Apache Week
   
   Issue 344, 26th March 2004:  

Copyright 1996-2005
Red Hat, Inc.

In this issue


Apache httpd 2.0.49 Released

Apache httpd 2.0.49 was released on 19th March 2004 and is now the latest version of the httpd 2.0 server. The previous version was 2.0.48, released on the 29th October 2003. See what was new in Apache httpd 2.0.48.

Apache httpd 2.0.49 is available for download.

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions of 2.0 prior to Apache httpd 2.0.49 should upgrade to Apache httpd 2.0.49. Read more about the other security issues that affect 2.0.

Security issues

  • A remotely triggered memory leak in mod_ssl can allow a denial of service attack due to excessive memory consumption. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0113 to this issue.
  • When using multiple listening sockets, a denial of service attack is possible on some platforms due to a race condition in the handling of short-lived connections. This issue is known to affect some versions of AIX, Solaris, and Tru64; it is known to not affect FreeBSD or Linux. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0174 to this issue.
  • Arbitrary client-supplied strings can be written to the error log which can lead to exploits of certain terminal emulators. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0020 to this issue.

New features

The following new features have been added in httpd 2.0.49:

  • mod_include: new, more robust filter parser
  • mod_rewrite: now handles lookup keys containing newlines; the REMOTE_PORT variable is now available too
  • mod_autoindex: new "XHTML" IndexOption to enable XHTML-compliant output (BZ#23747)
  • Polish translation of error documents are now included
  • a new mode AP_MPMQ_MPM_STATE for the ap_mpm_query function, to allow modules to query the MPM state
  • mod_status: a hook has been added to allow modules to add content to the server-status report; a new scoreboard state L is now reported when a process is running a logging hook
  • add a "fatal exception" hook for use in diagnostic modules
  • the source code is now licensed under the Apache License, Version 2.0

Bugs fixed

The following bugs were found in httpd 2.0.48 and have been fixed in httpd 2.0.49:

  • fixes for problems with handling of piped logging processes at restart and shutdown time (BZ#21648, BZ#24805)
  • mod_usertrack: fix case where CookieName was not set; don't check the Cookie2 header; don't overwrite cookies from other sources (BZ#24483, BZ#11475, BZ#26002)
  • mod_include: fix handling of empty variables; don't send an ETag header on 304 response; check when INCLUDES are configured twice (BZ#24734, BZ#19355)
  • mod_ssl fixes for: cleanly closing SSL connections; bug in passphrase handling causing spurious failures; handling of nph- CGI scripts; variable lookup issues; log human-readable error strings (BZ#27428, BZ#21160, BZ#15057, BZ#21944, BZ#23956, BZ#22741)
  • mod_cgid: fix storage corruption bug; restart the daemon on crashes (BZ#19849)
  • mod_dav: reject requests with unescaped fragment in Request-URI; use bucket brigades for reading input bodies; handle authentication on destination of MOVE and COPY methods; fix issue with namespace mappings in property values (BZ#21779, BZ#22104, BZ#15571, BZ#11637)
  • mod_proxy fixes for: use of ProxyErrorOverride and non-2xx responses; sending invalid status-lines; memory leak in reverse proxy (BZ#23998, BZ#24991)
  • mod_autoindex: handle filenames containing escape characters correctly (BZ#23747)
  • mod_expires: include Expires headers in error responses; fix 500 error if ExpiresDefault is not used; support wildcard as minor-type in ExpiresByType (BZ#19794, BZ#24884, BZ#24884, BZ#25123, BZ#23748, BZ#24459, BZ#7991)
  • mod_log_config: fix log corruption in threaded MPMs when buffering is enabled; log minutes component of timezone correctly (BZ#25520, BZ#23642)
  • mod_mem_cache: fix potential segfaults and various other bugs (BZ#18756)
  • MPM-specific fixes: fix for potential parent process crashes in worker; fix for slow graceful restarts in prefork; implement the MaxMemFree and add new Win32DisableAcceptEx for the Win32 MPM

This issue brought to you by: Joe Orton
Comments or criticisms? Please email us at editors@apacheweek.com