The Apache HTTP Server Project has recently released a new version of its Apache application. The release belongs to the 1.3.x series and contains a number of bug and security fixes. It was decided to skip one version number, which is why the new release carries the version number 1.3.31. The release notes read as follows:
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 1.3.31 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 1.3.31 as compared to 1.3.29 (1.3.30 was not released).
This version of Apache is principally a bug and security fix release. A partial summary of the bug fixes is given at the end of this document. A full listing of changes can be found in the CHANGES file. Of particular note is that 1.3.31 addresses and fixes 4 potential security issues:
- CAN-2003-0987 (cve.mitre.org)
In mod_digest, verify whether the nonce returned in the client response is one we issued ourselves. This problem does not affect mod_auth_digest.
- CAN-2003-0020 (cve.mitre.org)
Escape arbitrary data before writing into the errorlog.
- CAN-2004-0174 (cve.mitre.org)
Fix starvation issue on listening sockets where a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket.
- CAN-2003-0993 (cve.mitre.org)
Fix parsing of Allow/Deny rules using IP addresses without a netmask; the issue is only known to affect big-endian 64-bit platforms.
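The first item above (CAN-2003-0987) is about a server accepting any nonce a client hands back instead of checking that the server itself issued it. The following is an added example, not code from the Apache project or from this announcement, showing one stateless way to do that check: the nonce carries its issue time and an HMAC over the time and realm under a server secret, so a nonce can be verified without storing it. `issue_nonce`, `verify_nonce`, `nonce_from_authorization` and `SERVER_SECRET` are names chosen for this example; the encoding of the nonce is an assumption and is not the scheme mod_digest or mod_auth_digest uses.

```python
import base64
import hashlib
import hmac
import os
import re
import time
from typing import Optional

# Constructed per-process secret for the example; a real server loads it from
# configuration so that every worker process issues and verifies the same nonces.
SERVER_SECRET = os.urandom(32)
NONCE_LIFETIME = 300  # seconds a nonce remains acceptable


def issue_nonce(realm: str, secret: bytes = SERVER_SECRET,
                now: Optional[float] = None) -> str:
    """Build nonce = base64("<issue_time>:<hmac(secret, issue_time:realm)>").

    The HMAC tag is what later proves that this server issued the nonce for this
    realm; no server-side table of outstanding nonces is needed.
    """
    ts = int(now if now is not None else time.time())
    tag = hmac.new(secret, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{ts}:{tag}".encode()).decode()


def verify_nonce(nonce: str, realm: str, secret: bytes = SERVER_SECRET,
                 now: Optional[float] = None,
                 lifetime: int = NONCE_LIFETIME) -> bool:
    """Accept only a nonce we issued for this realm that has not expired.

    Any parse failure, tag mismatch (wrong secret or wrong realm) or expired
    timestamp is a rejection; the caller then re-challenges the client.
    """
    try:
        ts_str, tag = base64.b64decode(nonce, validate=True).decode().split(":", 1)
        ts = int(ts_str)
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return False
    expected = hmac.new(secret, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # not issued by this server, or issued for another realm
    current = now if now is not None else time.time()
    return 0 <= current - ts <= lifetime


def nonce_from_authorization(header: str) -> Optional[str]:
    """Pull the nonce="..." parameter out of a Digest Authorization header."""
    m = re.search(r'\bnonce="([^"]*)"', header)
    return m.group(1) if m else None


if __name__ == "__main__":
    realm = "example realm"
    good = issue_nonce(realm)
    # Constructed client response carrying the nonce we issued.
    header = f'Digest username="alice", realm="{realm}", nonce="{good}", uri="/"'
    print("issued nonce accepted:", verify_nonce(nonce_from_authorization(header), realm))
    # A nonce the client made up (or one minted for a different realm) is rejected.
    print("client-chosen nonce accepted:", verify_nonce("ZmFrZQ==", realm))
    print("other-realm nonce accepted:", verify_nonce(issue_nonce("other"), realm))
```

Because the issue time is part of the nonce, the same check also bounds how long a captured Authorization header stays replayable; `NONCE_LIFETIME` is the knob for that trade-off.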
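The second item (CAN-2003-0020) concerns request data that reaches the error log unescaped, so a client can embed newlines (forging extra log lines) or terminal escape sequences (affecting whoever views the log). The block below is an added example, not Apache's own code, of the defensive rule the fix applies: every byte that is not printable ASCII is rewritten before it is written out, so one log record stays on one line and contains no control bytes. `escape_logitem` and `format_error_line` are names chosen for this example, and the `\xHH` escaping convention is an assumption rather than a claim about the exact output Apache 1.3.31 produces.

```python
def escape_logitem(data: bytes) -> str:
    """Render untrusted bytes so they cannot break a single-line log record.

    Printable ASCII passes through; backslash, CR, LF and TAB get C-style
    escapes; every other byte (including ESC and bytes >= 0x7f) becomes \\xHH.
    """
    out = []
    for b in data:
        if b == 0x5C:            # backslash, so escapes are unambiguous
            out.append("\\\\")
        elif b == 0x0A:
            out.append("\\n")
        elif b == 0x0D:
            out.append("\\r")
        elif b == 0x09:
            out.append("\\t")
        elif 0x20 <= b < 0x7F:   # printable ASCII
            out.append(chr(b))
        else:                    # control bytes, DEL, non-ASCII
            out.append(f"\\x{b:02x}")
    return "".join(out)


def format_error_line(level: str, client_ip: str, message: bytes) -> str:
    """Compose one error-log record; the message may carry request data."""
    return f"[{level}] [client {client_ip}] {escape_logitem(message)}"


if __name__ == "__main__":
    # Constructed request path that tries to forge a second log record and to
    # colour the terminal of anyone tailing the log.
    hostile = b"File does not exist: /index.html\r\n[notice] forged entry\x1b[31m"
    line = format_error_line("error", "192.0.2.10", hostile)
    print(line)
    print("records on one line:", "\n" not in line and "\r" not in line)
```

The same routine belongs in front of any other place where client-controlled text lands in a log, not only the error log; the access log's request line and User-Agent fields are the usual candidates.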
New features that relate to specific platforms:
- Linux 2.4+: If Apache is started as root and you code CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
The following bugs were found in Apache 1.3.29 (or earlier) and have been fixed in Apache 1.3.31:
- Add mod_whatkilledus and mod_backtrace (experimental) for reporting diagnostic information after a child process crash.
- Add fatal exception hook for running diagnostic code after a crash.
- Forensic logging module added (mod_log_forensic).
- '%X' is now accepted as an alias for '%c' in the LogFormat directive. This allows you to configure logging to still log the connection status even with mod_ssl.
- Fix memory corruption problem with ap_custom_response() function. The core per-dir config would later point to request pool data that would be reused for different purposes on different requests.
- mod_usertrack no longer inspects the Cookie2 header for the cookie name. It also no longer overwrites other cookies.
- Fix bug causing core dump when using CookieTracking without specifying a CookieName directly.
- UseCanonicalName off was ignoring the client provided port information.