Apache for OSX 2.0.55 review
DownloadApache is the most popular internet webserver application in the world.
|
|
Apache is the most popular internet webserver application in the world.
It's created by a collaborative effect of software developers.
The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation.
These volunteers are known as the Apache Group. In addition,hundreds of users have contributed ideas, code, and documentation to theproject.
This version of Apache is a precompiled binary for MacOS X and Darwin users.
What's New:
SECURITY: CAN-2005-2700 (cve.mitre.org) mod_ssl: Fix a security issue where "SSLVerifyClient" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the vhost configuration. [Joe Orton]
worker MPM: Fix a memory leak which can occur after an aborted connection in some limited circumstances. [Greg Ames]
mod_ldap: Fix PR 36563. Keep track of the number of attributes retrieved from LDAP so that all of the values can be properly cached even if the value is NULL. [Brad Nicholes, Ondrej Sury ]
SECURITY: CAN-2005-2491 (cve.mitre.org): Fix integer overflows in PCRE in quantifier parsing which could be triggered by a local user through use of a carefully-crafted regex in an .htaccess file. [Philip Hazel]
SECURITY: CAN-2005-2088 (cve.mitre.org) proxy: Correctly handle the Transfer-Encoding and Content-Length headers. Discard the request Content-Length whenever T-E: chunked is used, always passing one of either C-L or T-E: chunked he never the request includes a request body. Resolves an entire class of proxy HTTP Request Splitting/Spoofing attacks. [William Rowe]
Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method. This addresses a flaw in proxy conformance to RFC 2616 - previously the proxy server would accept a TRACE request body although the RFC prohibited it. The default remains 'TraceEnable on'. [William Rowe]
Add ap_log_cerror() for logging messages associated with particular client connections. [Jeff Trawick]
Correct mod_cgid's argv[0] so that the full path can be delved by the invoked cgi application, to conform to the behavior of mod_cgi. [Pradeep Kumar S ]
mod_include: Fix possible environment variable corruption when using nested includes. PR 12655. [Joe Orton]
Support the suppress-error-charset setting, as with Apache 1.3.x. PR 31274. [Jeff Trawick]
EBCDIC: Handle chunked input from client or, with proxy, origin server. [Jeff Trawick]
Fix bad globbing comparison which could result in getting a directory listing when a file was requested. PR 34512. [sean ]
Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker() was called even if mod_auth_ldap_check_user_id() was not (or if it didn't succeed) for non-authoritative cases. [Jim Jagielski]
SECURITY: CAN-2005-2728 (cve.mitre.org) Fix cases where the byterange filter would buffer responses into memory. PR 29962. [Joe Orton]
mod_proxy: Fix over-eager handling of '%' for reverse proxies. PR 15207. [Jim Jagielski]
mod_ldap: Fix various shared memory cache handling bugs. PR 34209. [Joe Orton]
Fix a file descriptor leak when starting piped loggers. PR 33748. [Joe Orton]
mod_ldap: Avoid segfaults when opening connections if using a version of OpenLDAP older than 2.2.21. PR 34618. [Brad Nicholes]
mod_ssl: Fix build with OpenSSL 0.9.8. PR 35757. [William Rowe]
SECURITY: CAN-2005-2088 (cve.mitre.org) core: If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks. [Paul Querna, Joe Orton]
proxy HTTP: If a response contains both Transfer-Encoding and a Content-Length, remove the Content-Length and don't reuse the connection, mitigating some HTTP Response Splitting attacks. [Jeff Trawick]
Prevent hangs of child processes when writing to piped loggers at the time of graceful restart. PR 26467. [Jeff Trawick]
SECURITY: CAN-2005-1268 (cve.mitre.org) mod_ssl: Fix off-by-one overflow whilst printing CRL information at "LogLevel debug" which could be triggered if configured to use a "malicious" CRL. PR 35081. [Marc Stern ]
mod_userdir: Fix possible memory corruption issue. PR 34588. [David Leonard ]
worker mpm: don't take down the whole server for a transient thread creation failure. PR 34514 [Greg Ames]
mod_rewrite: use buffered I/O to improve performance with large RewriteMap txt: files. [Greg Ames]
proxy HTTP: Rework the handling of request bodies to handle chunked input and input filters which modify content length, and avoid spooling arbitrary-sized request bodies in memory. PR 15859. [Jeff Trawick].
Apache for OSX 2.0.55 keywords