Software-update: Apache 2.2.9

Het ontwikkelteam van het Apache HTTP Server Project heeft een nieuwe versie van hun Apache http-server uitgegeven. Deze webserver wordt op veel platformen gebruikt en is met behulp van modules met allerlei functionaliteiten uit te rusten. Het versienummer is aangekomen bij 2.2.9 en voorzien van de volgende aankondiging en lijst met aanpassingen:

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.9 of the Apache HTTP Server ("Apache").

This version of Apache is principally a bug and security fix release. The following potential security flaws are addressed:

• CVE-2008-2364: mod_proxy_http: Better handling of excessive interim responses from origin server to prevent potential denial of service and high memory usage. Reported by Ryujiro Shibuya.
• CVE-2007-6420: mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager interface.

We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

Changes with Apache 2.2.9:

• core: Fix address-in-use startup failure on some platforms caused by creating an IPv4 listener which overlaps with an existing IPv6 listener.
• mod_proxy: Make all proxy modules nocanon aware and do not add the query string again in this case. PR 44803.
• mod_unique_id: Fix timestamp value in UNIQUE_ID. PR 37064
• htpasswd: Fix salt generation weakness. PR 31440
• core: Add the filename of the configuration file to the warning message about the useless use of AllowOverride. PR 39992.
• scoreboard: Remove unused proxy load balancer elements from scoreboard image (not scoreboard memory itself).
• mod_proxy: Support environment variable interpolation in reverse proxying directives.
• suexec: When group is given as a numeric gid, validate it by looking up the actual group name such that the name can be used in log entries. PR 7862
• Fix garbled TRACE response on EBCDIC platforms.
• ab: Include earlier if available since we may need INT_MAX (defined there on Windows) for the definition of MAX_REQUESTS. PR 45024
• ab: Improve client performance by clearing connection pool instead of destroying it. PR 40054
• ab: Don't stop sending a request if EAGAIN is returned, which will only happen if both the write and subsequent wait are returning EAGAIN, and count posted bytes correctly when the initial write of a request is not complete. PR 10038, 38861, 39679
• ab: Overhaul stats collection and reporting to avoid integer truncation and time divisions within the test loop, retain native time resolution until output, remove unused data, consistently round milliseconds, and generally avoid losing accuracy of calculation due to type casts. PR 44878, 44931.
• ab: Add -r option to continue after socket receive errors.
• core: Do not allow Options ALL if not all options are allowed to be overwritten. PR 44262
• mod_cache: Handle If-Range correctly if the cached resource was stale. PR 44579
• mod_proxy: Do not try a direct connection if the connection via a remote proxy failed before and the request has a request body.
• mod_proxy_ajp: Do not retry request in the case that we either failed to sent a part of the request body or if the request is not idempotent. PR 44334
• mod_rewrite: Initialize hash needed by ap_register_rewrite_mapfunc early enough. PR 44641
• mod_dav: Return "method not allowed" if the destination URI of a WebDAV copy / move operation is no DAV resource. PR 44734
• http_filters: Don't return 100-continue on redirects. PR 43711
• mod_ssl: Fix a memory leak with connections that have zlib compression turned on. PR 44975
• mod_proxy: Trigger a retry by the client in the case we fail to read the response line from the backend by closing the connection to the client. PR 37770
• gen_test_char: add double-quote to the list of T_HTTP_TOKEN_STOP. PR 9727
• core: reinstate location walk to fix config for subrequests PR 41960
• rotatelogs: Log the current file size and error code/description when failing to write to the log file.
• rotatelogs: Added '-f' option to force rotatelogs to create the logfile as soon as started, and not wait until it reads the first entry.
• rotatelogs: Don't leak memory when reopening the logfile. PR 40183
• rotatelogs: Improve atomicity when using -l and cleaup code. PR 44004
• mod_authn_dbd: Disambiguate and tidy database authentication error messages. PR 43210.
• mod_headers: Add 'merge' option to avoid duplicate values within the same header.
• mod_cgid: Explicitly set permissions of the socket (ScriptSock) shared by mod_cgid and request processing threads, for OS'es such as HPUX and AIX that do not use umask for AF_UNIX socket permissions.
• mod_cgid: Don't try to restart the daemon if it fails to initialize the socket.
• mod_log_config: Add format options for %p so that the actual local or remote port can be logged. PR 43415.
• Added 'disablereuse' option for ProxyPass which, essentially, disables connection pooling for the backend servers.
• mod_speling: remove regression from 1.3/2.0 behavior and drop dependency between mod_speling and AcceptPathInfo. PR 43562
• mod_substitute: The default is now flattening the buckets after each substitution. The newly added 'q' flag allows for the quicker, more efficient bucket-splitting if the user so desires.
• http_filters: Don't spin if get an error when reading the next chunk. PR 44381
• ab: Do not try to read non existing response bodies of HEAD requests. PR 34275
• ab: Use a 64 bit unsigned int instead of a signed long to count the bytes transferred to avoid integer overflows. PR 44346
• ProxyPassReverse is now balancer aware.
• mod_include: Correctly handle SSI directives split over multiple filter passes. PR 44447
• mod_cache: Revalidate cache entities which have Cache-Control: no-cache set in their response headers. PR 44511
• mod_rewrite: Check all files used by DBM maps for freshness, mod_rewrite didn't pick up on updated sdbm maps due to this. PR41190
• mod_proxy: Lower memory consumption for short lived connections. PR 44026
• mod_proxy: Keep connections to the backend persistent in the HTTPS case.
• Don't add bogus duplicate Content-Language entries PR 11035
• Worker / Event MPM: Fix race condition in pool recycling that leads to segmentation faults under load. PR 44402
• mod_proxy_ftp: Fix base for directory listings. PR 27834
• mod_logio: Provide optional function to allow modules to adjust the bytes_in count
• http_filters: Don't return 100-continue on client error PR 43711
• mod_charset_lite: Add TranslateAllMimeTypes sub-option to CharsetOptions, allowing the administrator to skip the mimetype checking that precedes translation. PR 44458
• mod_proxy_http: Fix processing of chunked responses if Connection: Transfer-Encoding is set in the response of the proxied system. PR 44311
• mod_proxy_http: Return HTTP status codes instead of apr_status_t values for errors encountered while forwarding the request body PR 44165
• mod_rewrite: Don't canonicalise URLs with [P,NE] PR 43319