[users@httpd] [ANNOUNCEMENT] Apache HTTP Server 1.3.34 Released

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


                   Apache HTTP Server 1.3.34 Released
The Apache Software Foundation and The Apache HTTP Server Project are 
   pleased to announce the release of version 1.3.34 of the Apache HTTP
   Server ("Apache").  This Announcement notes the significant changes
   in 1.3.34 as compared to 1.3.33.  This Announcement1.3 document may
   also be available in multiple languages at:

        http://www.apache.org/dist/httpd/
This version of Apache is principally a bug and security fix release. A partial summary of the bug fixes is given at the end of this document. 
   A full listing of changes can be found in the CHANGES file.  Of
   particular note is that 1.3.34 addresses and fixes 2 potential
   security issues:

     o If a request contains both Transfer-Encoding and
Content-Length headers, remove the Content-Length, mitigating some 
       HTTP Request Splitting/Spoofing attacks.
o Added TraceEnable [on|off|extended] per-server directive to alter 
       the behavior of the TRACE method.
We consider Apache 1.3.34 to be the best version of Apache 1.3 available and we strongly recommend that users of older versions, especially of 
   the 1.1.x and 1.2.x family, upgrade as soon as possible.  No further
   releases will be made in the 1.2.x family.

   Apache 1.3.34 is available for download from:

       http://httpd.apache.org/download.cgi

   This service utilizes the network of mirrors listed at:

       http://www.apache.org/mirrors/

   Please consult the CHANGES_1.3 file for a full list of changes.

   As of Apache 1.3.12 binary distributions contain all standard Apache
   modules as shared objects (if supported by the platform) and include
   full source code.  Installation is easily done by executing the
   included install script.  See the README.bindist and INSTALL.bindist
   files for a complete explanation.  Please note that the binary
   distributions are only provided for your convenience and current
distributions for specific platforms are not always available. Win32 
   binary distributions are based on the Microsoft Installer (.MSI)
technology. While development continues to make this installation method 
   more robust, questions should be directed to the
   news:comp.infosystems.www.servers.ms-windows newsgroup.

   For an overview of new features introduced after 1.2 please see

   http://httpd.apache.org/docs/new_features_1_3.html

   In general, Apache 1.3 offers several substantial improvements over
   version 1.2, including better performance, reliability and a wider
   range of supported platforms, including Windows NT and 2000 (which
   fall under the "Win32" label), OS2, Netware, and TPF threaded
   platforms.
Apache is the most popular web server in the known universe; over half 
   of the servers on the Internet are running Apache or one of its
   variants.
IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS variants. While the ports to non-Unix platforms (such as Win32, Netware or OS2) are of an acceptable quality, Apache 1.3 is not optimized for these platforms. Security, stability, or performance issues on these 
   non-Unix ports do not generally apply to the Unix version, due to
   software's Unix origin.
Apache 2.0 has been structured for multiple operating systems from its inception, by introducing the Apache Portability Library and MPM modules. Users on Unix and non-Unix platforms are strongly encouraged to move up to 
   Apache 2.0 for better performance, stability and security on their
platforms. We consider Apache 2.0.55 to be the best available version at 
   the time of this release.  We offer Apache 1.3.34 as the best legacy
version of Apache 1.3 available, and strongly recommend that users who 
   require compatibility with existing Apache 1.3 installations should
upgrade as soon as possible. Users should first consider upgrading to 
   the current release of Apache 2 instead.

                     Apache 1.3.34 Major changes

  Security vulnerabilities

     * SECURITY: core: If a request contains both Transfer-Encoding and
Content-Length headers, remove the Content-Length, mitigating some 
       HTTP Request Splitting/Spoofing attacks.  This has no impact on
       mod_proxy_http, yet affects any module which supports chunked
encoding yet fails to prefer T-E: chunked over the Content- Length 
       purported value.
* Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method. This addresses a flaw in proxy conformance to RFC 2616 - previously the proxy server would accept a TRACE request body although the RFC prohibited it. The default 
       remains 'TraceEnable on'.

  New features

   New features that relate to specific platforms:

     * None

   New features that relate to all platforms:

     * None

  Bugs fixed
The following noteworthy bugs were found in Apache 1.3.33 (or earlier) 
   and have been fixed in Apache 1.3.34:

     * hsregex: fix potential core dumping on 64 bit machines, such as
       AMD64. PR 31858.
     * mod_digest: Fix another nonce string calculation issue.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux