Apache HTTP Server 1.3.29 Released

The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 1.3.29 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 1.3.29 as compared to 1.3.28.

This version of Apache is principally a bug and security fix release. A partial summary of the bug fixes is given at the end of this document. A full listing of changes can be found in the CHANGES file. Of particular note is that 1.3.29 addresses and fixes 1 potential security issue:

o CAN-2003-0542 (cve.mitre.org)
Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures.

We consider Apache 1.3.29 to be the best version of Apache 1.3 available and we strongly recommend that users of older versions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible. No further releases will be made in the 1.2.x family.

Apache 1.3.29 is available for download from:

http://httpd.apache.org/download.cgi

This service utilizes the network of mirrors listed at:

http://www.apache.org/mirrors/

Please consult the CHANGES_1.3 file for a full list of changes.

As of Apache 1.3.12 binary distributions contain all standard Apache modules as shared objects (if supported by the platform) and include full source code. Installation is easily done by executing the included install script. See the README.bindist and INSTALL.bindist files for a complete explanation. Please note that the binary distributions are only provided for your convenience and current distributions for specific platforms are not always available. Win32 binary distributions are based on the Microsoft Installer (.MSI) technology. While development continues to make this installation method more robust, questions should be directed to the news:comp.infosystems.www.servers.ms-windows newsgroup.

For an overview of new features introduced after 1.2 please see

http://httpd.apache.org/docs/new_features_1_3.html

In general, Apache 1.3 offers several substantial improvements over version 1.2, including better performance, reliability and a wider range of supported platforms, including Windows NT and 2000 (which fall under the "Win32" label), OS2, Netware, and TPF threaded platforms.

Apache is the most popular web server in the known universe; over half of the servers on the Internet are running Apache or one of its variants.

IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS variants. While the ports to non-Unix platforms (such as Win32, Netware or OS2) are of an acceptable quality, Apache 1.3 is not optimized for these platforms. Security, stability, or performance issues on these non-Unix ports do not generally apply to the Unix version, due to the software's Unix origin.

Apache 2.0 has been structured for multiple operating systems from its inception, by introducing the Apache Portability Library and MPM modules. Users on non-Unix platforms are strongly encouraged to move up to Apache 2.0 for better performance, stability and security on their platforms.

Apache 1.3.29 Major changes

Security vulnerabilities

* CAN-2003-0542 (cve.mitre.org)
Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures.
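
A configuration audit for the condition named in CAN-2003-0542, as an added example that is not part of the announcement or of Apache's own code: it flags mod_alias and mod_rewrite directives whose pattern has more than 9 captures. The directive argument positions, the status keywords and the sample configuration are assumptions made for this sketch.

```python
import re

# Position of the regex argument per directive (assumed layout, Apache 1.3 syntax).
REGEX_ARG = {"rewriterule": 0, "rewritecond": 1, "aliasmatch": 0,
             "scriptaliasmatch": 0, "redirectmatch": 0}
STATUS = re.compile(r"^(permanent|temp|seeother|gone|\d{3})$", re.I)
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')   # quoted or bare argument

def count_captures(pattern):
    """Count capturing groups in a POSIX extended regex."""
    count, i, n = 0, 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":                 # \( is a literal paren, not a group
            i += 2
            continue
        if c == "[":                  # parens inside [...] are literals
            i += 1
            if i < n and pattern[i] == "^":
                i += 1
            if i < n and pattern[i] == "]":   # a leading ] is a literal
                i += 1
            while i < n and pattern[i] != "]":
                i += 1
        elif c == "(":
            count += 1
        i += 1
    return count

def audit(conf_text, limit=9):
    """Return (line_no, directive, captures) for patterns with > limit groups."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        toks = [q or w for q, w in TOKEN.findall(line.strip())]
        if not toks or toks[0].startswith("#") or toks[0].lower() not in REGEX_ARG:
            continue
        args, idx = toks[1:], REGEX_ARG[toks[0].lower()]
        if toks[0].lower() == "redirectmatch" and args and STATUS.match(args[0]):
            idx = 1                   # optional status argument precedes the regex
        if idx < len(args) and count_captures(args[idx]) > limit:
            findings.append((no, toks[0], count_captures(args[idx])))
    return findings

# Constructed sample configuration, not taken from any real server.
SAMPLE = r'''# constructed sample
RewriteRule ^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)$ /x/$1 [L]
RewriteRule ^/docs/(.*)\(old\)[()]$ /new/$1
RedirectMatch permanent "^/((((((((((x))))))))))" http://www.example.com/
'''
```

Passing the text of each configuration file to `audit()` lists the directives to review on servers that have not yet been upgraded to 1.3.29.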

New features

New features that relate to specific platforms:

* Enabled RFC1413 ident functionality for both Win32 and NetWare platforms. This also included an alternate thread safe implementation of the socket timeout functionality when querying the identd daemon.

Bugs fixed

The following noteworthy bugs were found in Apache 1.3.28 (or earlier) and have been fixed in Apache 1.3.29:

* Within ap_bclose(), ap_pclosesocket() is now called consistently for sockets and ap_pclosef() for files. Also, closesocket() is used consistently to close socket fd's. The previous confusion between socket and file fd's would cause problems with some applications now that we proactively close fd's to prevent leakage. PR 22805.

* Fixed mod_usertrack to not get false positive matches on the user-tracking cookie's name. PR 16661.

* Prevent creation of subprocess Zombies when using CGI wrappers such as suEXEC and cgiwrap. PR 21737.