httpd-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject [Announce] Apache HTTP Server 2.0.55 Released
Date Fri, 14 Oct 2005 17:48:38 GMT
                   Apache HTTP Server 2.0.55 Released

   The Apache Software Foundation and The Apache HTTP Server Project are
   pleased to announce the release of version 2.0.55 of the Apache HTTP
   Server ("Apache").  This Announcement notes the significant changes
   in 2.0.55 as compared to 2.0.55.  This Announcement2.0 document may 
   also be available in multiple langages at:

   This version of Apache is principally a security release.  The
   following potential security flaws are addressed, the first three 
   of which address several classes of HTTP Request and Response 
   Splitting/Spoofing attacks;

   CAN-2005-2088 (

     core: If a request contains both Transfer-Encoding and Content-Length
     headers, remove the Content-Length.

     proxy_http: Correctly handle the Transfer-Encoding and Content-Length
     request headers.  Discard the request Content-Length whenever chunked
     T-E is used, always passing one of either C-L or T-E chunked whenever 
     the request includes a request body.


     proxy_http: If a response contains both Transfer-Encoding and a 
     Content-Length, remove the Content-Length and don't reuse the

   CAN-2005-2700 (

     mod_ssl: Fix a security issue where "SSLVerifyClient" was not
     enforced in per-location context if "SSLVerifyClient optional"
     was configured in the vhost configuration.

   CAN-2005-2491 (
     pcre: Fix integer overflows in PCRE in quantifier parsing which 
     could be triggered by a local user through use of a carefully
     crafted regex in an .htaccess file.

   CAN-2005-2728 (

     Fix cases where the byterange filter would buffer responses
     into memory.

   CAN-2005-1268 (

     mod_ssl: Fix off-by-one overflow whilst printing CRL information
     at "LogLevel debug" which could be triggered if configured 
     to use a "malicious" CRL.

   The Apache HTTP Project thanks all of the reporters of these
   issues and vulnerabilities for the responsible reporting and
   thorough analysis of these vulnerabilities.

   This release further addresses a number of cross-platform bugs,
   as well as specific issues on OS/X 10.4, Win32, AIX as well as
   all EBCDIC platforms, and adds compatibility with OpenSSL 0.9.8.

   This release is compatible with modules compiled for 2.0.42 and
   later versions.  We consider this release to be the best version
   of Apache available and encourage users of all prior versions to

   This release includes the Apache Portable Runtime library suite
   release version 0.9.7, bundled with the tar and zip distributions.
   These libraries; libapr, libaprutil, and on Win32, libapriconv must
   all be updated to ensure binary compatibility and address many
   known platform bugs.

   Apache HTTP Server 2.0.55 is available for download from

   Please see the CHANGES_2.0 file, linked from the above page, for
   a full list of changes.  A condensed list, CHANGES_2.0.55 provides
   the complete list of changes since 2.0.54, including changes to 
   the APR suite of libraries.

   Apache 2.0 offers numerous enhancements, improvements, and performance
   boosts over the 1.3 codebase.  For an overview of new features introduced
   after 1.3 please see

   When upgrading or installing this version of Apache, please keep
   in mind the following:  If you intend to use Apache with one of the 
   threaded MPMs, you must ensure that the modules (and the libraries 
   they depend on) that you will be using are thread-safe.  Please 
   refer to the documentation of these modules and libraries to obtain 
   this information.

View raw message