Apache 2.0.55正式版推出

Posted by

Apache 2.0.55正式版推出



Apache 2.0.55正式版比起2.0.54,更新列表如下(大多是安全性更新和效率改進):

*) SECURITY: CAN-2005-2700 (cve.mitre.org)
mod_ssl: Fix a security issue where "SSLVerifyClient" was not
enforced in per-location context if "SSLVerifyClient optional"
was configured in the vhost configuration. [Joe Orton]

*) worker MPM: Fix a memory leak which can occur after an aborted
connection in some limited circumstances. [Greg Ames]

*) mod_ldap: Fix PR 36563. Keep track of the number of attributes
retrieved from LDAP so that all of the values can be properly
cached even if the value is NULL.
[Brad Nicholes, Ondrej Sury <ondrej sury.org>]

*) SECURITY: CAN-2005-2491 (cve.mitre.org):
Fix integer overflows in PCRE in quantifier parsing which could
be triggered by a local user through use of a carefully-crafted
regex in an .htaccess file. [Philip Hazel]

*) SECURITY: CAN-2005-2088 (cve.mitre.org)
proxy: Correctly handle the Transfer-Encoding and Content-Length
headers. Discard the request Content-Length whenever T-E: chunked
is used, always passing one of either C-L or T-E: chunked whenever
the request includes a request body. Resolves an entire class of
proxy HTTP Request Splitting/Spoofing attacks. [William Rowe]

*) Added TraceEnable [on|off|extended] per-server directive to alter
the behavior of the TRACE method. This addresses a flaw in proxy
conformance to RFC 2616 – previously the proxy server would accept
a TRACE request body although the RFC prohibited it. The default
remains 'TraceEnable on'. [William Rowe]

*) Add ap_log_cerror() for logging messages associated with particular
client connections. [Jeff Trawick]

*) Correct mod_cgid's argv[0] so that the full path can be delved by the
invoked cgi application, to conform to the behavior of mod_cgi.
[Pradeep Kumar S <pradeep.smani gmail.com>]

*) mod_include: Fix possible environment variable corruption when
using nested includes. PR 12655. [Joe Orton]

*) Support the suppress-error-charset setting, as with Apache 1.3.x.
PR 31274. [Jeff Trawick]

*) EBCDIC: Handle chunked input from client or, with proxy, origin
server. [Jeff Trawick]

*) Fix bad globbing comparison which could result in getting
a directory listing when a file was requested. PR 34512.
[sean <infamous41md hotmail.com>]

*) Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker()
was called even if mod_auth_ldap_check_user_id() was not
(or if it didn't succeed) for non-authoritative cases.
[Jim Jagielski]

*) SECURITY: CAN-2005-2728 (cve.mitre.org)
Fix cases where the byterange filter would buffer responses
into memory. PR 29962. [Joe Orton]

*) mod_proxy: Fix over-eager handling of '%' for reverse proxies.
PR 15207. [Jim Jagielski]

*) mod_ldap: Fix various shared memory cache handling bugs.
PR 34209. [Joe Orton]

*) Fix a file descriptor leak when starting piped loggers. PR 33748.
[Joe Orton]

*) mod_ldap: Avoid segfaults when opening connections if using a version
of OpenLDAP older than 2.2.21. PR 34618. [Brad Nicholes]

*) mod_ssl: Fix build with OpenSSL 0.9.8. PR 35757. [William Rowe]

*) SECURITY: CAN-2005-2088 (cve.mitre.org)
core: If a request contains both Transfer-Encoding and Content-Length
headers, remove the Content-Length, mitigating some HTTP Request
Splitting/Spoofing attacks. [Paul Querna, Joe Orton]

*) proxy HTTP: If a response contains both Transfer-Encoding and a
Content-Length, remove the Content-Length and don't reuse the
connection, mitigating some HTTP Response Splitting attacks.
[Jeff Trawick]

*) Prevent hangs of child processes when writing to piped loggers at
the time of graceful restart. PR 26467. [Jeff Trawick]

*) SECURITY: CAN-2005-1268 (cve.mitre.org)
mod_ssl: Fix off-by-one overflow whilst printing CRL information
at "LogLevel debug" which could be triggered if configured
to use a "malicious" CRL. PR 35081. [Marc Stern <mstern csc.com>]

*) mod_userdir: Fix possible memory corruption issue. PR 34588.
[David Leonard <dleonard vintela.com>]

*) worker mpm: don't take down the whole server for a transient
thread creation failure. PR 34514 [Greg Ames]

*) mod_rewrite: use buffered I/O to improve performance with large
RewriteMap txt: files. [Greg Ames]

*) proxy HTTP: Rework the handling of request bodies to handle
chunked input and input filters which modify content length, and
avoid spooling arbitrary-sized request bodies in memory.
PR 15859. [Jeff Trawick]

一直很喜歡的緞帶教堂 Ribbon Chapel
2005 年 10 月