Apache Updates HTTP Web Server for Security and the Future

By Sean Kerner (Send Email)
Posted May 24, 2011


The Apache HTTP Server powers the majority of web servers around the world. As such, when there is a security flaw, it's critical to fix it as quickly as possible. Apache updates the world's most popular web server with a security update and a beta for the next generation of HTTP.

The Apache Software Foundation this week released Apache HTTP Server 2.2.19, fixing a security flaws in the open source web server. The 2.2.19 release was triggered by a flaw in the 2.2.18 release earlier this month which created new regressions after fixing other flaws.

A fix in the Apache Portable runtime for the 2.2.18 release, which is bundled with HTTP Server triggered a possible denial of service (DoS) issue.

"Httpd workers enter a hung state (100% cpu utilization) after updating to APR 1.4.4," Apache warned in its 2.2.19 release notes. "Upgrading to APR 1.4.5 bundled with the httpd 2.2.19 package, or using APR 1.4.3 or prior with the 'IgnoreClient' option of the 'IndexOptions' directive will circumvent both issues."

The 2.2.19 release also provides a fix for a regression introduced in 2.2.18 for the ap_unescape_url_keep2f() function signature. That change in 2.2.18, led to binary compatibility issues, which have now been fixed in the new 2.2.19 release.

While Apache is patching its mainline production version HTTP Server, work is progressing on its next-generation web server as well. This week, Apache HTTP Server 2.3.12 beta was released, providing users with a glimpse into the future of Apache.

"Apache 2.3 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase," Apache noted in its release announcement. "This version of Apache is our second beta release to test new technology and features that are incompatible or too large for the stable 2.2.x branch."

The 2.3 development branch offers multiple new features including the ability specify KeepAliveTimeout in milliseconds. Log levels can now be specified on a per directory and per module basis and asynchronous read/write support has been improved.

Apache 2.3 also introduces a number of new modules including mod_ratelimit which enables server admin to specify a maximum connection speed for client bandwidth.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.

Follow ServerWatch on Twitter

Page 1 of 1


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.