Date: Sat, 03 Jul 2004 08:39:31 -0300
From: "Mark Dodel"
Subject: [VOICENWS] SW: Apache 1.3.31

From: "Mark Dodel"

http://httpd.apache.org/

"Apache 1.3.31 is the best available version of the 1.3 series, and is recommended over all previous 1.3 releases. This release fixes a number of bugs and addresses 4 security issues described in CAN-2003-0987 (cve.mitre.org), CAN-2003-0020 (cve.mitre.org), CAN-2004-0174 (cve.mitre.org) and CAN-2003-0993 (cve.mitre.org). For additional details, read the Official Announcement.
http://www.apache.org/dist/httpd/Announcement.html

The Apache 1.3 series is being actively maintained and leisurely developed. Releases will be made to address security issues, or after a comfortable number of bug fixes or improvements have been made. Significant new features will more than likely not be added to 1.3 in preference to 2.0. Use the Apache 1.3.31 version if you need to use third-party modules that are not yet available as an Apache 2.0 module. Apache 1.3 is not compatible with Apache 2.0 modules."

Download: http://www.apache.org/dist/httpd/binaries/os2/apache_1.3.31-os2.zip

"Apache 1.3.31 Major changes

Security vulnerabilities

The main security vulnerabilities addressed in 1.3.31 are:

* CAN-2003-0987 (cve.mitre.org)
  In mod_digest, verify whether the nonce returned in the client response is one we issued ourselves. This problem does not affect mod_auth_digest.
* CAN-2003-0020 (cve.mitre.org)
  Escape arbitrary data before writing into the errorlog.
* CAN-2004-0174 (cve.mitre.org)
  Fix starvation issue on listening sockets where a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket.
* CAN-2003-0993 (cve.mitre.org)
  Fix parsing of Allow/Deny rules using IP addresses without a netmask; the issue is only known to affect big-endian 64-bit platforms.

New features

New features that relate to specific platforms:

* Linux 2.4+: If Apache is started as root and you code CoreDumpDirectory, coredumps are enabled via the prctl() syscall.

New features that relate to all platforms:

* Add mod_whatkilledus and mod_backtrace (experimental) for reporting diagnostic information after a child process crash.
* Add fatal exception hook for running diagnostic code after a crash.
* Forensic logging module added (mod_log_forensic).
* '%X' is now accepted as an alias for '%c' in the LogFormat directive. This allows you to configure logging to still log the connection status even with mod_ssl.

Bugs fixed

The following bugs were found in Apache 1.3.29 (or earlier) and have been fixed in Apache 1.3.31:

* Fix memory corruption problem with the ap_custom_response() function. The core per-dir config would later point to request pool data that would be reused for different purposes on different requests.
* mod_usertrack no longer inspects the Cookie2 header for the cookie name. It also no longer overwrites other cookies.
* Fix bug causing core dump when using CookieTracking without specifying a CookieName directly.
* UseCanonicalName off was ignoring the client-provided port information."

-- 
Warpstock 2004, Denver, Colorado, October 21 - 24, 2004 http://www.warpstock.org
Warpstock Europe 2004, Arnhem, The Netherlands, November 26-28th, 2004 http://www.warpstock.net

[Moderator's note: All posts are sent without guarantee to the accuracy of the content. We try to verify details and URLs but this is an entirely volunteer run list, so 100% fact checking and the quality/usability of products announced here is impossible. If you respond to this post please remove the DESPAM from the poster's email addresses.
Please do not send requests for information about a specific post to the moderator unless it is an update or I sent it.]

-- 
To unsubscribe yourself from this list, send the following message to majormajor at os2voice.org

unsubscribe news
end

Or, visit http://www.os2voice.org/MailingLists.html

If you have an announcement you would like posted to the VOICE News list, please send it to submit at os2voice.org. Please include a valid reply address and a real contact name. If you wish to comment on this post, please reply to feedback at os2voice.org
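The CAN-2003-0987 item above says mod_digest now checks that the nonce a client sends back is one the server issued. The example below is added here to show what that check looks like in practice; it is not Apache's code, it does not reproduce Apache's nonce format, and the secret, lifetime, realm, username and password are constructed for the illustration. A server that skips the nonce check (the `check_nonce=False` path) accepts a Digest response computed over any nonce the client chooses, so a captured or precomputed response stays valid forever; binding the nonce to a server secret and an issue time closes that.

```python
import base64
import binascii
import hashlib
import hmac
import os
import time

# Server-side nonce secret, generated at startup and never sent to clients.
# Hypothetical parameters for this example; not Apache's own scheme.
NONCE_SECRET = os.urandom(32)
NONCE_LIFETIME = 300  # seconds a nonce is accepted after it was issued


def _nonce_mac(secret, issued, realm):
    """MAC over issue time and realm: only the holder of the secret can mint a valid nonce."""
    return hmac.new(secret, f"{issued}:{realm}".encode(), hashlib.sha256).digest()


def issue_nonce(realm, secret=NONCE_SECRET, now=None):
    """Mint the nonce for a WWW-Authenticate challenge: base64("<issued>:<mac-hex>")."""
    issued = int(time.time()) if now is None else int(now)
    mac = _nonce_mac(secret, issued, realm).hex()
    return base64.b64encode(f"{issued}:{mac}".encode()).decode()


def verify_nonce(nonce, realm, secret=NONCE_SECRET, now=None, lifetime=NONCE_LIFETIME):
    """Return (ok, reason); ok only for a well-formed, unexpired nonce this server minted."""
    now = int(time.time()) if now is None else int(now)
    try:
        issued_s, mac_hex = base64.b64decode(nonce, validate=True).decode("ascii").split(":", 1)
        issued = int(issued_s)
        presented = bytes.fromhex(mac_hex)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return False, "malformed"
    # Constant-time comparison; a wrong-length MAC simply compares unequal.
    if not hmac.compare_digest(presented, _nonce_mac(secret, issued, realm)):
        return False, "not issued by this server"
    if not 0 <= now - issued <= lifetime:
        return False, "stale"
    return True, "ok"


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 'response' for the original (qop-less) Digest scheme: MD5(HA1:nonce:HA2)."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def authenticate(auth, password, secret=NONCE_SECRET, now=None, check_nonce=True):
    """Server-side check of a parsed 'Authorization: Digest' header (dict with username,
    realm, nonce, uri, response) plus the request method. check_nonce=False mimics a
    server that takes the client's nonce at face value, the behaviour CAN-2003-0987 describes."""
    if check_nonce and not verify_nonce(auth["nonce"], auth["realm"], secret, now)[0]:
        return False
    expected = digest_response(auth["username"], auth["realm"], password,
                               auth["method"], auth["uri"], auth["nonce"])
    return hmac.compare_digest(expected, auth["response"])


if __name__ == "__main__":
    # Constructed exchange: server challenges, client answers, server verifies.
    realm, user, pw = "example", "alice", "correct horse"
    nonce = issue_nonce(realm)
    auth = {"username": user, "realm": realm, "nonce": nonce, "method": "GET", "uri": "/secret",
            "response": digest_response(user, realm, pw, "GET", "/secret", nonce)}
    print("genuine nonce:", authenticate(auth, pw))
    # Attacker-chosen nonce: the response can be precomputed and replayed indefinitely.
    forged = dict(auth, nonce="chosen-by-attacker",
                  response=digest_response(user, realm, pw, "GET", "/secret", "chosen-by-attacker"))
    print("forged nonce, unchecked:", authenticate(forged, pw, check_nonce=False))
    print("forged nonce, checked:", authenticate(forged, pw))
```

The order matters: the nonce is validated before the password-derived response is even computed, so a request carrying an unknown nonce never reaches the credential check, and a stale nonce forces the client back through a fresh challenge.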
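The CAN-2003-0020 item says arbitrary data is now escaped before it is written to the error log. The risk is that client-controlled bytes (a request URI, a header value) land verbatim in the file, so a newline forges a second log line and a terminal escape sequence runs in the admin's `tail -f` session. The following is an added example, not Apache's escaping routine: it renders every byte outside printable ASCII as a C-style escape, and the sample log fields are constructed for the illustration.

```python
# Bytes with a conventional short escape; every other control byte and every
# byte >= 0x7f is written as \xHH. (Illustrative rule set, not Apache's table.)
_NAMED = {0x08: "\\b", 0x09: "\\t", 0x0a: "\\n", 0x0b: "\\v", 0x0c: "\\f", 0x0d: "\\r",
          0x22: '\\"', 0x5c: "\\\\"}


def escape_logitem(data):
    """Render attacker-influenced bytes as printable ASCII before they reach a log file.
    Accepts bytes or str (str is UTF-8 encoded first); the result is always printable."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    out = []
    for b in data:
        if b in _NAMED:
            out.append(_NAMED[b])
        elif 0x20 <= b < 0x7f:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def error_log_line(remote_addr, message, when="[Sat Jul 03 08:39:31 2004]"):
    """Assemble one error_log line; every field that originated with the client is escaped."""
    return f"{when} [error] [client {escape_logitem(remote_addr)}] {escape_logitem(message)}"


def has_control_bytes(line):
    """Check a finished log line: True if a terminal or log parser could act on something in it."""
    return any(ord(c) < 0x20 or ord(c) == 0x7f for c in line)


if __name__ == "__main__":
    # Constructed hostile inputs: an xterm title-setting sequence plus clear-screen,
    # and an embedded newline that would fake a second log entry.
    uri = "/cgi-bin/x\x1b]0;owned\x07\x1b[2J"
    forged = "File does not exist: /index.html\n[Sat Jul 03 08:39:32 2004] [notice] all good"
    for msg in (f"File does not exist: {uri}", forged):
        line = error_log_line("10.0.0.1", msg)
        print(line, "| safe:", not has_control_bytes(line))
```

Escaping backslash itself (so `\x1b` typed literally by a client cannot be confused with an escaped ESC byte) and keeping the output one physical line are the two properties a log consumer needs; `has_control_bytes` is the check to run over the finished line if the log format is ever extended.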