ASF Releases Apache 2.0.47, Addresses Four Security Vulnerabilities

by ServerWatch Staff

The Apache Software Foundation and the Apache HTTP Server Project Wednesday released version 2.0.47 of the Apache Web Server. This latest version addresses four security vulnerabilities and fixes a number of bugs.

The Apache Software Foundation and the Apache HTTP Server Project Wednesday released the tenth iteration of the Apache 2.0 Web Server, version 2.0.47.

This latest version is primarily a security and bug fix release that addresses four security vulnerabilities:

  • When the SSLCipherSuite directive was used to upgrade from a weak ciphersuite to a strong one, certain sequences of per-directory renegotiations could result in the weak ciphersuite being used in place of the strong one
  • Certain errors returned by accept() on rarely accessed ports could cause a temporary denial of service, due to a bug in the prefork MPM
  • Denial of service could occur when the target host is IPv6 but the FTP proxy server cannot create an IPv6 socket
  • The server could crash when going into an infinite loop due to too many subsequent internal redirects and nested subrequests

Also new in 2.0.47 are support for "streamy" PROPFIND responses; the elimination of a double-close of a socket, which resolves various operational problems in a threaded MPM; and a "prefer-language" environment variable, which allows the server to influence the negotiation process on a per-request basis to prefer a certain language. In addition, the core_output_filter no longer splits the brigade after a FLUSH bucket if it's the last bucket, and mod_expires' ExpiresByType now works properly.

As is the case with Apache releases since version 2.0.42, this release is compatible with modules compiled for 2.0.42 and later versions.

Apache 2.0.47 is available for download from http://httpd.apache.org/download.cgi.

This article was originally published on Wednesday Jul 9th 2003