<?xml version="1.0" encoding="UTF-8"?>
<!--PATCHINFO id="a753633c753c9f404abfde8585fed339"!-->
<patch
    xmlns="http://novell.com/package/metadata/suse/patch"
    xmlns:yum="http://linux.duke.edu/metadata/common"
    xmlns:rpm="http://linux.duke.edu/metadata/rpm"
    xmlns:suse="http://novell.com/package/metadata/suse/common"
    patchid="sdk-apache2-2281"
    timestamp="1163589934"
    engine="1.0">
  <yum:name>sdk-apache2</yum:name>
  <summary lang="en">Recommended update for Apache 2</summary>
  <summary lang="de">Recommended update for Apache 2</summary>
<description lang="en">This update brings the Apache HTTP server to version 2.2.3.

This version of Apache is primarily a bug and security fix
release.  It provides a substantial number of important bug
fixes which were added after the 2.2.0 release. (The
security issues had been addressed by previous Novell
maintenance updates.)

In addition, the package enables the fatal exception hook
for use by diagnostic modules, contains documentation
updates, and fixes a small buglet in the
apache-20-22-upgrade script (mod_image_map -&gt;
mod_imagemap).

The full list of changes (from
http://www.apache.org/dist/httpd/CHANGES_2.2) follows
below, with problem report (PR) numbers referring to
http://issues.apache.org/bugzilla/.


Changelog of 2.2.3:

SECURITY: CVE-2006-3747 (cve.mitre.org)
 - mod_rewrite: Fix an off-by-one security problem in the
   ldap scheme handling.  For some RewriteRules this could
   lead to a pointer being written out of bounds.  Reported
   by Mark Dowd of McAfee.

mod_authn_alias:
 - Add a check to make sure that the base provider and the
   alias names are different and also that the alias has
   not been registered before.  PR 40051.

mod_authnz_ldap:
 - Fix a problem with invalid auth error detection for LDAP
   client SDKs that don't support the LDAP_SECURITY_ERROR
   macro.  PR 39529.

mod_autoindex:
 - Fix filename escaping with FancyIndexing disabled.
   PR 38910.

mod_cache:
 - Make caching of reverse SSL proxies possible again.
   PR 39593.  [#202702]
 - Do not overwrite the Content-Type in the cache, for
   successfully revalidated cached objects.  PR 39647.

mod_charset_lite:
 - Bypass translation when the source and dest charsets are
   the same.

mod_dbd:
 - Fix dependence on virtualhost configuration in defining
   prepared statements (possible segfault at startup in
   user modules such as mod_authn_dbd).

mod_mem_cache:
 - Set content type correctly when delivering data from
   cache.  PR 39266.

mod_speling:
 - Add directive to deal with case corrections only and
   ignore other misspellings.

miscellaneous:
 - Add optional 'scheme://' prefix to ServerName
   directive, allowing correct determination of the
   canonical server URL for use behind a proxy or offload
   device handling SSL; fixing redirect generation in
   those cases.  PR 33398.
 - Added server_scheme field to server_rec for above.
   Minor MMN bump.
 - Worker MPM: On graceless shutdown or restart, send
   signals to each worker thread to wake them up if
   they're polling on a Keep-Alive connection.  PR 38737.
 - worker and event MPMs: fix excessive forking if fork()
   or child_init take a long time.  PR 39275.
 - Respect GracefulShutdownTimeout in the worker and event
   MPMs.
 - configure: Add &quot;--with-included-apr&quot; flag to force use
   of the bundled version of APR at build time.

Changelog of 2.2.1 and 2.2.2:

SECURITY: CVE-2005-3357 (cve.mitre.org)
 - mod_ssl: Fix a possible crash during access control
   checks if a non-SSL request is processed for an SSL
   vhost (such as the &quot;HTTP request received on SSL port&quot;
   error message when a 400 ErrorDocument is configured,
   or if using &quot;SSLEngine optional&quot;).  PR 37791.

SECURITY: CVE-2005-3352 (cve.mitre.org)
 - mod_imagemap: Escape untrusted referer header before
   outputting in HTML to avoid potential cross-site
   scripting.  Change also made to ap_escape_html so we
   escape quotes.  Reported by JPCERT.

mod_cache:
 - Make caching of reverse proxies possible again.
   PR 38017.

mod_disk_cache:
 - Return the correct error codes from bucket read
   failures, instead of APR_EGENERAL.

mod_dbd:
 - Update defaults, improve error reporting.
 - Create own pool and mutex to avoid problematic use of
   the process pool in request processing.

mod_deflate:
 - Work correctly in an internal redirect.

mod_proxy:
 - Don't reuse a connection that may be to the wrong
   backend.  PR 39253.
 - Do not release connections from connection pool twice.
   PR 38793.
 - Fix KeepAlives not being allowed and set to backend
   servers.  PR 38602.
 - Fix incorrect usage of local and shared worker init.
   PR 38403.
 - If we get an error reading the upstream response, close
   the connection.

