RealTime IT News

Apache Upgrade Fixes Windows Bugs

One of the world's most widely used server software programs Monday got an upgrade to fix some serious problems found in three versions of Microsoft Windows.

Volunteers with the Apache Software Foundation and the Apache HTTP Server Project released Apache 2.0 HTTP Server version 2.0.44 primarily as a security and bug fix over its previous incarnation as version 2.0.43.

This is the seventh public release of the server operating system and is considered by the organization to be "the best version of Apache available." The software is now available for download from the Web site.

Among the problems found by Apache-watchers Matthew Murphy and Lionel Brits:

* VU#979793 addresses versions of Windows 9x and Me, which could be crashed by a malicious request to Apache that contains a MS-DOS device name. The patch is available from Microsoft, but Apache 2.0.44 includes the correct filters even if the Microsoft update is not applied.

* VU#825177 builds on VU#979793, as a remote attacker can run arbitrary code on a server running Apache under Windows 9x and Me by sending a carefully crafted POST request containing a MS-DOS device name.

* On Windows platforms, Apache could be forced to serve unexpected files by appending illegal characters such as "<" to the request URL.

The Apache release team also says the 2.0.44 version marks a change in the Apache release process and, "a new level of stability in the 2.0 series."

"Beginning with this release, we will make every effort to retain forward compatibility in the configuration and module API, so that upgrading along the 2.0 series should be much easier," the team said in a statement. "This compatibility extends backwards to 2.0.42, so users of that version or later should be able to upgrade without changing configurations or updating DSO modules."

The Foundation says people using earlier releases will need to recompile all modules in order to upgrade to 2.0.44.

In all there are 51 bugs fixed and features added beyond 2.0.43. The Apache Group says 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase including some of the following:
* mod_autoindex: Bring forward the IndexOptions IgnoreCase option from Apache 1.3. PR 14276
* mod_mime: Workaround to prevent a segfault if r->filename=NULL
* Reorder the definitions for mod_ldap and mod_auth_ldap within config.m4 to make sure the parent mod_ldap is defined first. This ensures that mod_ldap comes before mod_auth_ldap in the httpd.conf file, which is necessary for mod_auth_ldap to load. PR 14256
* Fix the building of cgi command lines when the query string contains '='. PR 13914
* Rename CacheMaxStreamingBuffer to MCacheMaxStreamingBuffer. Move implementation of MCacheMaxStreamingBuffer from mod_cache to mod_mem_cache. MCacheMaxStreamingBuffer now defaults to the lesser of 100,000 bytes or MCacheMaxCacheObjectSize. This should eliminate the need for explicitly coding McacheMaxStreamingBuffer in most configurations.
* Replace APU_HAS_LDAPSSL_CLIENT_INIT with APU_HAS_LDAP_NETSCAPE_SSL as set by apr-util in util_ldap.c. This should allow mod_ldap to work with the Netscape/Mozilla LDAP library.
* Fix critical bug in new --enable-v4-mapped configure option implementation which broke IPv4 listening sockets on some systems.

The Foundation says if you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe.