Apache 2.0.48 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the eleventh public release of the Apache 2.0
   HTTP Server.  This Announcement notes the significant changes in
   2.0.48 as compared to 2.0.47.

   This version of Apache is principally a bug fix release.  A summary of
   the bug fixes is given at the end of this document.  Of particular
   note is that 2.0.48 addresses two security vulnerabilities:

   mod_cgid mishandling of CGI redirect paths could result in CGI output
   going to the wrong client when a threaded MPM is used.

   A buffer overflow could occur in mod_alias and mod_rewrite when
   a regular expression with more than 9 captures is configured.

   This release is compatible with modules compiled for 2.0.42 and later
   versions.  We consider this release to be the best version of Apache
   available and encourage users of all prior versions to upgrade.

   Apache 2.0.48 is available for download from


   Please see the CHANGES_2.0 file, linked from the above page, for
   a full list of changes.

   Apache 2.0 offers numerous enhancements, improvements, and performance
   boosts over the 1.3 codebase.  For an overview of new features introduced
   after 1.3 please see


   When upgrading or installing this version of Apache, please keep
   in mind the following:
   If you intend to use Apache with one of the threaded MPMs, you must
   ensure that the modules (and the libraries they depend on) that you
   will be using are thread-safe.  Please contact the vendors of these
   modules to obtain this information.

                       Apache 2.0.48 Major changes

   Security vulnerabilities closed since Apache 2.0.47

    *) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
       the AF_UNIX socket used to communicate with the cgid daemon and
       the CGI script.  [Jeff Trawick]

    *) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and
       mod_rewrite which occurred if one configured a regular expression
       with more than 9 captures.  [André Malo]

   Bugs fixed and features added since Apache 2.0.47

    *) mod_include: fix segfault which occured if the filename was not
       set, for example, when processing some error conditions.
       PR 23836.  [Brian Akins <[EMAIL PROTECTED]>, André Malo]

    *) fix the config parser to support <Foo>..</Foo> containers (no
       arguments in the opening tag) supported by httpd 1.3. Without
       this change mod_perl 2.0's <Perl> sections are broken.
       ["Philippe M. Chiasson" <[EMAIL PROTECTED]>]

    *) mod_cgid: fix a hash table corruption problem which could
       result in the wrong script being cleaned up at the end of a
       request.  [Jeff Trawick]

    *) Update httpd-*.conf to be clearer in describing the connection
       between AddType and AddEncoding for defining the meaning of
       compressed file extensions. [Roy Fielding]

    *) mod_rewrite: Don't die silently when failing to open RewriteLogs.
       PR 23416.  [André Malo]

    *) mod_rewrite: Fix mod_rewrite's support of the [P] option to send
       rewritten request using "proxy:". The code was adding multiple "proxy:"
       fields in the rewritten URI. PR: 13946.
       [Eider Oliveira <[EMAIL PROTECTED]>]

    *) cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and
       expires as directed in RFC 2616. [Thomas Castelle [EMAIL PROTECTED]

    *) Ensure that ssl-std.conf is generated at configure time, and switch
       to using the expanded config variables to work the same as
       httpd-std.conf PR: 19611
       [Thom May]

    *) mod_ssl: Fix segfaults after renegotiation failure. PR 21370
       [Hartmut Keil <[EMAIL PROTECTED]>]

    *) mod_autoindex: If a directory contains a file listed in the
       DirectoryIndex directive, the folder icon is no longer replaced
       by the icon of that file. PR 9587.
       [David Shane Holden <[EMAIL PROTECTED]>]

    *) Fixed mod_usertrack to not get false positive matches on the
       user-tracking cookie's name.  PR 16661.
       [Manni Wood <[EMAIL PROTECTED]>]

    *) mod_cache: Fix the cache code so that responses can be cached
       if they have an Expires header but no Etag or Last-Modified
       headers. PR 23130.

    *) mod_log_config: Fix %b log format to write really "-" when 0 bytes
       were sent (e.g. with 304 or 204 response codes).  [Astrid Keßler]

    *) Modify ap_get_client_block() to note if it has seen EOS.
       [Justin Erenkrantz]

    *) Fix a bug, where mod_deflate sometimes unconditionally compressed the
       content if the Accept-Encoding header contained only other tokens than
       "gzip" (such as "deflate"). PR 21523.  [Joe Orton, André Malo]

    *) Avoid an infinite recursion, which occured if the name of an included
       config file or directory contained a wildcard character. PR 22194.
       [André Malo]

    *) mod_ssl: Fix a problem setting variables that represent the
       client certificate chain.  PR 21371  [Jeff Trawick]

    *) Unix: Handle permissions settings for flock-based mutexes in
       unixd_set_global|proc_mutex_perms().  Allow the functions to be
       called for any type of mutex.  PR 20312  [Jeff Trawick]

    *) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]

    *) Fix a misleading message from the some of the threaded MPMs when
       MaxClients has to be lowered due to the setting of ServerLimit.
       [Jeff Trawick]

    *) Lower the severity of the "listener thread didn't exit" message
       to debug, as it is of interest only to developers.  PR 9011
       [Jeff Trawick]

    *) MPMs: The bucket brigades subsystem now honors the MaxMemFree setting.
       [Cliff Woolley, Jean-Jacques Clar]

    *) Install config.nice into the build/ directory to make
       minor version upgrades easier. [Joshua Slive]

    *) Fix mod_deflate so that it does not call deflate() without checking
       first whether it has something to deflate. (Currently this causes
       deflate to generate a fatal error according to the zlib spec.)
       PR 22259. [Stas Bekman]

    *) mod_ssl: Fix FakeBasicAuth for subrequest.  Log an error when an
       identity spoof is encountered.
       [Sander Striker]

    *) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory
       containing the .htaccess file is requested without a trailing slash.
       PR 20195.  [André Malo]

    *) ab: Overlong credentials given via command line no longer clobber
       the buffer.  [André Malo]

    *) mod_deflate: Don't attempt to hold all of the response until we're
       done.  [Justin Erenkrantz]

    *) Assure that we block properly when reading input bodies with SSL.
       PR 19242.  [David Deaves <[EMAIL PROTECTED]>, William Rowe]

    *) Update mime.types to include latest IANA and W3C types.  [Roy Fielding]

    *) mod_ext_filter: Set additional environment variables for use by
       the external filter.  PR 20944.  [Andrew Ho, Jeff Trawick]

    *) Fix buildconf errors when libtool version changes.  [Jeff Trawick]

    *) Remember an authenticated user during internal redirects if the
       redirection target is not access protected and pass it
       to scripts using the REDIRECT_REMOTE_USER environment variable.
       PR 10678, 11602.  [André Malo]

    *) mod_include: Fix a trio of bugs that would cause various unusual
       sequences of parsed bytes to omit portions of the output stream.
       PR 21095. [Ron Park <[EMAIL PROTECTED]>, André Malo, Cliff Woolley]

    *) Update the header token parsing code to allow LWS between the
       token word and the ':' seperator.  [PR 16520]
       [Kris Verbeeck <[EMAIL PROTECTED]>, Nicel KM <[EMAIL PROTECTED]>]

    *) Eliminate creation of a temporary table in ap_get_mime_headers_core()
       [Joe Schaefer <[EMAIL PROTECTED]>]

    *) Added FreeBSD directory layout. PR 21100.
       [Sander Holthaus <[EMAIL PROTECTED]>, André Malo]

    *) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP
       response. PR 21085. [Glenn Nielsen <[EMAIL PROTECTED]>, André Malo]

    *) mod_rewrite: Perform child initialization on the rewrite log lock.
       This fixes a log corruption issue when flock-based serialization
       is used (e.g., FreeBSD).  [Jeff Trawick]

    *) Don't respect the Server header field as set by modules and CGIs.
       As with 1.3, for proxy requests any such field is from the origin
       server; otherwise it will have our server info as controlled by
       the ServerTokens directive.  [Jeff Trawick]

Reply via email to