The development team of the Apache HTTP Server Project has released a new version of its Apache HTTP server. This web server is used on many platforms and can be extended with all kinds of functionality by means of modules. The version number has now reached 2.2.6, and the release comes with the following announcement and list of changes:
The Apache HTTP Server Project is proud to announce the release of version 2.2.6 of the Apache HTTP Server ("Apache"). This version is principally a security and bugfix release.
This version of Apache is a major release and the start of a new stable branch, and represents the best available version of Apache HTTP Server. New features include Smart Filtering, Improved Caching, AJP Proxy, Proxy Load Balancing, Graceful Shutdown support, Large File Support, the Event MPM, and refactored Authentication/Authorization.
Changes with Apache 2.2.6:
There was no Apache 2.2.5.
- SECURITY (CVE-2007-3847): mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144.
- SECURITY (CVE-2007-1863): mod_cache: Prevent a segmentation fault if attributes are listed in a Cache-Control header without any value.
- SECURITY (CVE-2007-3304): prefork, worker, event MPMs: Ensure that the parent process cannot be forced to kill processes outside its process group.
- SECURITY (CVE-2006-5752): mod_status: Fix a possible XSS attack against a site with a public server-status page and ExtendedStatus enabled, for browsers which perform charset "detection". Reported by Stefan Esser.
- SECURITY (CVE-2007-1862): mod_mem_cache: Copy headers into longer lived storage; header names and values could previously point to cleaned up storage. PR 41551.
- mod_info: mod_info outputs invalid XHTML 1.0 transitional. PR 42847.
- mod_ssl: Fix spurious hostname mismatch warning for valid wildcard certificates. PR 37911.
- mod_mem_cache: Increase the minimum and default value for MCacheMinObjectSize from 0 to 1, as a MCacheMinObjectSize of 0 does not make sense and leads to a division by zero. PR 40576.
- mod_cache: Remove expired content from cache that cannot be revalidated. PR 30370.
- mod_proxy_http: accept proxy-sendchunked/proxy-sendchunks as synonymous. PR 43183.
- mod_proxy: Ensure that at least scheme://hostname[:port] matches between worker and URL when searching for the best fitting worker for a given URL. PR 40910.
- mod_proxy: Improve network performance by setting APR_TCP_NODELAY (disable Nagle algorithm) on sockets if implemented. PR 42871.
- core: Do not replace a Date header set by a proxied backend server. PR 40232.
- mod_proxy: Add a missing assignment in an error checking code path. PR 40865.
- mod_proxy_connect: avoid segfault on DNS lookup failure. PR 40756.
- mod_proxy: enable Ignore Errors option on ProxyPass Status. PR 43167.
- mod_proxy_http: Don't try to read body of a HEAD request before responding. PR 41644.
- mod_authnz_ldap: Don't return HTTP_UNAUTHORIZED during authorization when LDAP authentication is configured but we haven't seen any 'Require ldap-*' directives, allowing authorization to be passed to lower level modules (e.g. Require valid-user). PR 43281.
- mod_proxy: don't URLencode tilde in path component. PR 38448.
- proxy/ajp_header.c: Fixed header token string comparisons. Matching of header tokens failed to include the trailing NIL byte and could misinterpret a longer header token for a shorter one. Additionally, a "Content-Type" comparison was made case insensitive.
- proxy/ajp_header.c: Backport of an AJP protocol fix for EBCDIC. On EBCDIC machines, the status_line string was incorrectly converted twice.
- mod_dumpio: Fix for correct dumping of traffic on EBCDIC hosts. Data had been incorrectly converted twice, resulting in garbled log output.
- mod_autoindex: Add in Type and Charset options to IndexOptions directive. This allows the admin to explicitly set the content-type and charset of the generated page and is therefore a viable workaround for buggy browsers affected by CVE-2007-4465.
- log core: ensure we use a special pool for stderr logging, so that the stderr channel remains valid from the time plog is destroyed, until the time the open_logs hook is called again.
- mod_negotiation: preserve Query String in resolving a type map. PR 33112.
- mod_ssl: Version reporting update; displays 'compiled against' Apache and build-time SSL Library versions at loglevel [info], while reporting the run-time SSL Library version in the server info tags. Helps to identify a mod_ssl built against one flavor of OpenSSL but running against another (also adds SSL-C version number reporting.)
- mime.types: Many updates to sync with IANA registry and common unregistered types that the owners refuse to register. Admins are encouraged to update their installed mime.types file. PR: 35550, 37798, 39317, 31483
- mod_expires: don't crash on bad configuration data. PR 43213.
- mod_dbd: Introduce configuration groups to allow inheritance by virtual hosts of database configurations from the main server. Determine the minimal set of distinct configurations and share connection pools whenever possible. Allow virtual hosts to override inherited SQL statements. PR 41302.
- mod_dbd: Create memory sub-pools for each DB connection and close DB connections in a pool cleanup function. Ensure prepared statements are destroyed before DB connection is closed. When using reslists, prevent segfaults when child processes exit, and stop memory leakage of ap_dbd_t structures. Avoid use of global s->process->pool, which isn't destroyed by exiting child processes in most multi-process MPMs. PR 39985.
- mod_dbd: Handle error conditions in dbd_construct() properly. Simplify ap_dbd_open() and use correct arguments to apr_dbd_error() when non-threaded. Register correct cleanup data in non-threaded ap_dbd_acquire() and ap_dbd_cacquire(). Clean up configuration data and merge function. Use ap_log_error() wherever possible.
- mod_dbd: Stash DBD connections in request_config of initial request only, or else sub-requests and internal redirections may cause entire DBD pool to be stashed in a single HTTP request.
- main core: Emit errors during the initial apr_app_initialize() or apr_pool_create() (when apr-based error reporting is not ready).
- log core: fix the new piped logger case where we couldn't connect the replacement stderr logger's stderr to the NULL stdout stream. Continue in this case, since the previous alternative of no error logging at all (/dev/null) is far worse.
- mpm_winnt: Prevent the parent-child pipe from leaking into other spawned processes, and ensure we have a /Device/null handle for stdout when running as-a-service.
- mod_ldap: Avoid possible crashes, hangs, and busy loops due to improper merging of the cache lock in vhost config. PR 43164.
- ApacheMonitor: Fix Windows Vista detection.
- mod_deflate: fix protocol handling in deflate input filter. PR 23287.
- mod_filter: fix integer comparisons in dispatch rules. PR 41835.
- mod_filter: fix merging of ! and = in FilterChain. PR 42186.
- mod_deflate: don't try to process metadata buckets as data. What should have been a 413 error was logged as a 500 and a blank screen appeared at the browser.
- mod_cgi, mod_cgid: Fix use of CGI scripts as ErrorDocuments. PR 39710.
- mod_proxy: Allow to use different values for sessionid in url encoded id and cookies. PR 41897.
- mod_proxy: Fix the 503 returned when session route does not match any of the balancer members.
- mod_proxy: Added ProxyPassMatch directive, which is similar to ProxyPass but takes a regex local path prefix.
- mod_cache: Do not set Date or Expires when they are missing from the original response or are invalid.
- mod_cache: Correctly handle HEAD requests on expired cache content. PR 41230.
- mod_cache: Let Cache-Control max-age set the expiration of the cached representation if Expires is not set.
- mod_cache: Allow caching of requests with query arguments when Cache-Control max-age is explicitly specified.
- mod_disk_cache: Allow Vary'd responses to be refreshed properly.
- mod_proxy: Print the correct error message for erroneous configured ProxyPass directives. PR 40439.
- mod_so: Provide more helpful LoadModule feedback when an error occurs.
- mod_alias: Accept path components (URL part) in Redirects. PR 35314.
- mod_headers: Allow % at the end of a Header value. PR 36609.
- mod_cache: Use the same cache key throughout the whole request processing to handle escaped URLs correctly. PR 41475.
- mod_cache: Add CacheIgnoreQueryString directive. PR 41484.
- mod_cache: While serving a cached entity ensure that filters that have been applied to this cached entity before saving it to the cache are not applied again. PR 40090.
- mod_cache: Correctly cache objects whose URL query string has been modified by mod_rewrite. PR 40805.
- HTTP proxy ProxyErrorOverride: Leave 1xx and 3xx responses alone. Only processing of error responses (4xx, 5xx) will be altered. PR 39245.
- htdbm: Enable crypt support on platforms with crypt() but not <crypt.h>, such as z/OS.
- mod_ssl: initialize thread locks before initializing the hardware acceleration library, so the latter can make use of the former. PR 20951.
- ab.c: Correct behavior of HTTP request headers sent by ab in presence of -H command-line overrides. PR 31268, 26554.
- ab.c: The apr_port_t type is unsigned, but ab was using a signed format code in its reports. PR 42070.
- mod_ldap: Remove the hardcoded size limit parameter for ldap_search_ext_s and replace it with an APR_ defined value that is set according to the LDAP SDK being used.
- core: Correct a regression since 2.0.x in the handling of AllowOverride Options. PR 41829.
- mod_proxy_http: Handle request bodies larger than 2 GB by converting the Content-Length header of the request correctly. PR 40883.
- mod_proxy: Fix some proxy setting inheritance problems (eg: ProxyTimeout). PR 11540.
- Unix MPMs: Catch SIGFPE so that exception hooks and CoreDumpDirectory can work after that terminating signal.
- Win32: Makefile.win will now build with MS VC 8 (Visual Studio 2005) including embedding the .manifest information into each binary.
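Several entries above introduce or change configuration directives (the Type and Charset options of IndexOptions, ProxyPassMatch, CacheIgnoreQueryString, the raised minimum for MCacheMinObjectSize, and the narrowed behaviour of ProxyErrorOverride), and the mod_status fix only applies to a publicly reachable server-status page. The configuration below is an added example showing how these fit together on a 2.2.6 server; it is not part of the announcement or of the Apache project's own documentation. The directory paths, the backend hostname, and the error page location are assumptions.

```apache
# Added example, not from the release notes. Paths and hostnames are placeholders.

# CVE-2007-4465 workaround (mod_autoindex): state the content-type and charset
# of generated directory listings explicitly, so browsers do not fall back to
# charset "detection" on them.
<Directory "/var/www/htdocs/downloads">
    Options +Indexes
    IndexOptions Type=text/html Charset=UTF-8
</Directory>

# mod_status: the CVE-2006-5752 fix concerns a public server-status page with
# ExtendedStatus enabled; keep the page restricted to the loopback address.
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>

# mod_proxy: ProxyPassMatch takes a regex local path prefix ($1 is the capture),
# alongside a conventional ProxyPass for a fixed prefix.
ProxyPassMatch ^/images/(.*\.gif)$ http://backend.example.internal/images/$1
ProxyPass /app http://backend.example.internal/app
ProxyPassReverse /app http://backend.example.internal/app
# ProxyErrorOverride now leaves 1xx and 3xx backend responses alone; only
# 4xx/5xx responses are replaced by the local ErrorDocument.
ProxyErrorOverride On
ErrorDocument 502 /errors/backend-down.html

# mod_cache / mod_mem_cache: the new CacheIgnoreQueryString directive, and
# MCacheMinObjectSize set to its new minimum of 1 (0 caused a division by zero).
CacheEnable mem /static
CacheIgnoreQueryString On
MCacheSize 4096
MCacheMinObjectSize 1
MCacheMaxObjectSize 65536
```

The IndexOptions and Location blocks belong in the main server or virtual-host context that serves the listings and the status page; the mod_proxy and mod_cache directives require the corresponding modules (mod_proxy, mod_proxy_http, mod_cache, mod_mem_cache) to be loaded.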