)

New features

  • Add an --enable-v4-mapped configure option to allow or disallow connections from IPv4-mapped addresses to IPv6 addresses, on applicable platforms (BZ#14037, PR#7492)
  • Add IndexOptions IgnoreCase option to mod_autoindex (BZ#14276)
  • Add EnableSendfile directive to disable use of sendfile() when necessary (for instance when serving an NFS share)
  • Add ProxyBadHeader directive to dictate handling of invalid HTTP response headers
  • Add SERVER_ADDR keyword to mod_setenvif, to represent the server IP address for a particular request
  • Performance improvements
  • Add -S command-line option to httpd, equivalent to -t -DDUMP_VHOSTS
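The following httpd.conf fragment is an added example, not configuration shipped with Apache 2.0.44 or taken from the release notes: it shows the CustomLog "%%" escape from the bug-fix list together with the new EnableSendfile, ProxyBadHeader, IndexOptions IgnoreCase and SetEnvIf SERVER_ADDR features in one place. The directory paths, the 192.168.0.10 management address and the backend host name are assumptions chosen for illustration.

```apache
# Added example: httpd.conf fragment exercising the 2.0.44 changes.
# Paths, addresses and host names below are illustrative assumptions.

# Bug fix: a literal percent sign in a log format is written as "%%".
# Here it appends a constant "%" marker after the bytes-sent field.
LogFormat "%h %l %u %t \"%r\" %>s %b %%" common_pct
CustomLog logs/access_log common_pct

# New: SERVER_ADDR in mod_setenvif matches the local address the request
# arrived on, so traffic reaching the (assumed) management IP can be
# routed to its own log and reviewed separately.
SetEnvIf SERVER_ADDR "^192\.168\.0\.10$" on_mgmt_addr
CustomLog logs/mgmt_access_log common_pct env=on_mgmt_addr

# New: EnableSendfile lets sendfile() be switched off where the kernel
# cannot serve the file directly, e.g. an NFS-mounted document tree.
<Directory "/srv/nfs/htdocs">
    EnableSendfile Off
</Directory>

# New: IndexOptions IgnoreCase sorts mod_autoindex listings
# case-insensitively.
<Directory "/srv/www/htdocs/downloads">
    Options +Indexes
    IndexOptions FancyIndexing IgnoreCase
</Directory>

# New: ProxyBadHeader decides what mod_proxy does with a malformed
# response header line from the backend. IsError (the default) returns
# an error to the client rather than passing a broken response through;
# the alternatives are Ignore and StartBody.
ProxyRequests Off
ProxyPass /app/ http://backend.example.internal:8080/app/
ProxyPassReverse /app/ http://backend.example.internal:8080/app/
ProxyBadHeader IsError
```

After editing, check the syntax with `httpd -t`, and use the new `httpd -S` option (the equivalent of `-t -DDUMP_VHOSTS`) to confirm the virtual-host layout the server actually parsed. The IPv4-mapped address behaviour is a build-time choice rather than a directive: pass `--enable-v4-mapped` (or `--disable-v4-mapped`) to `configure` on platforms where it applies.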

This feature brought to you by: Joe Orton
Comments or criticisms? Please email us at editors@apacheweek.com