The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the eighth public release of the Apache 2.0 HTTP Server. This Announcement notes the significant changes in 2.0.45 as compared to 2.0.44. OS2 users; note that Apache 2.0 versions *including* 2.0.45 still have a Denial of Service vulnerability that was identified and reported by Robert Howard that will fixed with the release of 2.0.46, but is too important to delay announcement today. The patch http://cvs.apache.org/viewcvs/apr/file_io/os2/filestat.c.diff?r1=1.34&r2=1.35 must be applied before building on OS2. This patch will already be applied to all OS2 binaries released for Apache 2.0.45. [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0134] This version of Apache is principally a security and bug fix release. A summary of the bug fixes is given at the end of this document. Of particular note is that 2.0.45 addresses two security vulnerabilities, both affecting all platforms. Prior Apache 2.0 versions through 2.0.44 had a significant Denial of Service vulnerability that was identified and reported by David Endler <[email protected]>, and fixed with this release. The specific details of this issue will be published by David Endler one week from this release, on April 8th [this is the correct, revised date]. No more specific information is disclosed at this time, but all Apache 2.0 users are encouraged to upgrade now. [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132] This release eliminated leaks of several file descriptors to child processes, such as CGI scripts, which could consitute a security threat on servers that run untrusted CGI scripts. This issue was identified, reported and addressed by Christian Kratzer <[email protected]> and Bjoern A. Zeeb <[email protected]>. The Apache Software Foundation would like to thank David Endler, Christian Kratzer, Bjoern Zeeb and Robert Howard for the responsible reporting of these issues. Apache 2.0.42 and later releases mark a change in the Apache release process, and a new level of stability in the 2.0 series. With the release of Apache 2.0.42, we will make every effort to retain forward compatibility so that upgrading along the 2.0 series should be much easier. This compatibility extends from Apache release 2.0.42, so users of that version or later should be able to upgrade without changing configurations or updating DSO modules. (Users of earlier releases will need to recompile all modules in order to upgrade to 2.0.42 or later versions.) We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade. Apache 2.0.45 is available for download from http://httpd.apache.org/download.cgi Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes. Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see http://httpd.apache.org/docs-2.0/new_features_2_0.html When upgrading or installing this version of Apache, please keep in mind the following: If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please contact the vendors of these modules to obtain this information. Apache 2.0.45 Major changes Security vulnerabilities closed since Apache 2.0.44 SECURITY [CAN-2003-0132]: Close a Denial of Service vulnerability identified by David Endler on all platforms. Details embargoed until their announcement on 7 April 2003. SECURITY: Eliminated leaks of several file descriptors to child processes, such as CGI scripts. This fix depends on the latest APR library release 0.9.2, which is distributed with the httpd source tarball for Apache 2.0.45. PR 17206 [Christian Kratzer , Bjoern A. Zeeb ] Bugs fixed and features added since Apache 2.0.44 Prevent endless loops of internal redirects in mod_rewrite by aborting after exceeding a limit of internal redirects. The limit defaults to 10 and can be changed using the RewriteOptions directive. PR 17462. Configurable compression level for mod_deflate. Allow SSLMutex to select/use the full range of APR locking mechanisms available to it (e.g. same choices as AcceptMutex.) mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot be started on Unix because of such problems as bad permissions, bad shebang line, etc. Try to log an error if a piped log program fails and try to restart a piped log program in more failure situations. Added support for mod_auth_LDAP, with a new AuthLDAPCharsetConfig directive, to convert extended characters in the user ID to UTF-8, before authenticating against the LDAP directory. No longer removes the Content-Length from responses via mod_proxy. Enhance mod_isapi's WriteClient() callback to provide better emulation for isapi extensions that use the first WriteClient() to send status and headers, such as the foxisapi module. Win32: Avoid busy wait (consuming all the CPU idle cycles) when all worker threads are busy. Introduced .pdb debugging symbols for Win32 release builds. Fixed piped access logs on Win32. Fix path handling of mod_rewrite, especially on non-unix systems. There was some confusion between local paths and URL paths. Added an rpm build script.
I'll be upgrading my servers soon enough. I didnt bother readin it all, but its looking good. The current one is very stable, and i'm more than happy with it.
Main thing is it closes 2 exploits which could be used for DoS attacks, aside from that I don't think there's much new in it.
