Yblog = yourblog, your quality blog. May the image of Sanada Yukimura charging in red armour on horseback bring us more courage.
Tuesday, January 22, 2008
Apache 2.2.8 available for download

Apache HTTPD, the free server software used by more web hosts than any other worldwide, recently released a security update, Apache 2.2.8, replacing the previous 2.2.6. The intermediate 2.2.7 was never publicly released; it was also a security update, and 2.2.8 is only a small corrective release on top of 2.2.7, so the main security fixes are still those introduced in 2.2.7.

The Apache project naturally recommends that every site running the Apache web server update to this release of Apache HTTPD.

This time the Apache HTTPD project also released an update for the older Apache 2.0 series, Apache 2.0.63.

Users of the even older Apache 1.0 series were likewise updated to Apache 1.3.41.

Apache 2.2.8 download link

The list of changes in the Apache 2.2.8 release and the earlier 2.2.7 is as follows (mostly security updates and efficiency improvements):

Changes with Apache 2.2.8

*) core: Fix regression in 2.2.7 in chunk filtering with massively
chunked requests. [Ruediger Pluem, Nick Kew]

*) winnt_mpm: Resolve modperl issues by redirecting console mode stdout
to /Device/Nul as the server is starting up, mirroring unix MPM's.
PR: 43534 [Tom Donovan <Tom.Donovan acm.org>, William Rowe]

*) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform
by recreating the bucket allocator each time the trans pool is cleared.
PR: 11427 #16 (follow-on) [Tom Donovan <Tom.Donovan acm.org>]

*) mod_dav: Fix evaluation of If-Match * and If-None-Match * conditionals.
PR 38034 [Paritosh Shah <shah.paritosh gmail.com>]

Changes with Apache 2.2.7 (not released)

*) SECURITY: CVE-2007-6421 (cve.mitre.org)
mod_proxy_balancer: Correctly escape the worker route and the worker
redirect string in the HTML output of the balancer manager.
Reported by SecurityReason. [Ruediger Pluem]

*) SECURITY: CVE-2007-6422 (cve.mitre.org)
Prevent crash in balancer manager if invalid balancer name is passed
as parameter. Reported by SecurityReason. [Ruediger Pluem]

*) SECURITY: CVE-2007-6388 (cve.mitre.org)
mod_status: Ensure refresh parameter is numeric to prevent
a possible XSS attack caused by redirecting to other URLs.
Reported by SecurityReason. [Mark Cox, Joe Orton]

*) SECURITY: CVE-2007-5000 (cve.mitre.org)
mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.
[Joe Orton]

*) SECURITY: CVE-2008-0005 (cve.mitre.org)
Introduce the ProxyFtpDirCharset directive, allowing the administrator
to identify a default, or specific servers or paths which list their
contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]

*) mod_dav: Adjust etag generation to produce identical results on 32-bit
and 64-bit platforms and avoid a regression with conditional PUT's on lock
and etag. PR 44152.
[Michael Clark <michael metaparadigm.com>, Ruediger Pluem]

*) mod_ssl: Fix handling of the buffered request body during a per-location
renegotiation, when an internal redirect occurs. PR 43738.
[Joe Orton]

*) mod_ldap: Try to establish a new backend LDAP connection when the
Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. after the
LDAP server has closed the connection due to a timeout.
PR 39095 [Eric Covener]

*) log.c: Ensure Win32 resurrects its lost robust logger processes.
[William Rowe]

*) mod_disk_cache: Delete temporary files if they cannot be renamed to their
final name. [Davi Arnaut <davi haxent.com.br>]

*) Add explicit charset to the output of various modules to work around
possible cross-site scripting flaws affecting web browsers that do not
derive the response character set as required by RFC2616. One of these
reported by SecurityReason [Joe Orton]

*) http_protocol: Escape request method in 405 error reporting.
This has no security impact since the browser cannot be tricked
into sending arbitrary method strings. [Jeff Trawick]

*) mod_ssl: Fix SSL client certificate extensions parsing bug. PR 44073.
[yl <yl bee-ware.net>]

*) mod_proxy_ajp: Use 64K as maximum AJP packet size. This is the maximum
length we can squeeze inside the AJP message packet.
[Mladen Turk]

*) core: Lower memory consumption of ap_r* functions by reusing the brigade
instead of recreating it during each filter pass.
[Stefan Fritsch <sf sfritsch.de>]

*) core: Lower memory consumption in case that flush buckets are passed thru
the chunk filter as last bucket of a brigade. PR 23567.
[Stefan Fritsch <sf sfritsch.de>]

*) core: Fix broken chunk filtering that causes all non blocking reads to be
converted into blocking reads. PR 19954, 41056.
[Jean-Frederic Clere, Jim Jagielski]

*) mod_rewrite: Add the novary flag to RewriteCond.
[Ruediger Pluem]

*) core: Change etag generation to produce identical results on
32-bit and 64-bit platforms. PR 40064. [Joe Orton]

*) http_protocol: Escape request method in 413 error reporting.
Determined to be not generally exploitable, but a flaw in any case.
PR 44014 [Victor Stinner <victor.stinner inl.fr>]

*) mod_filter: Don't segfault on (unsupported) chained FilterProvider usage.
PR 43956 [Nick Kew, Ruediger Pluem]

*) core: Handle unrecognised transfer-encodings.
PR 43882 [Nick Kew, Jeff Trawick]

