www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject [Announce] Apache 1.3.20 Released
Date Mon, 21 May 2001 22:17:20 GMT

                            Apache 1.3.20 Released
                                       
   The Apache Software Foundation and The Apache Server Project are
   pleased to announce the release of version 1.3.20 of the Apache HTTP
   server.
   
   This version of Apache is principally a security fix release which
   closes a problem under the Windows and OS2 ports that would segfault
   the server in response to a carefully constructed URL.  It also fixes
   some potential configuration quirks present in the 1.3.19 release.  
   A summary of the new features is given at the end of this document.
   
   We consider Apache 1.3.20 to be the best version of Apache available
   and we strongly recommend that users of older versions, especially of
   the 1.1.x and 1.2.x family, upgrade as soon as possible.  No further
   releases will be made in the 1.2.x family.
   
   Apache 1.3.20 is available for download from
   
     http://httpd.apache.org/dist/httpd/
     
   Please see the CHANGES_1.3 file in the same directory for a full list
   of changes.
   
   Binary distributions are available from
   
     http://httpd.apache.org/dist/httpd/binaries/
     
   The source and binary distributions are also available via any of the
   mirrors listed at
   
     http://www.apache.org/mirrors/
     
   Apache 1.3.20 for Win32 and OS2 corrects a serious denial of service 
   vulnerability, and users are strongly discouraged from using any 
   previous versions on those platforms.
   
   As of Apache 1.3.17, Win32 binary distributions are now based on the
   Microsoft Installer (.MSI) technology.  This change occured in order
   to resolve the many problems WinME and Win2K users experienced with
   the older InstallShield-based installer .exe file.  While development
   continues to make this new installation method more robust, questions
   should be directed at the news:comp.infosystems.www.servers.ms-windows
   newsgroup.  

   As of Apache 1.3.12 binary distributions contain all standard Apache
   modules as shared objects (if supported by the platform) and include
   full source code. Installation is easily done by executing the
   included install script. See the README.bindist and INSTALL.bindist
   files for a complete explanation. Please note that the binary
   distributions are only provided for your convenience and current
   distributions for specific platforms are not always available.
   
   For an overview of new features introduced after 1.2 please see
   
     http://httpd.apache.org/docs/new_features_1_3.html
     
   In general, Apache 1.3 offers several substantial improvements over
   version 1.2, including better performance, reliability and a wider
   range of supported platforms, including Windows 95/98 and NT (which
   fall under the "Win32" label), OS2, Netware, and TPE threaded platforms.
   
   Apache is the most popular web server in the known universe; over half
   of the servers on the Internet are running Apache or one of its
   variants.
   
   IMPORTANT NOTE FOR WIN32 USERS: Over the years, many users have come
   to trust Apache as a secure and stable server. It must be realized
   that the current Win32 code has not yet reached the levels of the Unix
   version, but is of acceptable quality.  Win32 stability or security 
   problems do not reflect on the Unix version.
   
                         Apache 1.3.20  Major changes

   The primary security fix is:
     * A carefully constructed URI could cause the server to segfault on
       Win32 and OS2, denying access to users until the error was cleared.
       This is resolved on both platforms, no server data vulnerability
       was identified for this denial of service exploit.
                                            
   The general bug fixes:
     * Eliminate a potential segfault if an invalid floating point value
       is passed to the ap_snprintf() function, on platforms supporting
       isnan() and isinf().
     * Fix a possible segfault at startup in the detection of a default
       ServerName or IP string when no ServerName was specified.
     * Fixed mod_proxy to retain empty headers, as allowed by RFC2068.
     * Properly resolve the location of ndbm on Linux and some glibc2
       builds, where ndbm.h is in the nonstandard db1/ subdir.

   Win32 bug fixes:
     * Win32 now properly handles the SSI exec cmd tag.  Due to argument
       parsing issues with spaces and slashes, cmd is interpreted as an 
       executable file, not a long command line string.
     * Resolved a threading problem with WinNT/2K services, allowing
       modules such as mod_jserv and mod_perl to shut down cleanly.
     * Resolved stdin and stdout pipes for the parent Win32 service 
       process, solving bugs such as "dup2(stdin) failed" when trying 
       to use piped logs.  

   Netware specific bug fixes:
     * Netware initial screen allows the -s parameter to switch to the 
       system console screen, warning messages during startup are now 
       displayed.
     * Netware added '.' and '..' to the directory listing so mod_autoindex 
       will now display the parent directory.
     * NetWare now shuts down cleanly in error conditions, such as a failure
       while reading the httpd.conf file.

   The main new features include:
     * Enhanced rotatelogs to allow a UTC offset to be specified, and
       the format logfile names with human-readable date/time stamps.
     * Added the NOESCAPE (NS) flag to RewriteRule, to disable *all* 
       normal URI escaping.  Note incautious use can give unexpected 
       results or introduce security risks.
     * Added the '\' character to RewriteRule to allow escaping of 
       special characters.  Allows embedding of both the '$' and '%' 
       characters in the results, so 'foo\$1' translates to 'foo$1' 
       rather than 'foo\<value of $1>'.
     * Added the -V flag to suexec, to display the compile-time settings
       with which it was built.  (Only valid for root or the HTTPD_USER 
       username.)          
     * Introduced EBCDIC conversion configuration options, controlling the 
       conversion based on MIME type or file suffix.
     * Support for the Cygwin 1.x platform (a POSIX emulation layer for 
       Win32 systems, see http://www.cygwin.com).  Note this is an entirely
       different implementation than the native calls in the win32 port.
     * Support for building modules with apxs under Win32.  cygwin builders 
       must use a cygwin build of perl to avoid MSVC handling.





---------------------------------------------------------------------
You have received this mail because you are subscribed to the
announce@apache.org mailing list.
To unsubscribe, e-mail: announce-unsubscribe@apache.org
For additional commands, e-mail: announce-help@apache.org


Mime
View raw message