Apache HTTP Server 2.0.49 Released

The Apache Software Foundation and the The Apache HTTP Server Project are pleased to announce the release of version 2.0.49 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 2.0.49 as compared to 2.0.48.

This version of Apache is principally a bug fix release. Asummary of
the bug fixes is given at the end of this document. Of particular
note is that 2.0.49 addresses three securityvulnerabilities:

When using multiple listening sockets, a denial of serviceattack
is possible on some platforms due to a race condition inthe
handling of short-lived connections. This issue isknown to affect
some versions of AIX, Solaris, and Tru64; it is known tonot affect
FreeBSD or Linux.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174]

Arbitrary client-supplied strings can be written to theerror log
which can allow exploits of certain terminal emulators.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020]

A remotely triggered memory leak in mod_ssl can allow adenial
of service attack due to excessive memory consumption.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0113]

This release is compatible with modules compiled for2.0.42 and later
versions. We consider this release to be the bestversion of Apache
available and encourage users of all prior versions toupgrade.

Apache HTTP Server 2.0.49 is available for download from

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.0 file, linked from the abovepage, for
a full list of changes.

Apache 2.0 offers numerous enhancements, improvements, andperformance
boosts over the 1.3 codebase. For an overview of newfeatures introduced
after 1.3 please see

http://httpd.apache.org/docs-2.0/new_features_2_0.html

When upgrading or installing this version of Apache,please keep
in mind the following:
If you intend to use Apache with one of the threaded MPMs,you must
ensure that the modules (and the libraries they depend on)that you
will be using are thread-safe. Please contact thevendors of these
modules to obtain this information.

Apache 2.0.49 Major changes

Security vulnerabilities closed since Apache 2.0.48

*) SECURITY: CAN-2004-0174 (cve.mitre.org)
Fix starvation issue on listeningsockets where a short-lived
connection on a rarely-accessedlistening socket will cause a
child to hold the accept mutex andblock out new connections until
another connection arrives on thatrarely-accessed listening socket.
With Apache 2.x there is noperformance concern about enabling the
logic for platforms which don'tneed it, so it is enabled everywhere
except for Win32. [JeffTrawick]

*) SECURITY: CAN-2004-0113 (cve.mitre.org)
mod_ssl: Fix a memory leak inplain-HTTP-on-SSL-port handling.
PR 27106. [Joe Orton]

*) SECURITY: CAN-2003-0020 (cve.mitre.org)
Escape arbitrary data beforewriting into the errorlog. Unescaped
errorlogs are still possible usingthe compile time switch
"-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young,André Malo]

Bugs fixed and features added since Apache 2.0.47

*) mod_cgid: Fix storage corruption caused by use ofincorrect pool.
[Jeff Trawick]

*) Win32: find_read_listeners was not correctlyhandling multiple
listeners on theWin32DisableAcceptEx path. [Bill Stoddard]

*) Fix bug in mod_usertrack when no CookieName isset. PR 24483.
[Manni Wood ]

*) Fix some piped log problems: bogus "piped logprogram '(null)'
failed" messages during restartand problem with the logger
respawning again after Apache isstopped. PR 21648, PR 24805.
[Jeff Trawick]

*) Fixed file extensions for real media files andremoved rpm extension
from mime.types. PR 26079. [Allan Sandfeld ]

*) Remove compile-time length limit on requeststrings. Length is
now enforced solely with theLimitRequestLine config directive.
[Paul J. Reder]

*) mod_ssl: Send the Close Alert message to the peerbefore closing
the SSL session. PR27428. [Madhusudan Mathihalli, Joe Orton]

*) mod_ssl: Fix bug in passphrase handling whichcould cause spurious
failures in SSL functionslater. PR 21160. [Joe Orton]

*) mod_log_config: Fix corruption of buffered logswith threaded
MPMs. PR 25520. [JeffTrawick]

*) Fix mod_include's expression parser to recognizestrings correctly
even if they start with an escapedtoken. [André Malo]

*) Add fatal exception hook for use by diagnosticmodules. The hook
is only available if the--enable-exception-hook configure parm
is used and theEnableExceptionHook directive has been set to
"on". [Jeff Trawick]

*) Allow mod_auth_digest to work with sub-requestswith different
methods than the originalrequest. PR 25040.
[Josh Dady ]

*) fix "Expected > but saw" errors in nested,
argumentless containers.
["Philippe M. Chiasson" ]

*) mod_auth_ldap: Fix some segfaults in the cachelogic. PR 18756.
[Matthieu Estrade , Brad Nicholes]

