Loading Announcement +31 −47 Original line number Diff line number Diff line Apache HTTP Server 1.3.33 Released Apache HTTP Server 1.3.34 Released The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 1.3.33 of the Apache HTTP pleased to announce the release of version 1.3.34 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 1.3.33 as compared to 1.3.31 (1.3.32 was not formally released). in 1.3.34 as compared to 1.3.33. The Announcement is also available in German and Japanese from: http://www.apache.org/dist/httpd/Announcement.txt.de Loading @@ -13,23 +14,22 @@ This version of Apache is principally a bug and security fix release. A partial summary of the bug fixes is given at the end of this document. A full listing of changes can be found in the CHANGES file. Of particular note is that 1.3.33 addresses and fixes 2 potential particular note is that 1.3.34 addresses and fixes 2 potential security issues: o CAN-2004-0940 (cve.mitre.org) Fix potential buffer overflow with escaped characters in SSI tag string. o If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks. o CAN-2004-0492 (cve.mitre.org) Reject responses from a remote server if sent an invalid (negative) Content-Length. o Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method. We consider Apache 1.3.33 to be the best version of Apache 1.3 available We consider Apache 1.3.34 to be the best version of Apache 1.3 available and we strongly recommend that users of older versions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible. No further releases will be made in the 1.2.x family. Apache 1.3.33 is available for download from: Apache 1.3.34 is available for download from: http://httpd.apache.org/download.cgi Loading Loading 
@@ -74,56 +74,40 @@ Apache 2.0 has been structured for multiple operating systems from its inception, by introducing the Apache Portability Library and MPM modules. Users on non-Unix platforms are strongly encouraged to move up to Apache 2.0 for better performance, stability and security on their Users on Unix and non-Unix platforms are strongly encouraged to move up to Apache 2.0 for better performance, stability and security on their platforms. Apache 1.3.33 Major changes Apache 1.3.34 Major changes Security vulnerabilities * CAN-2004-0940 (cve.mitre.org) Fix potential buffer overflow with escaped characters in SSI tag string. * SECURITY: core: If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks. This has no impact on mod_proxy_http, yet affects any module which supports chunked encoding yet fails to prefer T-E: chunked over the Content-Length purported value. * CAN-2004-0492 (cve.mitre.org) Reject responses from a remote server if sent an invalid (negative) Content-Length. * Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method. This addresses a flaw in proxy conformance to RFC 2616 - previously the proxy server would accept a TRACE request body although the RFC prohibited it. The default remains 'TraceEnable on'. New features New features that relate to specific platforms: * Win32: Improve error reporting after a failed attempt to spawn a piped log process or rewrite map process. * None New features that relate to all platforms: * Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT. It controls how UseCanonicalName Off determines the port value if the client doesn't provide one in the Host header. If defined during compilation, UseCanonicalName Off will use the physical port number to generate the canonical name. 
If not defined, it tries the current Port value followed by the default port for the current scheme. * None Bugs fixed The following noteworthy bugs were found in Apache 1.3.31 (or earlier) and have been fixed in Apache 1.3.33: * mod_rewrite: Fix query string handling for proxied URLs. PR 14518. * mod_rewrite: Fix 0 bytes write into random memory position. PR 31036. * mod_digest: Fix nonce string calculation since 1.3.31 which would force re-authentication for every connection if AuthDigestRealmSeed was not configured. PR 30920. * Fix trivial bug in mod_log_forensic that caused the child to seg fault when certain invalid requests were fired at it with forensic logging is enabled. PR 29313. The following noteworthy bugs were found in Apache 1.3.33 (or earlier) and have been fixed in Apache 1.3.34: * No longer breaks mod_dav, frontpage and others. Repair a patch in 1.3.31 which prevented discarding the request body for requests that will be keptalive but are not currently keptalive. PR 29237. * mod_digest: Fix another nonce string calculation issue. Loading
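Review bot: in the hunk at @@ -13,23 +14,22 @@, the two items listed under "1.3.34 addresses and fixes 2 potential security issues" carry no CAN/CVE identifier, whereas both entries they replace cite one (CAN-2004-0940, CAN-2004-0492); if an identifier has been assigned for the Transfer-Encoding/Content-Length fix it should be cited here and in the detailed section so readers can cross-reference advisories. The second item, "Added TraceEnable [on|off|extended] per-server directive", describes a new directive rather than a fixed flaw, and the detailed section states "The default remains 'TraceEnable on'", so counting it as one of two fixed issues overstates the change; consider "addresses 1 potential security issue and adds a TraceEnable directive".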
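Review bot: in the hunk at @@ -74,56 +74,40 @@, the "SECURITY: core" entry reads awkwardly with two "yet"s in one sentence ("yet affects any module which supports chunked encoding yet fails to prefer T-E: chunked over the Content-Length purported value"); suggest "but affects any module that supports chunked encoding and fails to prefer Transfer-Encoding: chunked over the purported Content-Length value". The TraceEnable entry should say whether, with the unchanged default "TraceEnable on", the proxy now rejects a TRACE request body or whether the RFC 2616 conformance fix only takes effect under one of the new settings; "This addresses a flaw" followed by "The default remains 'TraceEnable on'" leaves that unclear. In "Bugs fixed", the last entry ("mod_digest: Fix another nonce string calculation issue.") is the only one without a PR reference, and "keptalive" in the PR 29237 entry should be "kept alive".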