www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Jagielski <...@apache.org>
Subject [ANNOUNCEMENT] Apache HTTP Server 1.3.34 Released
Date Tue, 18 Oct 2005 17:50:29 GMT

                    Apache HTTP Server 1.3.34 Released

    The Apache Software Foundation and The Apache HTTP Server Project  
are
    pleased to announce the release of version 1.3.34 of the Apache HTTP
    Server ("Apache").  This Announcement notes the significant changes
    in 1.3.34 as compared to 1.3.33.  This Announcement1.3 document may
    also be available in multiple languages at:

         http://www.apache.org/dist/httpd/

    This version of Apache is principally a bug and security fix  
release.
    A partial summary of the bug fixes is given at the end of this  
document.
    A full listing of changes can be found in the CHANGES file.  Of
    particular note is that 1.3.34 addresses and fixes 2 potential
    security issues:

      o If a request contains both Transfer-Encoding and
        Content-Length headers, remove the Content-Length, mitigating  
some
        HTTP Request Splitting/Spoofing attacks.

      o Added TraceEnable [on|off|extended] per-server directive to  
alter
        the behavior of the TRACE method.

    We consider Apache 1.3.34 to be the best version of Apache 1.3  
available
    and we strongly recommend that users of older versions,  
especially of
    the 1.1.x and 1.2.x family, upgrade as soon as possible.  No further
    releases will be made in the 1.2.x family.

    Apache 1.3.34 is available for download from:

        http://httpd.apache.org/download.cgi

    This service utilizes the network of mirrors listed at:

        http://www.apache.org/mirrors/

    Please consult the CHANGES_1.3 file for a full list of changes.

    As of Apache 1.3.12 binary distributions contain all standard Apache
    modules as shared objects (if supported by the platform) and include
    full source code.  Installation is easily done by executing the
    included install script.  See the README.bindist and INSTALL.bindist
    files for a complete explanation.  Please note that the binary
    distributions are only provided for your convenience and current
    distributions for specific platforms are not always available.   
Win32
    binary distributions are based on the Microsoft Installer (.MSI)
    technology.  While development continues to make this  
installation method
    more robust, questions should be directed to the
    news:comp.infosystems.www.servers.ms-windows newsgroup.

    For an overview of new features introduced after 1.2 please see

    http://httpd.apache.org/docs/new_features_1_3.html

    In general, Apache 1.3 offers several substantial improvements over
    version 1.2, including better performance, reliability and a wider
    range of supported platforms, including Windows NT and 2000 (which
    fall under the "Win32" label), OS2, Netware, and TPF threaded
    platforms.

    Apache is the most popular web server in the known universe; over  
half
    of the servers on the Internet are running Apache or one of its
    variants.

    IMPORTANT NOTE FOR APACHE USERS:   Apache 1.3 was designed for  
Unix OS
    variants.  While the ports to non-Unix platforms (such as Win32,  
Netware
    or OS2) are of an acceptable quality, Apache 1.3 is not optimized  
for
    these platforms.  Security, stability, or performance issues on  
these
    non-Unix ports do not generally apply to the Unix version, due to
    software's Unix origin.

    Apache 2.0 has been structured for multiple operating systems  
from its
    inception, by introducing the Apache Portability Library and MPM  
modules.
    Users on Unix and non-Unix platforms are strongly encouraged to  
move up to
    Apache 2.0 for better performance, stability and security on their
    platforms. We consider Apache 2.0.55 to be the best available  
version at
    the time of this release.  We offer Apache 1.3.34 as the best legacy
    version of Apache 1.3 available, and strongly recommend that  
users who
    require compatibility with existing Apache 1.3 installations should
    upgrade as soon as possible.  Users should first consider  
upgrading to
    the current release of Apache 2 instead.

                      Apache 1.3.34 Major changes

   Security vulnerabilities

      * SECURITY: core: If a request contains both Transfer-Encoding and
        Content-Length headers, remove the Content-Length, mitigating  
some
        HTTP Request Splitting/Spoofing attacks.  This has no impact on
        mod_proxy_http, yet affects any module which supports chunked
        encoding yet fails to prefer T-E: chunked over the Content- 
Length
        purported value.

      * Added TraceEnable [on|off|extended] per-server directive to  
alter
        the behavior of the TRACE method.  This addresses a flaw in  
proxy
        conformance to RFC 2616 - previously the proxy server would  
accept
        a TRACE request body although the RFC prohibited it.  The  
default
        remains 'TraceEnable on'.

   New features

    New features that relate to specific platforms:

      * None

    New features that relate to all platforms:

      * None

   Bugs fixed

    The following noteworthy bugs were found in Apache 1.3.33 (or  
earlier)
    and have been fixed in Apache 1.3.34:

      * hsregex: fix potential core dumping on 64 bit machines, such as
        AMD64. PR 31858.
      * mod_digest: Fix another nonce string calculation issue.



Mime
View raw message