Apache HTTP Server 2.2.22 发布

发布于 2012年01月31日
收藏 3



Changes with Apache 2.2.22

  *) SECURITY: CVE-2011-3368 (cve.mitre.org)
     Reject requests where the request-URI does not match the HTTP
     specification, preventing unexpected expansion of target URLs in
     some reverse proxy configurations.  [Joe Orton]

  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
     Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
     is enabled, could allow local users to gain privileges via a .htaccess
     file. [Stefan Fritsch, Greg Ames]

  *) SECURITY: CVE-2011-4317 (cve.mitre.org)
     Resolve additional cases of URL rewriting with ProxyPassMatch or
     RewriteRule, where particular request-URIs could result in undesired
     backend network exposure in some configurations.
     [Joe Orton]

  *) SECURITY: CVE-2012-0021 (cve.mitre.org)
     mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
     string is in use and a client sends a nameless, valueless cookie, causing
     a denial of service. The issue existed since version 2.2.17. PR 52256.
     [Rainer Canavan <rainer-apache 7val com>]

  *) SECURITY: CVE-2012-0031 (cve.mitre.org)
     Fix scoreboard issue which could allow an unprivileged child process 
     could cause the parent to crash at shutdown rather than terminate 
     cleanly.  [Joe Orton]

  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
     Fix an issue in error responses that could expose "httpOnly" cookies
     when no custom ErrorDocument is specified for status code 400.
     [Eric Covener]

  *) mod_proxy_ajp: Try to prevent a single long request from marking a worker
     in error. [Jean-Frederic Clere]

  *) config: Update the default mod_ssl configuration: Disable SSLv2, only
     allow >= 128bit ciphers, add commented example for speed optimized cipher
     list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand]

  *) core: Fix segfault in ap_send_interim_response(). PR 52315.
     [Stefan Fritsch]

  *) mod_log_config: Prevent segfault. PR 50861. [Torsten F锟絩tsch
     <torsten.foertsch gmx.net>]

  *) mod_win32: Invert logic for env var UTF-8 fixing.
     Now we exclude a list of vars which we know for sure they dont hold UTF-8
     chars; all other vars will be fixed. This has the benefit that now also
     all vars from 3rd-party modules will be fixed. PR 13029 / 34985.
     [Guenter Knauf]

  *) core: Fix hook sorting for Perl modules, a regression introduced in
     2.2.21. PR: 45076. [Torsten Foertsch <torsten foertsch gmx net>]

  *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
     A range of '0-' will now return 206 instead of 200. PR 51878.
     [Jim Jagielski]

  *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead
     of "0").  [Rainer Jung]

  *) mod_substitute: Fix buffer overrun.  [Ruediger Pluem, Rainer Jung]
转载请注明:文章转载自 OSCHINA 社区 [http://www.oschina.net]
本文标题:Apache HTTP Server 2.2.22 发布