mod_proxy_balancer:
 - Initialize members of a balancer correctly.  PR 38227.
 - Do not overwrite the status of initialized workers and
   respect the configured status of uninitialized workers
   when creating a new child process.
 - Fix off-by-one error in proxy_balancer.  PR 37753.

mod_proxy_ajp:
 - Flushing of the output after each AJP chunk is now
   configurable at runtime via the 'flushpackets' and
   'flushwait' worker params.  Minor MMN bump.
 - Crosscheck the length of the body chunk with the length
   of the ajp message to prevent mod_proxy_ajp from
   reading beyond the buffer boundaries and thus revealing
   possibly sensitive memory contents to the client.
 - Support common headers of the AJP protocol in
   responses.  PR 38340.

mod_proxy_http:
 - Do send keep-alive header if the client sent
   connection: keep-alive and do not close backend
   connection if the client sent connection: close.
   PR 38524.

mod_speling:
 - Stop crashing with certain non-file requests.

mod_ssl:
 - Fix possible crashes in shmcb with gcc 4 on platforms
   requiring word-aligned pointers.  PR 38838.

miscellaneous:
 - core: Prevent reading uninitialized memory while reading
   a line of protocol input.  PR 39282.
 - core: Reject invalid Expect header immediately.
   PR 38123.
 - Default handler: Don't return output filter apr_status_t
   values.  PR 31759.
 - Add APR/APR-Util Compiled and Runtime Version numbers to
   the output of 'httpd -V'.
 - http: If a connection is aborted while waiting for a
   chunked line, flag the connection as errored out.
 - Don't hang on error return from post_read_request.
   PR 37790.
 - Fix mis-shifted 32 bit scope, masked to 64 bits as a
   method.
 - Fix recursive ErrorDocument handling.  PR 36090.
 - Ensure that the proper status line is written to the
   client, fixing incorrect status lines caused by filters
   which modify r-&gt;status without resetting
   r-&gt;status_line, such as the built-in byterange filter.
 - HTML-escape the Expect error message.  Not classed as
   security as an attacker has no way to influence the
   Expect header a victim will send to a target site.
 - Chunk filter: Fix chunk filter to create correct chunks
   in the case that a flush bucket is surrounded by data
   buckets.
 - Avoid Server-driven negotiation when a script has
   emitted an explicit Status: header.  PR 38070.
 - htdbm: Fix crash processing -d option in 64-bit mode on
   HP-UX.
 - htdbm: Warn the user when adding a plaintext password on
   a platform where it wouldn't work with the server
   (i.e., anywhere that has crypt()).
</description>
<description lang="de">This update brings the Apache HTTP server to version 2.2.3.

This version of Apache is primarily a bug and security fix
release.  It provides a substantial number of important bug
fixes which were added after the 2.2.0 release. (The
security issues had been addressed by previous Novell
maintenance updates.)

In addition, the package enables the fatal exception hook
for use by diagnostic modules, contains documentation
updates, and fixes a small buglet in the
apache-20-22-upgrade script (mod_image_map -&gt;
mod_imagemap).

The full list of changes (from
http://www.apache.org/dist/httpd/CHANGES_2.2) follows
below, with problem report (PR) numbers referring to
http://issues.apache.org/bugzilla/.


Changelog of 2.2.3:

SECURITY: CVE-2006-3747 (cve.mitre.org)
 - mod_rewrite: Fix an off-by-one security problem in the
   ldap scheme handling.  For some RewriteRules this could
   lead to a pointer being written out of bounds.  Reported
   by Mark Dowd of McAfee.

mod_authn_alias:
 - Add a check to make sure that the base provider and the
   alias names are different and also that the alias has
   not been registered before.  PR 40051.

mod_authnz_ldap:
 - Fix a problem with invalid auth error detection for LDAP
   client SDKs that don't support the LDAP_SECURITY_ERROR
   macro.  PR 39529.

mod_autoindex:
 - Fix filename escaping with FancyIndexing disabled.
   PR 38910.

mod_cache:
 - Make caching of reverse SSL proxies possible again.
   PR 39593.  [#202702]
 - Do not overwrite the Content-Type in the cache, for
   successfully revalidated cached objects.  PR 39647.

mod_charset_lite:
 - Bypass translation when the source and dest charsets are
   the same.

mod_dbd:
 - Fix dependence on virtualhost configuration in defining
   prepared statements (possible segfault at startup in
   user modules such as mod_authn_dbd).

mod_mem_cache:
 - Set content type correctly when delivering data from
   cache.  PR 39266.

mod_speling:
 - Add directive to deal with case corrections only and
   ignore other misspellings.

