2010年3月 7日

[installer 2273] apache-2.2.15

apache-2.2.15 が出ています。

複数のセキュリティホールの修正が含まれています。

☆ apache-2.2.15
http://httpd.apache.org/
http://www.apache.org/dist/httpd/httpd-2.2.15.tar.gz

Changes with Apache 2.2.15

*) SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
by rejecting any client-initiated renegotiations. Forcibly disable
keepalive for the connection if there is any buffered data readable. Any
configuration which requires renegotiation for per-directory/location
access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
[Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]

*) SECURITY: CVE-2010-0408 (cve.mitre.org)
mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
when request headers indicate a request body is incoming; not a case of
HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>]

*) SECURITY: CVE-2010-0425 (cve.mitre.org)
mod_isapi: Do not unload an isapi .dll module until the request
processing is completed, avoiding orphaned callback pointers.
[Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]

*) Ensure each subrequest has a shallow copy of headers_in so that the
parent request headers are not corrupted. Elimiates a problematic
optimization in the case of no request body. PR 48359
[Jake Scott, William Rowe, Ruediger Pluem]

*) mod_reqtimeout: New module to set timeouts and minimum data rates for
receiving requests from the client. [Stefan Fritsch]

*) mod_proxy_ajp: Really regard the operation a success, when the client
aborted the connection. In addition adjust the log message if the client
aborted the connection. [Ruediger Pluem]

*) mod_negotiation: Preserve query string over multiviews negotiation.
This buglet was fixed for type maps in 2.2.6, but the same issue
affected multiviews and was overlooked.
PR 33112 [Joergen Thomsen <apache jth.net>]

*) mod_cache: Introduce the thundering herd lock, a mechanism to keep
the flood of requests at bay that strike a backend webserver as
a cached entity goes stale. [Graham Leggett]

*) mod_proxy_http: Make sure that when an ErrorDocument is served
from a reverse proxied URL, that the subrequest respects the status
of the original request. This brings the behaviour of proxy_handler
in line with default_handler. PR 47106. [Graham Leggett]

*) mod_log_config: Add the R option to log the handler used within the
request. [Christian Folini <christian.folini netnea com>]

*) mod_include: Allow fine control over the removal of Last-Modified and
ETag headers within the INCLUDES filter, making it possible to cache
responses if desired. Fix the default value of the SSIAccessEnable
directive. [Graham Leggett]

*) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
allows insecure renegotiation with clients which do not yet
support the secure renegotiation protocol. [Joe Orton]

*) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
is configured for client cert auth. PR 46952. [Joe Orton]

*) core: Fix potential memory leaks by making sure to not destroy
bucket brigades that have been created by earlier filters.
[Stefan Fritsch]

*) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
try other providers in the case of an LDAP bind failure.
PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]

*) mod_proxy, mod_proxy_http: Support remote https proxies
by using HTTP CONNECT.
PR 19188. [Philippe Dutrueux <lilas evidian.com>, Rainer Jung]

*) worker: Don't report server has reached MaxClients until it has.
Add message when server gets within MinSpareThreads of MaxClients.
PR 46996. [Dan Poirier]

*) mod_ssl: When extracting certificate subject/issuer names to the
SSL_*_DN_* variables, handle RDNs with duplicate tags by
exporting multiple varialables with an "_n" integer suffix.
PR 45875. [Joe Orton, Peter Sylvester <peter.sylvester edelweb.fr>]

*) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
password now result in an informational level log entry instead of
warning level. [Eric Covener]

*) core: Preserve Port information over internal redirects
PR 35999 [Jonas Ringh <jonas.ringh cixit.se>]

*) mod_filter: fix FilterProvider matching where "dispatch" string
doesn't exist.
PR 48054 [<tietw gmail.com>]

*) Build: fix --with-module to work as documented
PR 43881 [Gez Saunders <gez.saunders virgin.net>]

*) mod_mime: Make RemoveType override the info from TypesConfig.
PR 38330. [Stefan Fritsch]

*) mod_proxy: unable to connect to a backend is SERVICE_UNAVAILABLE,
rather than BAD_GATEWAY or (especially) NOT_FOUND.
PR 46971 [evanc nortel.com]

*) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'.
[Eric Covener]

*) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge
some cache entries and log a warning. Also increase the default
LDAPSharedCacheSize to 500000. This is a more realistic size suitable
for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
PR 46749. [Stefan Fritsch]

*) mod_disk_cache, mod_mem_cache: don't cache incomplete responses,
per RFC 2616, 13.8. PR15866. [Dan Poirier]

*) mod_rewrite: Make sure that a hostname:port isn't fully qualified if
the request is a CONNECT request. PR 47928
[Bill Zajac <billz consultla.com>]

*) mod_cache: correctly consider s-maxage in cacheability
decisions. [Dan Poirier]

*) core: Return APR_EOF if request body is shorter than the length announced
by the client. PR 33098 [ Stefan Fritsch <sf sfritsch.de>]

投稿者 xml-rpc : 2010年3月 7日 08:48
役に立ちました?:
過去のフィードバック 平均:(0) 総合:(0) 投票回数:(0)
本記事へのTrackback: http://hoop.euqset.org/blog/mt-tb2006.cgi/93908
トラックバック
コメント
コメントする




画像の中に見える文字を入力してください。