Apache 2.0.43 was released late last week. This sixth release of version 2.0 is a security, bug fix, and minor upgrade release.
It replaces v2.0.42, which was released on September 24.
Apache 2.0.43 is available in source form for compiling on Unix or Windows, for download from the main Apache site or from any mirror download site. Due to security issues, any sites using versions prior to Apache 2.0.43 should upgrade to Apache 2.0.43.
The release fixes a security problem described in CAN-2002-0840 on cve.mitre.org. It also fixes some bugs from 2.0.42 (and earlier) as well as adding some additional capability. The Apache Software Foundation urges all users of Apache 2.0.42 and prior to upgrade as soon as possible.
Apache 2.0 add-in modules are not compatible with modules written or compiled for Apache 1.3. Users running third-party add-in modules will need to obtain new modules written for Apache 2.0 from that third party before attempting to upgrade from Apache 1.3.
Note: the -win32-src.zip versions of Apache are nearly identical to the .tar.gz versions. However, they offer the source files in DOS/Windows CR/LF text format, and include the Win32 build files. These -win32-src.zip files do NOT contain binaries. See the binaries/win32/ directory for the Windows binary distributions.
Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other Web page visitors via the Host: header.
In Apache 2.0.42, for a location where both WebDAV and CGI were enabled, a POST request to a CGI script would reveal the CGI source to a remote user. This issue does not affect any versions of Apache 2.0 other than 2.0.42.
Security Vulnerabilities Closed Since Apache 2.0.42
- Fixed the security vulnerability noted in CAN-2002-0840 (cve.mitre.org) regarding a cross-site scripting vulnerability in the default error page when using wildcard DNS
- Prevents POST requests for CGI scripts from serving the source code when DAV is enabled on the location.
Bugs Fixed Since Apache 2.0.42
- Fixed a core dump in mod_cache when it attemtped to store uncopyable buckets, such as a file containing SSI tags to execute a CGI script
- Ensured that output already available is flushed to the network to help some streaming CGIs and other dynamically generated content
- Fixed a mutex problem in mod_ssl dbm session cache support
- Allow the UserDir directive to accept a list of directories, as in 1.3
- Changed SuExec to use the same default directory as the rest of the server, e.g., /usr/local/apache2
- Retry connections with mod_auth_ldap on LDAP_SERVER_DOWN errors
- Pass the WWW-Authenticate header on a 4xx responses from the proxy
- Fixed mod_cache's CacheMaxStreamingBuffer directive within virtual hosts
- Add -p option to apxs to allow programs to be compiled with apxs