miscellaneous:
 - Add optional 'scheme://' prefix to ServerName
   directive, allowing correct determination of the
   canonical server URL for use behind a proxy or offload
   device handling SSL; fixing redirect generation in
   those cases.  PR 33398.
 - Added server_scheme field to server_rec for above.
   Minor MMN bump.
 - Worker MPM: On graceless shutdown or restart, send
   signals to each worker thread to wake them up if
   they're polling on a Keep-Alive connection.  PR 38737.
 - worker and event MPMs: fix excessive forking if fork()
   or child_init take a long time.  PR 39275.
 - Respect GracefulShutdownTimeout in the worker and event
   MPMs.
 - configure: Add &quot;--with-included-apr&quot; flag to force use
   of the bundled version of APR at build time.

Changelog of 2.2.1 and 2.2.2:

SECURITY: CVE-2005-3357 (cve.mitre.org)
 - mod_ssl: Fix a possible crash during access control
   checks if a non-SSL request is processed for an SSL
   vhost (such as the &quot;HTTP request received on SSL port&quot;
   error message when a 400 ErrorDocument is configured,
   or if using &quot;SSLEngine optional&quot;).  PR 37791.

SECURITY: CVE-2005-3352 (cve.mitre.org)
 - mod_imagemap: Escape untrusted referer header before
   outputting in HTML to avoid potential cross-site
   scripting.  Change also made to ap_escape_html so we
   escape quotes.  Reported by JPCERT.

mod_cache:
 - Make caching of reverse proxies possible again.
   PR 38017.

mod_disk_cache:
 - Return the correct error codes from bucket read
   failures, instead of APR_EGENERAL.

mod_dbd:
 - Update defaults, improve error reporting.
 - Create own pool and mutex to avoid problematic use of
   the process pool in request processing.

mod_deflate:
 - Work correctly in an internal redirect.

mod_proxy:
 - Don't reuse a connection that may be to the wrong
   backend.  PR 39253.
 - Do not release connections from connection pool twice.
   PR 38793.
 - Fix KeepAlives not being allowed and set to backend
   servers.  PR 38602.
 - Fix incorrect usage of local and shared worker init.
   PR 38403.
 - If we get an error reading the upstream response, close
   the connection.

mod_proxy_balancer:
 - Initialize members of a balancer correctly.  PR 38227.
 - Do not overwrite the status of initialized workers and
   respect the configured status of uninitialized workers
   when creating a new child process.
 - Fix off-by-one error in proxy_balancer.  PR 37753.

mod_proxy_ajp:
 - Flushing of the output after each AJP chunk is now
   configurable at runtime via the 'flushpackets' and
   'flushwait' worker params.  Minor MMN bump.
 - Crosscheck the length of the body chunk with the length
   of the ajp message to prevent mod_proxy_ajp from
   reading beyond the buffer boundaries and thus revealing
   possibly sensitive memory contents to the client.
 - Support common headers of the AJP protocol in
   responses.  PR 38340.

mod_proxy_http:
 - Do send keep-alive header if the client sent
   connection: keep-alive and do not close backend
   connection if the client sent connection: close.
   PR 38524.

mod_speling:
 - Stop crashing with certain non-file requests.

mod_ssl:
 - Fix possible crashes in shmcb with gcc 4 on platforms
   requiring word-aligned pointers.  PR 38838.

