Apache 2.0.40 released

Published by

Some time ago, a new Apache HTTP Server Beta has been released with a huge list of bugfixes The latest stable build of Apache Server is 2.0.40. Read More for the changes and download Some time ago, a new Apache HTTP Server Beta has been released. The latest stable build of Apache Server is 2.0.40.

Apache Homepage

Direct Download


Changes with Apache 2.0.40

-Close a very significant security hole that applies only to the Win32, OS2 and Netware platforms. Unix was not affected, Cygwin may be affected. Certain URIs will bypass security and allow users to invoke or access any file depending on the system configuration. Without upgrading, a single .conf change will close the vulnerability. Add the following directive in the global server httpd.conf context before any other Alias or Redirect directives

-Close a path-revealing exposure in multiview type map negotiation (such as the default error documents) where the module would report the full path of the typemapped .var file when multiple documents or no documents could be served based on the mime negotiation

-Close a path-revealing exposure in cgi/cgid when we fail to invoke a script. The modules would report "couldn't create child process /path-to-script/script.pl" revealing the full path of the script.

Set aside the apr-iconv and apr_xlate() features for the Win32 build of 2.0.40 so development can be completed. A patch, from - will be available for those that wish to work with apr-iconv.

-Fix proxy so that it is possible to access ftp: URLs via a proxy chain.

-mod-deflate now checks to make sure that 'gzip-only-text/html' is set to 1, so we can exclude things from the general case with browsermatch.

-Accept multiple leading /'s for requests within the DocumentRoot.

-Solved the reports of .pdf byterange failures on Win32 alone. APR's sendfile for the win32 platform collapses header and trailer buffers into a single buffer. However, we destroyed the pointers to the header buffer if a trailer buffer was present.

-Add the ability to enable or disable a filter via an environment variable. Add the ability to register a filter of type other than AP_FTYPE_RESOURCE.

-Restore the ability to specify host names on Listen directives.

-When deciding on the default address family for listening sockets, make sure we can actually bind to an AF_INET6 socket before deciding that we should default to AF_INET6. This fixes a startup problem on certain levels of OpenUNIX.

-Replace usage of atol() to parse strings when we might want a larger-than-long value with apr_atoll(), which returns long long. This allows HTTPD to deal with larger files correctly.

-Ignore any content-type parameters when checking if the response should be filtered. Previously, "intype=text/html" wouldn't match something like "text/html;charset=8859_1".

-Set up environment variables for external programs.

-Modified the HTTP_IN filter to immediately append the EOS (end of stream) bucket for C-L POST bodies, saving a roundtrip and allowing the caller to determine that no content remains without prefetching additional POST body.

-Get proxy ftp to work over IPv6.

-Look for OpenSSL libraries in /usr/lib64.

-Update SuSE layout.

-Changes to the internationalized error documents: Comment them out in the default config file to make the default install as simple as possible; Correct the english 500 error to be more understandable; Add a Swedish translation.

-Increase the limit on file descriptors per process in apachectl.

-Fix a dependency error when building ApacheMonitor, so that Win32 and MSVC now trust that the project is current (when it is).

-mod_ext_filter: don't segfault if content-type is not set.

-APR-Util Renames pending have been completed

-Performance improvements for the code that reads request headers (ap_rgetline_core() and related functions)

-MaxMemFree. MaxMemFree makes it possible to configure the maximum amount of memory the allocators will hold on to for reuse. Anything over the MaxMemFree threshold will be free()d. This directive is useful when uncommon large peaks occur in memory usage. It should _not_ be used to mask defective modules' memory use.

-Fixed the Content-Length filter so that HTTP/1.0 requests to CGI scripts would not result in a truncated response.

-Add a filter_init parameter to the filter registration functions so that a filter can execute arbitrary code before the handlers are invoked. This resolves a problem where mod_include requests would incorrectly return a 304.

-Fix a long-standing bug in 2.0, CGI scripts were being called with relative paths instead of absolute paths. Apache 1.3 used absolute paths for everything except for SuExec, this brings back that standard.

-Fix infinite loop due to two HTTP_IN filters being present for internally redirected requests.

-Switch conn_rec->keepalive to an enumeration rather than a bitfield.

-Fix mod_ext_filter to look in the main server for filter definitions when running in a vhost if the filter definition is not found in the vhost.

-Support WinNT CGI invocation through ScriptInterpreterSource 'registry' for script interpreter paths and names with non-ascii characters in the executable filepath.

-Support the -w flag on to keep the Win32 console open on error.

-Normalize the hostname value in the request_rec to all-lowercase

-Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include extended characters (non US-ASCII) in non-utf8 format. This brings Win32 back into CGI/1.1 compliance, and leaves charset decoding up to the cgi application itself.

-Major overhaul of mod_dav, mod_dav_fs and the experimental/cache modules to bring them up to the current apr/apr-util APIs.

-Fix segfault in mod_mem_cache most frequently observed when serving the same file to multiple clients on an MP machine.

-mod_rewrite can now set cookies (RewriteRule (.*) - [CO=name:$1:.domain])

-Fix perchild to work with apachectl by adding -k support to perchild.

-Fix a silly htpasswd.c logic error that incorrectly reported that both -c and -n had been used.

-Fixed a mod_include error case in which no HTTP response was sent to the client if an shtml document contained an unterminated SSI directive.

-Improve ap_get_client_block implementation by using APR-util brigade helper functions and relying on current filter assumptions.