*) mod_cgid: Restart the cgid daemon if itcrashes. PR 19849
[Glenn Nielsen ]

*) The whole codebase was relicensed and is nowavailable under
the Apache License, Version 2.0(http://www.apache.org/licenses).
[Apache Software Foundation]

*) Fixed cache-removal order in mod_mem_cache.
[Jean-Jacques Clar, Cliff Woolley]

*) mod_setenvif: Fix the regex optimizer, whichunder circumstances
treated the supplied regex asliteral string. PR 24219.
[André Malo]

*) ap_mpm.h: Fix include guard of ap_mpm.h toreference mpm
instead of mmn.[André Malo]

*) mod_rewrite: Catch an edge case, where strangesubsequent RewriteRules
could lead to a 400 (Bad Request)response. [André Malo]

*) Keep focus of ITERATE and ITERATE2 on the currentmodule when
the module chooses to returnDECLINE_CMD for the directive.
PR 22299. [Geoffrey Young]

*) Add support for IMT minor-type wildcards (e.g.,text/*) to
ExpiresByType. PR#7991 [Ken Coar]

*) Fix segfault in mod_mem_cache cache_insert() dueto cache size
becoming negative. PR:21285, 21287
[Bill Stoddard, Massimo Torquati,Jean-Jacques Clar]

*) core.c: If large file support is enabled, allowany file that is
greater than AP_MAX_SENDFILE to besplit into multiple buckets.
This allows Apache to send filesthat are greater than 2gig.
Otherwise we run into 32/64 bittype mismatches in the file size.
[Brad Nicholes]

*) proxy_http fix: mod_proxy hangs when bothKeepAlive and
ProxyErrorOverride are enabled,and a non-200 response without a
body is generated by the backendserver. (e.g.: a client makes a
request containing the"If-Modified-Since" and "If-None-Match"
headers, to which the backendserver respond with status 304.)
[Graham Wiseman , Richard Reiner]

*) mod_dav: Reject requests which include anunescaped fragment in the
Request-URI. PR 21779. [Amit Athavale ]

*) Build array of allowed methods with properdimensions, fixing
possible memory corruption. [Jeff Trawick]

*) mod_ssl: Fix potential segfault on lookup ofSSL_SESSION_ID.
PR 15057. [Otmar Lendl]

*) mod_ssl: Fix streaming output from an nph- CGIscript. PR 21944
[Joe Orton]

*) mod_usertrack no longer inspects the Cookie2header for
the cookie name. PR 11475. [Chris Darrochi ]

*) mod_usertrack no longer overwrites other cookies.
PR 26002. [Scott Moore]

*) worker MPM: fix stack overlay bug that couldcause the parent
process to crash. [JeffTrawick]

*) Win32: Add Win32DisableAcceptEx directive. ThisWindows
NT/2000/XP directive is useful towork around bugs in some
third party layered serviceproviders like virus scanners,
VPN and firewall products, that donot properly handle
WinSock 2 APIs. Use thisdirective if your server is issuing
AcceptEx failed messages.
[Allan Edwards, Bill Rowe, BillStoddard, Jeff Trawick]

*) Make REMOTE_PORT variable available inmod_rewrite.
PR 25772. [André Malo]

*) Fix a long delay with CGI requests and keepaliveconnections on
AIX. [Jeff Trawick]

*) mod_autoindex: Add 'XHTML' option in order toallow switching between
HTML 3.2 and XHTML 1.0 output. PR23747. [André Malo]

*) Add XHTML Document Type Definitions to httpd.h(minor MMN bump).
[André Malo]

*) mod_ssl: Advertise SSL library version asdetermined at run-time rather
than at compile-time. PR23956. [Eric Seidel ]

*) mod_ssl: Fix segfault on a non-SSL request if the'c' log
format code is used. PR22741. [Gary E. Miller ]

*) Fix build with parallel make. PR24643. [Joe Orton]

*) mod_rewrite: In external rewrite maps lookup keyscontaining
a newline now cause a lookupfailure. PR 14453.
[Cedric Gavage , André Malo]

*) Backport major overhaul of mod_include's filterparser from 2.1.
The new parser code is expected tobe more robust and should
catch all of the edge cases thatwere not handled by the previous one.
The 2.1 external API changes werehidden by a wrapper which is
expected to keep the API backwardscompatible. [André Malo]

