Apache Updates HTTP Servers

New versions of both branches of the Apache Software Foundation’s (ASF) HTTP Web server are now available.

Apache HTTP Server 1.3.34 and Apache HTTP Server 2.0.55 are both principally security and bug fix releases.

The Apache 1.3.34 release addresses two potential security issues. A per-server TraceEnable directive has been added, and the code now removes Content-Length headers when a request includes both Transfer-Encoding and Content-Length headers, a combination that could potentially lead to an HTTP Request Splitting/Spoofing attack.
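The header handling described above, sketched as an added example (this is not Apache's source code). The function names and the two sample requests are constructed for illustration.

```python
# Added illustration of the Content-Length / Transfer-Encoding rule; all names
# here are hypothetical and the requests below are constructed samples.

def parse_headers(raw: bytes):
    """Split a raw request head into (request_line, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.decode("latin-1").strip(),
                        value.decode("latin-1").strip()))
    return lines[0].decode("latin-1"), headers


def normalize_framing(headers):
    """Drop every Content-Length header when Transfer-Encoding is also present.

    Returns (kept_headers, dropped_values). With only one framing header left,
    the server and an intermediary cannot disagree on where the body ends.
    Header names are compared case-insensitively.
    """
    names = {name.lower() for name, _ in headers}
    if "transfer-encoding" not in names or "content-length" not in names:
        return list(headers), []
    kept, dropped = [], []
    for name, value in headers:
        if name.lower() == "content-length":
            dropped.append(value)  # keep the value so it can be logged
        else:
            kept.append((name, value))
    return kept, dropped


# Constructed sample requests (not captured traffic).
AMBIGUOUS = (b"POST /form HTTP/1.1\r\nHost: www.example.com\r\n"
             b"content-length: 11\r\nTransfer-Encoding: chunked\r\n\r\n")
PLAIN = (b"POST /form HTTP/1.1\r\nHost: www.example.com\r\n"
         b"Content-Length: 11\r\n\r\n")


def check(raw: bytes):
    """Return (names of headers kept, Content-Length values dropped)."""
    _, headers = parse_headers(raw)
    kept, dropped = normalize_framing(headers)
    return [name for name, _ in kept], dropped


if __name__ == "__main__":
    for label, raw in (("ambiguous", AMBIGUOUS), ("plain", PLAIN)):
        print(label, *check(raw))
```

A non-empty list of dropped values marks a request that arrived with both framing headers and is worth logging.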

Apache 2.0.55 addresses six security issues, three of which are related to HTTP Request and Response Splitting/Spoofing attacks.

Other fixes include CAN-2005-2491, a CVE-designated issue involving integer overflows. CAN-2005-2728 deals with cases “where the byterange filter would buffer responses into memory.”

CAN-2005-1268 is a flaw with mod_ssl which could have triggered an overflow condition.

Apache’s HTTP Web server is considered one of the most successful open source projects; it dominates the Web serving market. For example, the October 2005 Netcraft Web server survey reported that Apache Web servers currently power 52 million Web sites and command a 70 percent market share.

The latest release comes nearly a year after Apache HTTP Server 1.3.33, which was one of the fastest point releases in recent memory, following its predecessor 1.3.32 by less than a week.
