Apache 2.0.44 released

January 22, 2003

The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the seventh public release of the Apache 2.0 HTTP Server. This Announcement notes the significant changes in 2.0.44 as compared to 2.0.43.

This version of Apache is principally a security and bug fix release. A summary of the bug fixes is given at the end of this document. Of particular note is that 2.0.44 addresses three security vulnerabilities affecting the Windows platform.

VU#979793[1] Versions of Windows 9x and Me could be crashed by a malicious request to Apache that contains an MS-DOS device name. This is a known security issue in Microsoft Windows for which a fix is available: http://www.microsoft.com/technet/Security/Bulletin/ms00-017.asp

Apache 2.0.44 has also been patched to correctly filter MS-DOS device names, preventing the crash even if the Microsoft update is not applied (cve.mitre.org: CAN-2003-0016).

VU#825177[2] As a consequence of VU#979793, a remote attacker can run arbitrary code on a server running Apache under Windows 9x and Me by sending a carefully crafted POST request containing an MS-DOS device name (cve.mitre.org: CAN-2003-0016).

On Windows platforms Apache could be forced to serve unexpected files by appending illegal characters such as '<' to the request URL (cve.mitre.org: CAN-2003-0017).
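A sketch of the kind of request-path filtering described above, as an added example; it is not the code of the Apache 2.0.44 patch. The function names, the list of reserved device names and the set of rejected characters are assumptions of this example, and the sample paths are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Reserved device names; COM1-9 and LPT1-9 are handled separately. */
static const char *const DEVICES[] = {"CON", "PRN", "AUX", "NUL", "CLOCK$"};

/* Case-insensitive match of the n bytes at s against an upper-case name. */
static int ieq(const char *s, size_t n, const char *name) {
    if (strlen(name) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)s[i]) != name[i]) return 0;
    return 1;
}

/* Returns 1 if one path segment (len bytes) names an MS-DOS device. */
int is_dos_device(const char *seg, size_t len) {
    size_t n = 0;
    /* Only the stem counts ("aux.html", "con:"); trailing spaces are dropped. */
    while (n < len && seg[n] != '.' && seg[n] != ':') n++;
    while (n > 0 && seg[n - 1] == ' ') n--;
    for (size_t i = 0; i < sizeof DEVICES / sizeof *DEVICES; i++)
        if (ieq(seg, n, DEVICES[i])) return 1;
    return n == 4 && (ieq(seg, 3, "COM") || ieq(seg, 3, "LPT"))
        && seg[3] >= '1' && seg[3] <= '9';
}

/* Returns 1 if every segment of a decoded URL path is acceptable, else 0. */
int path_is_safe(const char *path) {
    const char *p = path;
    while (*p) {
        while (*p == '/' || *p == '\\') p++;      /* skip separators */
        size_t len = strcspn(p, "/\\");           /* length of this segment */
        for (size_t i = 0; i < len; i++)          /* illegal filename bytes */
            if (strchr("<>\"|?*", p[i]) || (unsigned char)p[i] < 0x20)
                return 0;
        if (len && is_dos_device(p, len)) return 0;
        p += len;
    }
    return 1;
}

int main(void) {
    const char *s[] = {"/index.html", "/cgi-bin/aux", "/docs/Con.html", "/index.html<"};
    for (size_t i = 0; i < 4; i++)  /* constructed sample paths */
        printf("%-16s %s\n", s[i], path_is_safe(s[i]) ? "allow" : "reject");
    return 0;
}
```

The check has to run on the path after URL decoding and before it is mapped to the filesystem, otherwise an encoded form of the same name passes.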

The Apache Software Foundation would like to thank Matthew Murphy and Lionel Brits for the responsible reporting of these issues.

The 2.0.44 release marks a change in the Apache release process and a new level of stability in the 2.0 series. Beginning with this release, we will make every effort to retain forward compatibility in the configuration and module API, so that upgrading along the 2.0 series should be much easier. This compatibility extends backwards to 2.0.42, so users of that version or later should be able to upgrade without changing configurations or updating DSO modules. (Users of earlier releases will need to recompile all modules in order to upgrade to 2.0.44.)

We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.

Apache 2.0.44 is available for download from http://httpd.apache.org/download.cgi

Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes.

Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see http://httpd.apache.org/docs-2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep in mind the following:

If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please contact the vendors of these modules to obtain this information.

More at Apache announcement.