*) mod_include: Add an "if" directive syntax to test whether an URL
is accessible, and if so, conditionally display content. This
allows a webmaster to hide a link to a private page when the user
has no access to that page. [Graham Leggett]

*) Various code cleanups. PR 38699, 39518, 42005, 42006, 42007, 42008, 42009
[Christophe Jaillet <christophe.jaillet wanadoo.fr>]

*) mod_proxy_http: Correctly forward unexpected interim (HTTP 1xx)
responses from the backend according to RFC2616. But make it
configurable in case something breaks on it.
PR 16518 [Nick Kew]

*) mod_substitute: Added a new output filter, which performs
inline response content pattern matching (including regex)
and substitution. [Jim Jagielski, Ruediger Pluem]

*) rotatelogs: Change command-line parsing to report more types
of errors. Allow local timestamps to be used when rotating based
on file size. [Jeff Trawick]

*) mod_proxy: Canonicalisation improvements. Add "nocanon" keyword to
ProxyPass, to suppress URI-canonicalisation in a reverse proxy. Also,
don't escape/unescape forward-proxied URLs.
PR 41798, 42592 [Nick Kew, Ruediger Pluem, Roy Fielding, Jim Jagielski]

*) mod_status: Add SeeRequestTail directive, which determines if
ExtendedStatus displays the 1st 63 characters of the request
or the last 63. Useful for those requests with large string
lengths and which only vary with the last several characters.
[Jim Jagielski]

*) mod_ssl: Prevent memory corruption of version string.
PR 43865, 43334 [William Rowe, Joe Orton]

*) core: Avoid some unexpected connection closes by telling the client
that the connection is not persistent if the MPM process handling
the request is already exiting when the response header is built.
[Jeff Trawick]

*) mod_autoindex: Generate valid XHTML output by adding the xhtml
namespace. PR 43649 [Jose Kahan <jose w3.org>]

*) mod_ldap: Give callers a reference to data copied into the request
pool instead of references directly into the cache
PR 43786 [Eric Covener]

*) mod_ldap: Stop passing a reference to pconf around for
(limited) use during request processing, avoiding possible
memory corruption and crashes. [Eric Covener]

*) Event MPM: Add support for running under mod_ssl, by reverting to the
Worker MPM behaviors, when run under an input filter that buffers
its own data. [Paul Querna]

*) mod_charset_lite: Don't crash when the request has no associated
filename. [Jeff Trawick]

*) Core: fix possible crash at startup in case of nonexistent DocumentRoot.
PR 39722 [Adrian Buckley <adrian.buckley ntlworld.com>]

*) HTTP protocol: Add "DefaultType none" option.
PR 13986 and PR 16139 [Nick Kew]

*) mod_rewrite: Add option to suppress URL unescaping
PR 34602 [Guenther Gsenger <guenther.gsenger gmail.com>]

*) mpm_winnt: Eliminate wait_for_many_objects. Allows the clean
shutdown of the server when the MaxClients is higher then 257,
in a more responsive manner [Mladen Turk, William Rowe]

*) mod_proxy_http: Remove Warning headers with wrong date
PR 16138 [Nick Kew]

*) mod_proxy_http: Correctly parse all Connection headers in proxy.
PR 43509 [Nick Kew]

*) mod_proxy_http: add Via header correctly (if enabled) to
response, even where other Via headers exist.
PR 19439 [Nick Kew]

*) http_core: OPTIONS * no longer maps to local storage or URI
space. Note that unlike previous versions, OPTIONS * no
longer returns an Allow: header. PR 43519 [Jim Jagielski]

*) mod_proxy_http: strip hop-by-hop response headers
PR 43455 [Nick Kew]

*) mod_proxy: Don't by default violate RFC2616 by setting
Max-Forwards when the client didn't send it to us.
Leave that as a configuration option.
PR 16137 [Nick Kew]

*) scoreboard: improve error message on apr_shm_create failure
PR 40037 [Nick Kew]

*) proxy: Fix persistent backend connections.
PR 43472 [Ruediger Pluem]

*) mod_deflate: initialise inflate-out filter correctly when the
first brigade contains no data buckets.
PR 43512 [Nick Kew]

*) mod_proxy_ajp: Ignore any ajp13 flush packets received before
we send the response headers. See Tomcat PR 43478.
[Jim Jagielski]

*) mod_proxy_balancer: Do not reset lbstatus, lbfactor and lbset when
starting a new child.
PR 39907 [Vinicius Petrucci <vpetrucci gmail.com>, Ruediger Pluem]

*) mod_proxy_http: Propagate Proxy-Authorization header correctly.
PR 25947 [Nick Kew]

*) mod_proxy_ajp: Differentiate within AJP between GET and HEAD
requests. PR 43060 [Jim Jagielski]

*) Don't send spurious "100 Continue" response lines.
PR 38014 [Basant Kumar Kukreja <basant.kukreja sun.com>]

*) mod_proxy_ftp: Don't segfault on bad line in FTP listing
PR 40733 [Ulf Harnhammar <metaur telia.com>]

*) mod_proxy: escape error-notes correctly
PR 40952 [Thijs Kinkhorst <thijs debian.org>]

*) mod_proxy: check ProxyBlock for all blocked addresses
PR 36987 [Timo Viipuri <timo.viipuri f-secure.com>]

*) mod_proxy: Don't lose bytes when a response line arrives in small chunks.
PR 40894 [Andrew Rucker Jones <arjones simultan.dyndns.org>]
Posted by ivan at 12:15 AM | Categories: Digital technology, www | Tags:
