Technical Updates @ TACKtech Corp.

09.250.2007 - Apache Group: Apache HTTP Server 2.0.61
The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
- SECURITY: CVE-2007-3847 (cve.mitre.org)
mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144. [Davi Arnaut, Nick Kew]
- SECURITY: CVE-2007-1863 (cve.mitre.org)
mod_cache: Prevent segmentation fault if a Cache-Control header has no value. [Niklas Edmundsson]
- SECURITY: CVE-2006-5752 (cve.mitre.org)
mod_status: Fix a possible XSS attack against a site with a public server-status page and ExtendedStatus enabled, for browsers which perform charset "detection". Reported by Stefan Esser. [Joe Orton]
- SECURITY: CVE-2007-3304 (cve.mitre.org)
prefork, worker MPMs: Ensure that the parent process cannot be forced to kill processes outside its process group. [Joe Orton, Jim Jagielski]
- mod_proxy_http: accept proxy-sendchunked/proxy-sendchunks as synonymous. PR 43183 [Brian Rectanus, Vincent Bray]
- log core: ensure we use a special pool for stderr logging, so that
the stderr channel remains valid from the time plog is destroyed,
until the time the open_logs hook is called again. [William Rowe]
- mod_ssl: Version reporting update; displays 'compiled against'
Apache and build-time SSL Library versions at loglevel [info],
while reporting the run-time SSL Library version in the server
info tags. Helps to identify a mod_ssl built against one flavor
of OpenSSL but running against another (also adds SSL-C version
number reporting.) [William Rowe]
- mod_autoindex: Add in Type and Charset options to IndexOptions
directive. This allows the admin to explicitly set the
content-type and charset of the generated page and is therefore
a viable workaround for buggy browsers affected by CVE-2007-4465
(cve.mitre.org). [Jim Jagielski]
- main core: Emit errors during the initial apr_app_initialize()
or apr_pool_create() (when apr-based error reporting is not ready).
[William Rowe, Jeff Trawick]
- log core: Fix issue which could cause piped loggers to be orphaned
and never terminate after a graceful restart. PR 40651. [Joe Orton,
Ruediger Pluem]
- log core: fix the new piped logger case where we couldn't connect
the replacement stderr logger's stderr to the NULL stdout stream.
Continue in this case, since the previous alternative of no error
logging at all (/dev/null) is far worse. [William Rowe]
- mpm_winnt: Prevent the parent-child pipe from leaking into other
spawned processes, and ensure we have a /Device/null handle for
stdout when running as-a-service. [William Rowe]
- ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]
- mod_so: Solve dev's confusion by reporting expected/seen module
magic signatures when failing with a 'garbled' message, and solve
user's confusion by pointing out 'perhaps compiled for a different
version of apache?'. [William Rowe]
- mod_ssl: initialize thread locks before initializing the hardware
acceleration library, so the latter can make use of the former.
PR 20951. []
- mod_ssl: Support limited buffering of request bodies to allow
per-location renegotiation to proceed. PR 12355. [Joe Orton]
- mod_cgi, mod_cgid: Don't return apr_status_t error value
from input filter chain. PR 31759 (mutated). [Jo Rhett,
Nick Kew]
- htdbm: Fix crash processing -d option in 64-bit mode on HP-UX.
[Jeff Trawick]
- proxy_http.c: Overlay existing cookies with proxied ones, ala
httpd-2.2. [Jim Jagielski]
- mod_proxy: ProxyTimeout (and others) ignored due to not merging
the *_set params. PR 11540. [Jim Jagielski]
- mod_isapi: Correctly present SERVER_PORT_SECURE.
PR 40573. [Matt Eaton]
- mod_isapi: Avoid double trailing slashes in HSE_REQ_MAP_URL_TO_PATH
support. Also corrects the slashes for Windows. PR 15993. [William Rowe]
- mod_isapi: Handle "HTTP/1.1 200 OK" style status lines correctly, the
token parser worked while the resulting length was misinterpreted.
PR 29098. [Brock Bland]
- mod_isapi: Return 0 (failure) for more of the various ap_pass_brigade
attempts to stream the response at the client. Log these as well.
PR 30022, 40470. [William Rowe, Matt Eaton]
- mod_isapi: Ensure we walk through all the methods the developer may have
employed to report their HTTP status result code.
PR 16637 30033 28089. [Matt Lewandowsky, William Rowe]
- Download Apache HTTP Server
- View Release Notes
- View Additional Information
- Visit Apache Group
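
An added configuration sketch (not part of the Apache changelog or the original post) for the two entries above that an administrator can act on directly: keeping server-status non-public with ExtendedStatus off, the conditions named for CVE-2006-5752, and the new IndexOptions Type and Charset options offered as a workaround for CVE-2007-4465. The directory path and the allowed address are placeholders, and the access-control directives use the 2.0-series Order/Deny/Allow syntax.

```apache
# --- mod_status (CVE-2006-5752) ---
# The changelog entry applies to a *public* server-status page with
# ExtendedStatus enabled. Leave ExtendedStatus off unless it is needed,
# and restrict the handler to a trusted address either way.
ExtendedStatus Off

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    # Placeholder: replace with the monitoring host(s) you trust.
    Allow from 127.0.0.1
</Location>

# --- mod_autoindex (workaround for CVE-2007-4465) ---
# Type= and Charset= are the IndexOptions keywords added in 2.0.61.
# Declaring both explicitly means the generated listing carries a fixed
# content type and charset, so the browser has nothing to "detect".
# Placeholder path: any directory served with generated indexes.
<Directory "/var/www/html/pub">
    Options +Indexes
    IndexOptions Charset=UTF-8 Type=text/html
</Directory>
```

After reloading, `curl -I` against a generated index should show the declared values in the `Content-Type` response header.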
NID: 17821 / Submitted by: TACKtech Team
Categories:
Internet Applications, Open Source, Server Applications