Apache Fixes Bugs in Server Upgrade | Internet News

Written by Ryan Naraine
Oct 4, 2002

The Apache Software Foundation and The Apache Server Project on Thursday
released Version 1.3.27 of its popular Web server software, an upgrade that
includes fixes to three security vulnerabilities.

The new Apache HTTP server was described as principally a security and
bug-fix release. It plugs a hole that exists in all versions of Apache prior
to 1.3.27 on platforms using System V shared memory based scoreboards.

That vulnerability allows an attacker who can execute code under the Apache
UID to exploit the Apache shared memory scoreboard format and send a signal
to any process as root, or to cause a local denial-of-service attack.

Another bug, which made Apache susceptible to a cross-site scripting
vulnerability in the default 404 page of any Web server hosted on a domain
that allows wildcard DNS lookups, was also fixed.

The Apache Foundation said some possible overflows in ab.c, which could be
exploited by a malicious server, were also fixed.

The new server release also includes new features that offer “substantial
improvements” over version 1.2, the Apache Foundation said, upgrades that
include better performance, reliability and an expansion of supported
platforms, including Windows NT and 2000 (which fall under the “Win32”
label), OS2, Netware, and TPF threaded platforms.

It has been fitted with a new ErrorHeader directive, and configuration file
globbing can now use simple pattern matching. Apache has also made parsing
of the protocol version (e.g. HTTP/1.1) in the request line
case-insensitive, a key upgrade over previous versions.

Other highlights include:

  • ap_snprintf() can now distinguish between an output which was
    truncated, and an output which exactly filled the buffer.
  • Added a ProtocolReqCheck directive, which determines if Apache will check
    for a valid protocol string in the request (e.g. HTTP/1.1) and return
    HTTP_BAD_REQUEST if not valid. Versions of Apache prior to 1.3.26 would
    silently ignore bad protocol strings, but 1.3.26 included a stricter
    check. The new directive makes that check configurable at runtime.
  • Added support for Berkeley-DB/4.x to mod_auth_db.
  • httpd -V will now also print out the compile time defined
    HARD_SERVER_LIMIT value.
  • On specific platforms, new features in the upgrade include support for
    Caldera OpenUNIX 8 and the ability to use SysV semaphores by default on
    OpenBSD. It also implements file locking in mod_rewrite for the NetWare
    CLib platform.
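
An added illustration (not Apache's code) of the two request-line behaviours described above: the protocol version matched case-insensitively, and a strict mode that returns HTTP_BAD_REQUEST for an invalid protocol string. The function names, the `strict` flag standing in for ProtocolReqCheck, and the HTTP/1.0 fallback in lenient mode are assumptions.

```c
#include <ctype.h>
#include <string.h>

#define HTTP_BAD_REQUEST 400

/* Accept "HTTP/<digits>.<digits>"; the scheme is matched case-insensitively. */
static int parse_protocol(const char *tok, size_t len, int *major, int *minor)
{
    static const char scheme[] = "http/";
    const char *p = tok;
    int v[2] = {0, 0}, i, digits;
    for (i = 0; i < 5; i++)
        if (tolower((unsigned char)*p++) != scheme[i])
            return 0;
    for (i = 0; i < 2; i++) {
        for (digits = 0; isdigit((unsigned char)*p) && digits < 4; digits++)
            v[i] = v[i] * 10 + (*p++ - '0');
        if (digits == 0 || (i == 0 && *p++ != '.'))
            return 0;
    }
    if ((size_t)(p - tok) != len) return 0;  /* trailing bytes in the token */
    *major = v[0]; *minor = v[1];
    return 1;
}

/* Skip blanks; return the start of the next token and store its length. */
static const char *next_token(const char *s, size_t *len)
{
    s += strspn(s, " \t");
    *len = strcspn(s, " \t\r\n");
    return s;
}

/* strict != 0 models the check switched on. Returns 0 or HTTP_BAD_REQUEST. */
int check_request_line(const char *line, int strict, int *major, int *minor)
{
    size_t len, extra;
    const char *tok = next_token(line, &len);            /* method */
    if (len == 0) return HTTP_BAD_REQUEST;
    tok = next_token(tok + len, &len);                   /* URI */
    if (len == 0) return HTTP_BAD_REQUEST;
    tok = next_token(tok + len, &len);                   /* protocol, optional */
    if (len == 0) { *major = 0; *minor = 9; return 0; }  /* none: HTTP/0.9 style */
    next_token(tok + len, &extra);                       /* anything after it? */
    if (extra == 0 && parse_protocol(tok, len, major, minor)) return 0;
    if (strict) return HTTP_BAD_REQUEST;
    *major = 1; *minor = 0;      /* assumption: lenient fallback is HTTP/1.0 */
    return 0;
}
```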

The Foundation said fixes for several minor bugs found in Apache 1.3.26 (or
earlier), including mod_proxy fixes, have been included in Apache 1.3.27.

Separately, the Jakarta Ant-Dev has released Version 1.5.1 of Apache Ant, a
Java-based build tool that allows full portability of pure Java code. The
Jakarta Ant-Dev upgrade also fixes several bugs in older versions.
