全球最多網站主機使用的免費伺服器軟體Apache(10月4日的統計,佔有率達到全球網站主機的69.89%),日前繼推出2.0.55版本後,針對一代的Apache(目前也是最多人用的),釋出Apache 1.3.34,取代原先的1.3.33。
Apache 1.3.34主要是更新兩個重要的1.3.33的安全性問題,Apache官方建議所有Apache 1系列的網站更新,他們也推薦網站可以升級使用效率更好、功能更多的Apache 2.0.55。
目前全球7440萬個網站中,有超過5200萬台伺服器使用Apache系列伺服器軟體,微軟的IIS系列佔20.55%,SUN的佔有率為2.54%,其它的則不到0.79%。
Apache 1.3.34比起1.3.33,更新列表如下(大多是安全性更新):
*) hsregex: fix potential core dumping on 64 bit machines, such as
AMD64. PR 31858. [Glenn Strauss < gs-apache-dev gluelogic.com>]
*) SECURITY: core: If a request contains both Transfer-Encoding and
Content-Length headers, remove the Content-Length, mitigating some
HTTP Request Splitting/Spoofing attacks. This has no impact on
mod_proxy_http, yet affects any module which supports chunked
encoding yet fails to prefer T-E: chunked over the Content-Length
purported value. [Paul Querna, Joe Orton]
*) Added TraceEnable [on|off|extended] per-server directive to alter
the behavior of the TRACE method. This addresses a flaw in proxy
conformance to RFC 2616 – previously the proxy server would accept
a TRACE request body although the RFC prohibited it. The default
remains 'TraceEnable on'.
[William Rowe]
*) mod_digest: Fix another nonce string calculation issue.
[Eric Covener]
