Android linux命令 HTML5 Python Firefox wordpress 开源 java nginx 微软 google Ubuntu 程序员 mysql centos php apache Windows linux shell

HTTP服务器,Apache HTTP Server 2.4.0 发布

Apache 现在的稳定系列是2.2(2.2.22) 遗留稳定版2.0/(2.0.64).2.3系列已经发布到了2.3.16-Beta.昨天官网的开发目录下已经出现了2.4.0的下载。按照惯例,相信很快2.4正式版就会发布(一般就是现有的包,不会有改动了)。尽管Nginx势头很猛,但相信使用Apache的仍然占大多数。 2.4.0分成两个包,把apr单独做成一个dep包。有兴趣的同学可以先尝试一下。按照惯例现有的包应该就是正式版本。

Changes with Apache 2.2.22

*) SECURITY: CVE-2011-3368 (cve.mitre.org)
reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
some reverse proxy configurations. [joe Orton]

*) SECURITY: CVE-2011-3607 (cve.mitre.org)
Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
is enabled, could allow local users to gain privileges via a .htaccess
file. [Stefan Fritsch, Greg Ames]

*) SECURITY: CVE-2011-4317 (cve.mitre.org)
Resolve additional cases of URL rewriting with ProxyPassMatch or
RewriteRule, where particular request-URIs could result in undesired
backend network exposure in some configurations.
[Joe Orton]

*) SECURITY: CVE-2012-0021 (cve.mitre.org)
mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
string is in use and a client sends a nameless, valueless cookie, causing
a denial of service. The issue existed since version 2.2.17. pr 52256.
[Rainer Canavan <rainer-apache 7val com>]

*) SECURITY: CVE-2012-0031 (cve.mitre.org)
Fix scoreboard issue which could allow an unprivileged child process
could cause the parent to crash at shutdown rather than terminate
cleanly. [Joe Orton]

*) SECURITY: CVE-2012-0053 (cve.mitre.org)
Fix an issue in error responses that could expose "httpOnly" cookies
when no custom ErrorDocument is specified for status code 400.
[Eric Covener]

*) mod_proxy_ajp: Try to prevent a single long request from marking a worker
in error. [Jean-Frederic Clere]

*) config: Update the default mod_ssl configuration: Disable SSLv2, only
allow >= 128bit ciphers, add commented example for speed optimized cipher
list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand]

*) core: Fix segfault in ap_send_interim_response(). PR 52315.
[Stefan Fritsch]

*) mod_log_config: Prevent segfault. PR 50861. [Torsten F锟絩tsch
<torsten.foertsch gmx.net>]

*) mod_win32: Invert logic for env var UTF-8 fixing.
Now we exclude a list of vars which we know for sure they dont hold UTF-8
chars; all other vars will be fixed. This has the benefit that now also
all vars from 3rd-party modules will be fixed. PR 13029 / 34985.
[Guenter Knauf]

*) core: Fix hook sorting for perl modules, a regression introduced in
2.2.21. PR: 45076. [Torsten Foertsch <torsten foertsch gmx net>]

*) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
A range of '0-' will now return 206 instead of 200. PR 51878.
[Jim Jagielski]

*) Example configuration: Fix entry for MaxRanges (use "unlimited" instead
of "0"). [Rainer Jung]

*) mod_substitute: Fix buffer overrun. [Ruediger Pluem, Rainer Jung]

下载地址

  • http://httpd.apache.org/dev/dist/httpd-2.4.0.tar.bz2
  • http://httpd.apache.org/dev/dist/httpd-2.4.0-deps.tar.bz2

延伸阅读

评论