httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject [Security Release] Apache HTTP Server 2.0.43
Date Thu, 03 Oct 2002 19:39:50 GMT

                            Apache 2.0.43 Released

   The Apache Software Foundation and The Apache Server Project are 
   pleased to announce the sixth public release of the Apache 2.0 
   HTTP Server.  This Announcement notes the significant changes in 
   2.0.43, as compared to 2.0.42.

   This version of Apache is principally a security and bug fix release. 
   A summary of the bug fixes is given at the end of this document.
   Of particular note is that 2.0.43 addresses and fixes two security

   CAN-2002-0840 ([1]: Apache is susceptible to a cross site
   scripting vulnerability in the default 404 page of any web server hosted
   on a domain that allows wildcard DNS lookups.  We thank Matthew Murphy 
   for notification of this issue.

   Bug ID 13025[2]: Apache would serve script source code for POST requests 
   when the DAV On directive enabled mod_dav for a given resource.  We thank 
   Sander Holthaus for notification of this issue.

   We consider this release to be the best version of Apache available
   and encourage users of all prior versions to upgrade.

   Apache 2.0.43 is available for download from

   Please see the CHANGES_2.0 file in the same directory for a full list
   of changes.

   Binary distributions are available from

   The source and binary distributions are also available via any of the
   mirrors listed at

   Apache 2.0 offers numerous enhancements, improvements, and performance
   boosts over the 1.3 codebase.  The most visible and noteworthy addition
   is the ability to run Apache in a hybrid thread/process mode on any
   platform that supports both threads and processes.  This has been shown
   to improve the scalability of the Apache HTTP Server significantly in
   our testing.  Apache 2.0 also includes support for filtered I/O.  This
   allows modules to modify the output of other modules before it is
   sent to the client.  We have also included support for IPv6 on any
   platform that supports IPv6.

   For an overview of new features introduced after 1.3 please see

   This version of Apache is known to work on many versions of Unix, BeOS,
   OS/2, Windows, and Netware.  Because of the many advances in Apache
   2.0, it is expected to perform equally well on all supported platforms.
   Apache 2.0 has been running on the website since December
   of 2000 and has proven to be very reliable.

   When upgrading or installing this version of Apache, please keep 
   in mind the following:

   This release is binary-compatible only with 2.0.42, and no other previous 
   releases.  All modules must be recompiled in order to work with this 
   version.  For example, a module compiled to work with 2.0.40 will not 
   work with 2.0.43.

   This release does not include the new mod_logio, contrary to the 
   documentation in the CHANGES and manual included in this release.
   That module will be included in the next public release of Apache 2.0.
   We regret the confusion.

   Users of this release on Darwin 6.1 (including Mac OS X 10.2, a.k.a. 
   "Jaguar") must add --disable-ipv6 when invoking the ./configure script, 
   to avoid a potential security exposure related to IPv6 support on that 

   If you intend to use Apache with one of the threaded MPMs, you must
   ensure that the modules (and the libraries they depend on) that you
   will be using are thread-safe.  Please contact the vendors of
   these modules to obtain this information.

   IMPORTANT NOTE FOR APACHE USERS:   Apache 2.0 has been structured for 
   multiple operating systems from its inception, by introducing the 
   Apache Portability Library and MPM modules.  Users on non-Unix platforms 
   are strongly encouraged to move up to Apache 2.0 for better performance, 
   stability and security on their platforms.

   Apache is the most popular web server in the known universe; over half
   of the servers on the Internet are running Apache or one of its

                     Apache 2.0.43 Major changes

  Security vulnerabilities closed since Apache 2.0.42

     * Fixed the security vulnerability noted in CAN-2002-0840 (
       regarding a cross-site scripting vulnerability in the default error
       page when using wildcard DNS.

     * Prevent POST requests for CGI scripts from serving the source code
       when DAV is enabled on the location.

  Bugs fixed since Apache 2.0.42

     * Fixed a core dump in mod_cache when it attemtped to store uncopyable
       buckets, such as a file containing SSI tags to execute a CGI script.

     * Ensured that output already available is flushed to the network
       to help some streaming CGIs and other dynamically-generated content.

     * Fixed a mutex problem in mod_ssl dbm session cache support.

     * Allow the UserDir directive to accept a list of directories, as in 1.3.

     * Changed SuExec to use the same default directory as the rest of the
       server, e.g. /usr/local/apache2.

     * Retry connections with mod_auth_ldap on LDAP_SERVER_DOWN errors.

     * Pass the WWW-Authenticate header on a 4xx responses from the proxy.

     * Fixed mod_cache's CacheMaxStreamingBuffer directive within virtual hosts.

     * Add -p option to apxs to allow programs to be compiled with apxs.



Version: PGP 6.5.8


View raw message