Apache 2.0.48 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the eleventh public release of the Apache 2.0 HTTP Server. This Announcement notes the significant changes in 2.0.48 as compared to 2.0.47.

This version of Apache is principally a bug fix release. Asummary of
the bug fixes is given at the end of this document. Of particular
note is that 2.0.48 addresses two security vulnerabilities:

mod_cgid mishandling of CGI redirect paths could result inCGI output
going to the wrong client when a threaded MPM is used.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789]

A buffer overflow could occur in mod_alias and mod_rewritewhen
a regular expression with more than 9 captures isconfigured.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542]

This release is compatible with modules compiled for2.0.42 and later
versions. We consider this release to be the bestversion of Apache
available and encourage users of all prior versions toupgrade.

Apache 2.0.48 is available for download from

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.0 file, linked from the abovepage, for
a full list of changes.

Apache 2.0 offers numerous enhancements, improvements, andperformance
boosts over the 1.3 codebase. For an overview of newfeatures introduced
after 1.3 please see

http://httpd.apache.org/docs-2.0/new_features_2_0.html

When upgrading or installing this version of Apache,please keep
in mind the following:
If you intend to use Apache with one of the threaded MPMs,you must
ensure that the modules (and the libraries they depend on)that you
will be using are thread-safe. Please contact thevendors of these
modules to obtain this information.

Apache 2.0.48 Major changes

Security vulnerabilities closed since Apache 2.0.47

*) SECURITY [CAN-2003-0789]: mod_cgid: Resolve somemishandling of
the AF_UNIX socket used tocommunicate with the cgid daemon and
the CGI script. [JeffTrawick]

*) SECURITY [CAN-2003-0542]: Fix buffer overflows inmod_alias and
mod_rewrite which occurred if oneconfigured a regular expression
with more than 9 captures. [André Malo]

Bugs fixed and features added since Apache 2.0.47

*) mod_include: fix segfault which occured if thefilename was not
set, for example, when processingsome error conditions.
PR 23836. [Brian Akins, André Malo]

*) fix the config parser to support.. containers (no
arguments in the opening tag)supported by httpd 1.3. Without
this change mod_perl 2.0's sections are broken.
["Philippe M. Chiasson"]

*) mod_cgid: fix a hash table corruption problemwhich could
result in the wrong script beingcleaned up at the end of a
request. [Jeff Trawick]

*) Update httpd-*.conf to be clearer in describingthe connection
between AddType and AddEncodingfor defining the meaning of
compressed file extensions. [RoyFielding]

*) mod_rewrite: Don't die silently when failing toopen RewriteLogs.
PR 23416. [André Malo]

*) mod_rewrite: Fix mod_rewrite's support of the [P]option to send
rewritten request using "proxy:".The code was adding multiple "proxy:"
fields in the rewritten URI. PR:13946.
[Eider Oliveira]

*) cache_util: Fix ap_check_cache_freshness to checkmax_age, smax_age, and
expires as directed in RFC 2616.[Thomas Castelle tcastelle@generali.fr]

*) Ensure that ssl-std.conf is generated atconfigure time, and switch
to using the expanded configvariables to work the same as
httpd-std.conf PR: 19611
[Thom May]

*) mod_ssl: Fix segfaults after renegotiationfailure. PR 21370
[Hartmut Keil]

*) mod_autoindex: If a directory contains a filelisted in the
DirectoryIndex directive, thefolder icon is no longer replaced
by the icon of that file. PR 9587.
[David Shane Holden]

*) Fixed mod_usertrack to not get false positivematches on the
user-tracking cookie's name. PR 16661.
[Manni Wood]

*) mod_cache: Fix the cache code so that responsescan be cached
if they have an Expires header butno Etag or Last-Modified
headers. PR 23130.
[bjorn@exoweb.net]

*) mod_log_config: Fix %b log format to write really"-" when 0 bytes
were sent (e.g. with 304 or 204response codes). [Astrid KeÃŞler]

*) Modify ap_get_client_block() to note if it hasseen EOS.
[Justin Erenkrantz]

*) Fix a bug, where mod_deflate sometimesunconditionally compressed the
content if the Accept-Encodingheader contained only other tokens than
"gzip" (such as "deflate"). PR21523. [Joe Orton, André Malo]

*) Avoid an infinite recursion, which occured if thename of an included
config file or directory containeda wildcard character. PR 22194.
[André Malo]

*) mod_ssl: Fix a problem setting variables thatrepresent the
client certificate chain. PR21371 [Jeff Trawick]

*) Unix: Handle permissions settings for flock-basedmutexes in
unixd_set_global|proc_mutex_perms(). Allow the functions to be
called for any type ofmutex. PR 20312 [Jeff Trawick]

*) ab: Work over non-loopback on Unix again. PR21495. [Jeff Trawick]

*) Fix a misleading message from the some of thethreaded MPMs when
MaxClients has to be lowered dueto the setting of ServerLimit.
[Jeff Trawick]

*) Lower the severity of the "listener thread didn'texit" message
to debug, as it is of interestonly to developers. PR 9011
[Jeff Trawick]

*) MPMs: The bucket brigades subsystem now honorsthe MaxMemFree setting.
[Cliff Woolley, Jean-Jacques Clar]

*) Install config.nice into the build/ directory tomake
minor version upgrades easier.[Joshua Slive]

*) Fix mod_deflate so that it does not calldeflate() without checking
first whether it has something todeflate. (Currently this causes
deflate to generate a fatal erroraccording to the zlib spec.)
PR 22259. [Stas Bekman]

*) mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an
identity spoof is encountered.
[Sander Striker]

*) mod_rewrite: Ignore RewriteRules in .htaccessfiles if the directory
containing the .htaccess file isrequested without a trailing slash.
PR 20195. [André Malo]

*) ab: Overlong credentials given via command lineno longer clobber
the buffer. [AndréMalo]

*) mod_deflate: Don't attempt to hold all of theresponse until we're
done. [Justin Erenkrantz]

*) Assure that we block properly when reading inputbodies with SSL.
PR 19242. [David Deaves, William Rowe]

*) Update mime.types to include latest IANA and W3Ctypes. [Roy Fielding]

*) mod_ext_filter: Set additional environmentvariables for use by
the external filter. PR20944. [Andrew Ho, Jeff Trawick]

*) Fix buildconf errors when libtool versionchanges. [Jeff Trawick]

*) Remember an authenticated user during internalredirects if the
redirection target is not accessprotected and pass it
to scripts using theREDIRECT_REMOTE_USER environment variable.
PR 10678, 11602. [André Malo]

*) mod_include: Fix a trio of bugs that would causevarious unusual
sequences of parsed bytes to omitportions of the output stream.
PR 21095. [Ron Park, André Malo, Cliff Woolley]

*) Update the header token parsing code to allow LWSbetween the
token word and the ':'seperator. [PR 16520]
[Kris Verbeeck, Nicel KM ]

*) Eliminate creation of a temporary table inap_get_mime_headers_core()
[Joe Schaefer]

*) Added FreeBSD directory layout. PR 21100.
[Sander Holthaus, André Malo]

*) Fix NULL-pointer issue in ab when parsing anincomplete or non-HTTP
response. PR 21085. [Glenn Nielsen, André Malo]

*) mod_rewrite: Perform child initialization on therewrite log lock.
This fixes a log corruption issuewhen flock-based serialization
is used (e.g., FreeBSD). [Jeff Trawick]

*) Don't respect the Server header field as set bymodules and CGIs.
As with 1.3, for proxy requestsany such field is from the origin
server; otherwise it will have ourserver info as controlled by
the ServerTokens directive. [Jeff Trawick]