[SECURITY-L] [ANNOUNCE] Apache HTTP Server 2.0.49 Released

CSIRT - UNICAMP security at unicamp.br
Mon Mar 22 13:18:40 -03 2004


----- Forwarded message from Sander Striker <striker at apache.org> -----

From: Sander Striker <striker at apache.org>
Subject: [S] [ANNOUNCE] Apache HTTP Server 2.0.49 Released
To: announce at httpd.apache.org
Date: Fri, 19 Mar 2004 22:55:38 +0100
X-Mailer: Ximian Evolution 1.4.5 

                   Apache HTTP Server 2.0.49 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.0.49 of the Apache HTTP
   Server ("Apache").  This Announcement notes the significant changes
   in 2.0.49 as compared to 2.0.48.

   This version of Apache is principally a bug fix release.  A summary of
   the bug fixes is given at the end of this document.  Of particular
   note is that 2.0.49 addresses three security vulnerabilities:

   When using multiple listening sockets, a denial of service attack
   is possible on some platforms due to a race condition in the
   handling of short-lived connections.  This issue is known to affect
   some versions of AIX, Solaris, and Tru64; it is known to not affect
   FreeBSD or Linux.
   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174]

   Arbitrary client-supplied strings can be written to the error log
   which can allow exploits of certain terminal emulators.
   [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020]

   A remotely triggered memory leak in mod_ssl can allow a denial
   of service attack due to excessive memory consumption.
   [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0113]

   This release is compatible with modules compiled for 2.0.42 and later
   versions.  We consider this release to be the best version of Apache
   available and encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.0.49 is available for download from

     http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.0 file, linked from the above page, for
   a full list of changes.

   Apache 2.0 offers numerous enhancements, improvements, and performance
   boosts over the 1.3 codebase.  For an overview of new features introduced
   after 1.3 please see

     http://httpd.apache.org/docs-2.0/new_features_2_0.html

   When upgrading or installing this version of Apache, please keep
   in mind the following:
   If you intend to use Apache with one of the threaded MPMs, you must
   ensure that the modules (and the libraries they depend on) that you
   will be using are thread-safe.  Please contact the vendors of these
   modules to obtain this information.

                       Apache 2.0.49 Major changes

   Security vulnerabilities closed since Apache 2.0.48

    *) SECURITY: CAN-2004-0174 (cve.mitre.org)
       Fix starvation issue on listening sockets where a short-lived
       connection on a rarely-accessed listening socket will cause a
       child to hold the accept mutex and block out new connections until
       another connection arrives on that rarely-accessed listening socket.
       With Apache 2.x there is no performance concern about enabling the
       logic for platforms which don't need it, so it is enabled everywhere
       except for Win32.  [Jeff Trawick]

    *) SECURITY: CAN-2004-0113 (cve.mitre.org)
       mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.
       PR 27106.  [Joe Orton]

    *) SECURITY: CAN-2003-0020 (cve.mitre.org)
       Escape arbitrary data before writing into the errorlog. Unescaped
       errorlogs are still possible using the compile time switch
       "-DAP_UNSAFE_ERROR_LOG_UNESCAPED".  [Geoffrey Young, André Malo]

   Bugs fixed and features added since Apache 2.0.47

    *) mod_cgid: Fix storage corruption caused by use of incorrect pool.
       [Jeff Trawick]

    *) Win32: find_read_listeners was not correctly handling multiple
       listeners on the Win32DisableAcceptEx path.  [Bill Stoddard]

    *) Fix bug in mod_usertrack when no CookieName is set.  PR 24483.
       [Manni Wood <manniwood planet-save.com>]

    *) Fix some piped log problems: bogus "piped log program '(null)'
       failed" messages during restart and problem with the logger
       respawning again after Apache is stopped.  PR 21648, PR 24805.
       [Jeff Trawick]

    *) Fixed file extensions for real media files and removed rpm extension
       from mime.types. PR 26079.  [Allan Sandfeld <kde carewolf.com>]

    *) Remove compile-time length limit on request strings. Length is
       now enforced solely with the LimitRequestLine config directive.
       [Paul J. Reder]

    *) mod_ssl: Send the Close Alert message to the peer before closing
       the SSL session.  PR 27428.  [Madhusudan Mathihalli, Joe Orton]

    *) mod_ssl: Fix bug in passphrase handling which could cause spurious
       failures in SSL functions later.  PR 21160.  [Joe Orton]

    *) mod_log_config: Fix corruption of buffered logs with threaded
       MPMs.  PR 25520.  [Jeff Trawick]

    *) Fix mod_include's expression parser to recognize strings correctly
       even if they start with an escaped token.  [André Malo]

    *) Add fatal exception hook for use by diagnostic modules.  The hook
       is only available if the --enable-exception-hook configure parm
       is used and the EnableExceptionHook directive has been set to
       "on".  [Jeff Trawick]

    *) Allow mod_auth_digest to work with sub-requests with different
       methods than the original request.  PR 25040.
       [Josh Dady <jpd indecisive.com>]

    *) fix "Expected </Foo>> but saw </Foo>" errors in nested,
       argumentless containers.
       ["Philippe M. Chiasson" <gozer cpan.org>]

    *) mod_auth_ldap: Fix some segfaults in the cache logic.  PR 18756.
       [Matthieu Estrade <apache moresecurity.org>, Brad Nicholes]

    *) mod_cgid: Restart the cgid daemon if it crashes.  PR 19849
       [Glenn Nielsen <glenn apache.org>]

    *) The whole codebase was relicensed and is now available under
       the Apache License, Version 2.0 (http://www.apache.org/licenses).
       [Apache Software Foundation]

    *) Fixed cache-removal order in mod_mem_cache.
       [Jean-Jacques Clar, Cliff Woolley]

    *) mod_setenvif: Fix the regex optimizer, which under circumstances
       treated the supplied regex as literal string. PR 24219.
       [André Malo]

    *) ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm
       instead of mmn. [André Malo]

    *) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
       could lead to a 400 (Bad Request) response.  [André Malo]

    *) Keep focus of ITERATE and ITERATE2 on the current module when
       the module chooses to return DECLINE_CMD for the directive.
       PR 22299.  [Geoffrey Young <geoff apache.org>]

    *) Add support for IMT minor-type wildcards (e.g., text/*) to
       ExpiresByType.  PR#7991  [Ken Coar]

    *) Fix segfault in mod_mem_cache cache_insert() due to cache size
       becoming negative.  PR: 21285, 21287
       [Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]

    *) core.c: If large file support is enabled, allow any file that is
       greater than AP_MAX_SENDFILE to be split into multiple buckets.
       This allows Apache to send files that are greater than 2gig.
       Otherwise we run into 32/64 bit type mismatches in the file size.
       [Brad Nicholes]

    *) proxy_http fix: mod_proxy hangs when both KeepAlive and
       ProxyErrorOverride are enabled, and a non-200 response without a
       body is generated by the backend server. (e.g.: a client makes a
       request containing the "If-Modified-Since" and "If-None-Match"
       headers, to which the backend server respond with status 304.)
       [Graham Wiseman <gwiseman fscinternet.com>, Richard Reiner]

    *) mod_dav: Reject requests which include an unescaped fragment in the
       Request-URI.  PR 21779.  [Amit Athavale <amit_athavale lycos.com>]

    *) Build array of allowed methods with proper dimensions, fixing
       possible memory corruption.  [Jeff Trawick]

    *) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID.
       PR 15057.  [Otmar Lendl <lendl nic.at>]

    *) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944
       [Joe Orton]

    *) mod_usertrack no longer inspects the Cookie2 header for
       the cookie name. PR 11475.  [Chris Darrochi <chrisd pearsoncmg.com>]

    *) mod_usertrack no longer overwrites other cookies.
       PR 26002.  [Scott Moore <apache nopdesign.com>]

    *) worker MPM: fix stack overlay bug that could cause the parent
       process to crash.  [Jeff Trawick]

    *) Win32: Add Win32DisableAcceptEx directive. This Windows
       NT/2000/XP directive is useful to work around bugs in some
       third party layered service providers like virus scanners,
       VPN and firewall products, that do not properly handle
       WinSock 2 APIs.  Use this directive if your server is issuing
       AcceptEx failed messages.
       [Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]

    *) Make REMOTE_PORT variable available in mod_rewrite.
       PR 25772.  [André Malo]

    *) Fix a long delay with CGI requests and keepalive connections on
       AIX.  [Jeff Trawick]

    *) mod_autoindex: Add 'XHTML' option in order to allow switching between
       HTML 3.2 and XHTML 1.0 output. PR 23747.  [André Malo]

    *) Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
       [André Malo]

    *) mod_ssl: Advertise SSL library version as determined at run-time rather
       than at compile-time.  PR 23956.  [Eric Seidel <seidel apple.com>]

    *) mod_ssl: Fix segfault on a non-SSL request if the 'c' log
       format code is used.  PR 22741.  [Gary E. Miller <gem rellim.com>]

    *) Fix build with parallel make.  PR 24643.  [Joe Orton]

    *) mod_rewrite: In external rewrite maps lookup keys containing
       a newline now cause a lookup failure. PR 14453.
       [Cedric Gavage <cedric.gavage unixtech.be>, André Malo]

    *) Backport major overhaul of mod_include's filter parser from 2.1.
       The new parser code is expected to be more robust and should
       catch all of the edge cases that were not handled by the previous one.
       The 2.1 external API changes were hidden by a wrapper which is
       expected to keep the API backwards compatible.  [André Malo]

    *) Add a hook (insert_error_filter) to allow filters to re-insert
       themselves during processing of error responses. Enable mod_expires
       to use the new hook to include Expires headers in valid error
       responses. This addresses an RFC violation. It fixes PRs 19794,
       24884, and 25123. [Paul J. Reder]

    *) Add Polish translation of error messages.  PR 25101.
       [Tomasz Kepczynski <tomek jot23.org>]

    *) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet
       supported for BeOS or OS/2 MPMs.)  [Jeff Trawick, Brad Nicholes,
       Bill Stoddard]

    *) Add mod_status hook to allow modules to add to the mod_status
       report.  [Joe Orton]

    *) Fix htdbm to generate comment fields in DBM files correctly.
       [Justin Erenkrantz]

    *) mod_dav: Use bucket brigades when reading PUT data. This avoids
       problems if the data stream is modified by an input filter. PR 22104

----- End forwarded message -----
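The CAN-2003-0020 item in the forwarded announcement describes the fix (escape arbitrary client data before it reaches the errorlog) but shows no code. The following is an added C example written for this archive page; it is not the httpd project's own code and does not reproduce its API. It implements the same idea as a standalone helper: every byte outside printable ASCII in a client-supplied string (here a constructed request line carrying a raw ESC byte) is rewritten as \xHH before logging, so a terminal that later displays the log never sees a live escape sequence. The function names escape_logitem, is_terminal_safe and escapes_to are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical helper (not httpd's ap_* API): escape one log item so that
 * no raw control byte reaches the error log. Printable ASCII (0x20..0x7e)
 * passes through, backslash is doubled so the output stays unambiguous,
 * and everything else becomes \xHH. Returns the number of bytes written,
 * excluding the terminating NUL; output is truncated safely when outlen is
 * too small to hold the whole escaped item. */
size_t escape_logitem(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t n = 0;
    const unsigned char *p;

    if (outlen == 0)
        return 0;
    for (p = (const unsigned char *)in; *p; p++) {
        if (*p == '\\') {
            if (n + 2 >= outlen) break;      /* keep room for the NUL */
            out[n++] = '\\';
            out[n++] = '\\';
        } else if (*p >= 0x20 && *p < 0x7f) {
            if (n + 1 >= outlen) break;
            out[n++] = (char)*p;
        } else {
            if (n + 4 >= outlen) break;
            out[n++] = '\\';
            out[n++] = 'x';
            out[n++] = hex[*p >> 4];
            out[n++] = hex[*p & 0x0f];
        }
    }
    out[n] = '\0';
    return n;
}

/* Returns 1 if s contains only printable ASCII, i.e. nothing a terminal
 * emulator would interpret as a control or escape sequence; 0 otherwise. */
int is_terminal_safe(const char *s)
{
    const unsigned char *p;
    for (p = (const unsigned char *)s; *p; p++)
        if (*p < 0x20 || *p >= 0x7f)
            return 0;
    return 1;
}

/* Convenience check: does escaping `in` into a buffer of `outlen` bytes
 * (capped at 256) produce exactly `expected`? */
int escapes_to(const char *in, size_t outlen, const char *expected)
{
    char buf[256];
    if (outlen > sizeof buf)
        outlen = sizeof buf;
    escape_logitem(in, buf, outlen);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample request line: "\x1b[2J" is a raw ESC byte followed
     * by a clear-screen sequence, the kind of data a client could place in a
     * Request-URI that an unescaped errorlog would pass straight through. */
    const char raw[] = "GET /\x1b[2Jindex.html HTTP/1.0";
    char buf[128];

    escape_logitem(raw, buf, sizeof buf);
    printf("raw item terminal-safe:     %d\n", is_terminal_safe(raw));
    printf("escaped item:               %s\n", buf);
    printf("escaped item terminal-safe: %d\n", is_terminal_safe(buf));
    return 0;
}
```

The check at the end is the property the fix restores: whatever bytes the client supplies, the string that reaches the log is printable ASCII, and the original bytes remain recoverable from the \xHH notation for forensic review. Compiling httpd with -DAP_UNSAFE_ERROR_LOG_UNESCAPED, as the announcement notes, reinstates the unescaped behaviour.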