*) Add a hook (insert_error_filter) to allow filtersto re-insert
themselves during processing oferror responses. Enable mod_expires
to use the new hook to includeExpires headers in valid error
responses. This addresses an RFCviolation. It fixes PRs 19794,
24884, and 25123. [Paul J. Reder]

*) Add Polish translation of error messages. PR 25101.
[Tomasz Kepczynski ]

*) Add AP_MPMQ_MPM_STATE function code forap_mpm_query. (Not yet
supported for BeOS or OS/2MPMs.) [Jeff Trawick, Brad Nicholes,
Bill Stoddard]

*) Add mod_status hook to allow modules to add tothe mod_status
report. [Joe Orton]

*) Fix htdbm to generate comment fields in DBM filescorrectly.
[Justin Erenkrantz]

*) mod_dav: Use bucket brigades when reading PUTdata. This avoids
problems if the data stream ismodified by an input filter. PR 22104.
[Tim Robbins , André Malo]

*) Fix RewriteBase directive to not add doubleslashes. [André Malo]

*) Improve 'configure --help' output for somemodules. [Astrid KeÃler]

*) Correct UseCanonicalName Off to properly checkincoming port number.
[Jim Jagielski]

*) Fix slow graceful restarts with preforkMPM. [Joe Orton]

*) Fix a problem with namespace mappings beingdropped in mod_dav_fs;
if any property values were setwhich defined namespaces these
came out mangled in the PROPFINDresponse. PR 11637.
[Amit Athavale ]

*) mod_dav: Return a WWW-auth header for MOVE/COPYrequests where
the destination resource gives a401. PR 15571. [Joe Orton]

*) mod_autoindex / core: Don't fail to showfilenames containing
special characters like '%'. PR13598. [André Malo]

*) mod_status: Report total CPU time accurately whenusing a threaded
MPM. PR 23795. [JeffTrawick]

*) Fix memory leak in handling of request bodiesduring reverse
proxy operations. PR 24991.[Larry Toppi ]

*) Win32 MPM: Implement MaxMemFree to enable settingan upper
limit on the amount of storageused by the bucket brigades
in each server thread. [BillStoddard]

*) Modified the cache code to be header-locationagnostic. Also
fixed a number of other cache codebugs related to PR 15852.
Includes a patch submitted bySushma Rai .
This fixes mod_mem_cache but notmod_disk_cache yet so I'm not
closing the PR since that is whatthey are using. [Paul J. Reder]

*) complain via error_log when mod_include'sINCLUDES filter is
enabled, but the relevant Optionsflag allowing the filter to run
for the specific resource wasn'tset, so that the filter won't
silently get skipped. next removeitself, so the warning will be
logged only once [Stas Bekman,Jeff Trawick, Bill Rowe]

*) mod_info: HTML escape configuration informationso it displays
correctly. PR 24232. [Thom May]

*) Restore the ability to add a description fordirectories that
don't contain an index file. (Broken in 2.0.48) [André Malo]

*) Fix a problem with the display of empty variables("SetEnv foo") in
mod_include. PR 24734 [Markus Julen ]

*) mod_log_config: Log the minutes component of thetimezone correctly.
PR 23642. [Hong-Gunn Chew]

*) mod_proxy: Fix cases where an invalid status-linecould be sent
to the client. PR23998. [Joe Orton]

*) mod_ssl: Fix segfaults at startup if othermodules which use OpenSSL
are also loaded. [Joe Orton]

*) mod_ssl: Use human-readable OpenSSL error stringsin logs; use
thread-safe interface forretrieving error strings. [Joe Orton]

*) mod_expires: Initialize ExpiresDefault to NULLinstead of "" to
avoid reporting an Internal Servererror if it is used without
having been set in the httpd.conffile. PR: 23748, 24459
[Andre Malo, Liam Quinn
]

*) mod_autoindex: Don't omit the

starttag if the SuppressIcon
option is set. PR 21668. [Jesse Tie-Ten-Quee ]

*) mod_include no longer allows an ETag header on304 responses.
PR 19355. [Geoffrey Young, André Malo]

*) EBCDIC: Convert header fields to ASCII beforesending (broken
since 2.0.44). [Martin Kraemer]

*) Fix the inability to log errors like exec failurein
mod_ext_filter/mod_cgi scriptchildren. This was broken after
such children stopped inheritingthe error log handle.
[Jeff Trawick]

*) Fix mod_info to use the real config file name,not the default
config file name. [AryehKatz ]

*) Set the scoreboard state to indicate loggingprior to running
logging hooks so thatserver-status will show 'L' for hung loggers
instead of 'W'. [JeffTrawick]