miscellaneous:
 - core: Prevent reading uninitialized memory while reading
   a line of protocol input.  PR 39282.
 - core: Reject invalid Expect header immediately.
   PR 38123.
 - Default handler: Don't return output filter apr_status_t
   values.  PR 31759.
 - Add APR/APR-Util Compiled and Runtime Version numbers to
   the output of 'httpd -V'.
 - http: If a connection is aborted while waiting for a
   chunked line, flag the connection as errored out.
 - Don't hang on error return from post_read_request.
   PR 37790.
 - Fix mis-shifted 32 bit scope, masked to 64 bits as a
   method.
 - Fix recursive ErrorDocument handling.  PR 36090.
 - Ensure that the proper status line is written to the
   client, fixing incorrect status lines caused by filters
   which modify r-&gt;status without resetting
   r-&gt;status_line, such as the built-in byterange filter.
 - HTML-escape the Expect error message.  Not classed as
   security as an attacker has no way to influence the
   Expect header a victim will send to a target site.
 - Chunk filter: Fix chunk filter to create correct chunks
   in the case that a flush bucket is surrounded by data
   buckets.
 - Avoid Server-driven negotiation when a script has
   emitted an explicit Status: header.  PR 38070.
 - htdbm: Fix crash processing -d option in 64-bit mode on
   HP-UX.
 - htdbm: Warn the user when adding a plaintext password on
   a platform where it wouldn't work with the server
   (i.e., anywhere that has crypt()).
</description>
  <yum:version ver="2281" rel="0"/>
  <rpm:requires>
    <rpm:entry kind="atom" name="apache2" epoch="0" ver="2.2.3" rel="16.2" flags="EQ"/>
    <rpm:entry kind="atom" name="apache2-devel" epoch="0" ver="2.2.3" rel="16.2" flags="EQ"/>
    <rpm:entry kind="atom" name="apache2-prefork" epoch="0" ver="2.2.3" rel="16.2" flags="EQ"/>
    <rpm:entry kind="atom" name="apache2-worker" epoch="0" ver="2.2.3" rel="16.2" flags="EQ"/>
  </rpm:requires>
  <category>recommended</category>
  <atoms>
    <package xmlns="http://linux.duke.edu/metadata/common" type="rpm">
      <name>apache2</name>
      <arch>x86_64</arch>
      <version epoch="0" ver="2.2.3" rel="16.2"/>
      <checksum type="sha" pkgid="YES">65131010871a2209b4fbb0e3a7017b16292ba7f1</checksum>
      <time file="1163770993" build="1163589934"/>
      <size package="1031668" installed="2912815" archive="2982536"/>
      <location xml:base="media://#1" href="suse/x86_64/apache2-2.2.3-16.2.x86_64.rpm"/>
      <format>
        <rpm:requires>
          <rpm:entry kind="package" name="apache2" epoch="0" ver="2.2.3" rel="16.2" flags="GE"/>
        </rpm:requires>
        <suse:freshens>
          <suse:entry kind="package" name="apache2"/>
        </suse:freshens>
      </format>
      <pkgfiles xmlns="http://novell.com/package/metadata/suse/patch">
      </pkgfiles>
    </package>
    <package xmlns="http://linux.duke.edu/metadata/common" type="rpm">
      <name>apache2-devel</name>
      <arch>x86_64</arch>
      <version epoch="0" ver="2.2.3" rel="16.2"/>
      <checksum type="sha" pkgid="YES">8aace0eee32620e476c0eabf1dd637b526e8c3d4</checksum>
      <time file="1163770993" build="1163589934"/>
      <size package="210232" installed="627259" archive="661044"/>
      <location xml:base="media://#1" href="suse/x86_64/apache2-devel-2.2.3-16.2.x86_64.rpm"/>
      <format>
        <rpm:requires>
          <rpm:entry kind="package" name="apache2-devel" epoch="0" ver="2.2.3" rel="16.2" flags="GE"/>
        </rpm:requires>
        <suse:freshens>
          <suse:entry kind="package" name="apache2-devel"/>
        </suse:freshens>
      </format>
      <pkgfiles xmlns="http://novell.com/package/metadata/suse/patch">
      </pkgfiles>
    </package>
    <package xmlns="http://linux.duke.edu/metadata/common" type="rpm">
      <name>apache2-prefork</name>
      <arch>x86_64</arch>
      <version epoch="0" ver="2.2.3" rel="16.2"/>
      <checksum type="sha" pkgid="YES">7a31f982fbb2739a8813d1b7d295a9f0d4703941</checksum>
      <time file="1163770994" build="1163589934"/>
      <size package="314447" installed="612008" archive="625992"/>
      <location xml:base="media://#1" href="suse/x86_64/apache2-prefork-2.2.3-16.2.x86_64.rpm"/>
      <format>
        <rpm:requires>
          <rpm:entry kind="package" name="apache2-prefork" epoch="0" ver="2.2.3" rel="16.2" flags="GE"/>
        </rpm:requires>
        <suse:freshens>
          <suse:entry kind="package" name="apache2-prefork"/>
        </suse:freshens>
      </format>
      <pkgfiles xmlns="http://novell.com/package/metadata/suse/patch">
      </pkgfiles>
    </package>
    <package xmlns="http://linux.duke.edu/metadata/common" type="rpm">
      <name>apache2-worker</name>
      <arch>x86_64</arch>
      <version epoch="0" ver="2.2.3" rel="16.2"/>
      <checksum type="sha" pkgid="YES">85786b9dc509f2b5a51e2b4b7d1428fb7bf6e896</checksum>
      <time file="1163770994" build="1163589934"/>
      <size package="321915" installed="628744" archive="642640"/>
      <location xml:base="media://#1" href="suse/x86_64/apache2-worker-2.2.3-16.2.x86_64.rpm"/>
      <format>
        <rpm:requires>
          <rpm:entry kind="package" name="apache2-worker" epoch="0" ver="2.2.3" rel="16.2" flags="GE"/>
        </rpm:requires>
        <suse:freshens>
          <suse:entry kind="package" name="apache2-worker"/>
        </suse:freshens>
      </format>
      <pkgfiles xmlns="http://novell.com/package/metadata/suse/patch">
      </pkgfiles>
    </package>
  </atoms>
</patch>
