[vox] [Fwd: [ANNOUNCE][SECURITY] Apache 2.0.47 released]

ME vox@lists.lugod.org
Wed, 9 Jul 2003 19:01:49 -0700 (PDT)


Howdy all,

If you are using the 2.0.x series of the apache web server (not the 1.3.x
version) there is (yet another) release of apache 2.0.x.

More info below:

---------------------------- Original Message ----------------------------
Subject: [ANNOUNCE][SECURITY] Apache 2.0.47 released
From:    "Apache HTTP Server Project" <striker@apache.org>
Date:    Wed, July 9, 2003 5:01
To:      announce@apache.org
--------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                       Apache 2.0.47 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the tenth public release of the Apache 2.0 HTTP
   Server.  This Announcement notes the significant changes in 2.0.47 as
   compared to 2.0.46.


   This version of Apache is principally a security and bug fix release.
   A summary of the bug fixes is given at the end of this document.  Of
   particular note is that 2.0.47 addresses four security
   vulnerabilities:

   Certain sequences of per-directory renegotiations and the
   SSLCipherSuite directive being used to upgrade from a weak ciphersuite
   to a strong one could result in the weak ciphersuite being used in
   place of the strong one.
   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0192]

   Certain errors returned by accept() on rarely accessed ports could
   cause temporary denial of service, due to a bug in the prefork MPM.
   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0253]

   Denial of service was caused when the target host is IPv6 but the ftp
   proxy server can't create an IPv6 socket.
   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0254]

   The server would crash when going into an infinite loop due to too
   many subsequent internal redirects and nested subrequests.
   [VU#379828]

   The Apache Software Foundation would like to thank Saheed Akhtar and
   Yoshioka Tsuneo for the responsible reporting of two of these issues.


   This release is compatible with modules compiled for 2.0.42 and later
   versions.  We consider this release to be the best version of Apache
   available and encourage users of all prior versions to upgrade.

   Apache 2.0.47 is available for download from

     http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.0 file, linked from the above page, for a
   full list of changes.

   Apache 2.0 offers numerous enhancements, improvements, and performance
   boosts over the 1.3 codebase.  For an overview of new features
   introduced after 1.3 please see

     http://httpd.apache.org/docs-2.0/new_features_2_0.html

   When upgrading or installing this version of Apache, please keep in
   mind the following:

   If you intend to use Apache with one of the threaded MPMs, you must
   ensure that the modules (and the libraries they depend on) that you
   will be using are thread-safe.  Please contact the vendors of these
   modules to obtain this information.


                       Apache 2.0.47 Major changes

   Security vulnerabilities closed since Apache 2.0.46

    *) SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
       of per-directory renegotiations and the SSLCipherSuite directive
       being used to upgrade from a weak ciphersuite to a strong one could
       result in the weak ciphersuite being used in place of the strong
       one.  [Ben Laurie]

    *) SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing
       temporary denial of service when accept() on a rarely accessed port
       returns certain errors.  Reported by Saheed Akhtar
       <S.Akhtar@talis.com>.  [Jeff Trawick]

    *) SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial
       of service when target host is IPv6 but proxy server can't create
       IPv6 socket.  Fixed by the reporter.  [Yoshioka Tsuneo
       <tsuneo.yoshioka@f-secure.com>]

    *) SECURITY [VU#379828]: Prevent the server from crashing when entering
       infinite loops.  The new LimitInternalRecursion directive configures
       limits of subsequent internal redirects and nested subrequests,
       after which the request will be aborted.  PR 19753 (and probably
       others).  [William Rowe, Jeff Trawick, André Malo]

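As an added illustration (not part of the announcement or the Apache project's own documentation), an httpd.conf fragment showing the two configuration points these entries touch: a per-directory SSLCipherSuite upgrade of the kind CAN-2003-0192 affected, and the LimitInternalRecursion guard introduced for VU#379828. The cipher strings, the /secure/ path and the limit values are assumptions chosen for the example.

```apache
# Added example, not from the announcement.  Directive names are real
# mod_ssl / core directives; the values below are illustrative only.

# 1. Per-directory cipher upgrade (CAN-2003-0192).
#    A broad suite list is permitted server-wide, but content under
#    /secure/ requires a strong suite, which forces a renegotiation.
#    Before 2.0.47 that renegotiation could leave the weaker suite in
#    effect; 2.0.47 enforces the per-directory value.  The configuration
#    itself is unchanged by the fix, so the mitigation is the upgrade.
SSLEngine on
SSLCipherSuite ALL:!aNULL:!eNULL
<Location /secure/>
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5
</Location>

# 2. Recursion guard (VU#379828), new in 2.0.47.
#    First number: maximum chain of internal redirects; second number:
#    maximum depth of nested subrequests.  A request exceeding either
#    limit is aborted with a server error instead of crashing the child.
#    The shipped default is 10 for both; it is set explicitly here so
#    the limit is visible in the configuration.
LimitInternalRecursion 10 10
```

An explicit, lower LimitInternalRecursion value is a reasonable choice on servers whose rewrite or alias rules are known to never chain more than a few redirects, since a hit on the limit then shows up in the error log as a configuration fault rather than as a crash.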

   Bugs fixed and features added since Apache 2.0.46

    *) core_output_filter: don't split the brigade after a FLUSH bucket if
       it's the last bucket.  This prevents creating unnecessary empty
       brigades which may not be destroyed until the end of a keepalive
       connection.
       [Juan Rivera <Juan.Rivera@citrix.com>]

    *) Add support for "streamy" PROPFIND responses.
       [Ben Collins-Sussman <sussman@collab.net>]

    *) mod_cgid: Eliminate a double-close of a socket.  This resolves
       various operational problems in a threaded MPM, since on the second
       attempt to close the socket, the same descriptor was often already
       in use by another thread for another purpose.  [Jeff Trawick]

    *) mod_negotiation: Introduce "prefer-language" environment variable,
       which allows influencing the negotiation process on a per-request
       basis to prefer a certain language.  [André Malo]

    *) Make mod_expires' ExpiresByType work properly, including for
       dynamically-generated documents.  [Ken Coar, Bill Stoddard]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/C2DDZjW2wN6IXdMRAm9BAKCBj7KgdN8sLTZpUFu5aVJTjyEJlQCePz3Y
QF51aRaqbVdSwZYxalnSC+Y=
=2mza
-----END PGP SIGNATURE-----

