Apache 1.3.20 Released Page 2

A carefully constructed URI could cause the server to segfault on Win32 and OS2, denying access to users until the error was cleared. This is resolved on both platforms, no server data vulnerability was identified for this denial of service exploit.

The general bug fixes:

  • Eliminate a potential segfault if an invalid floating point value is passed to the ap_snprintf() function, on platforms supporting isnan() and isinf().
  • Fix a possible segfault at startup in the detection of a default ServerName or IP string when no ServerName was specified.
  • Fixed mod_proxy to retain empty headers, as allowed by RFC2068.
  • Properly resolve the location of ndbm on Linux and some glibc2 builds, where ndbm.h is in the nonstandard db1/ subdir.

Win32 bug fixes:

  • Win32 now properly handles the SSI exec cmd tag. Due to argument parsing issues with spaces and slashes, cmd is interpreted as an executable file, not a long command line string.
  • Resolved a threading problem with WinNT/2K services, allowing modules such as mod_jserv and mod_perl to shut down cleanly.
  • Resolved stdin and stdout pipes for the parent Win32 service process, solving bugs such as "dup2(stdin) failed" when trying to use piped logs.

Netware specific bug fixes:

  • Netware initial screen allows the -s parameter to switch to the system console screen, warning messages during startup are now displayed.
  • Netware added '.' and '..' to the directory listing so mod_autoindex will now display the parent directory.
  • NetWare now shuts down cleanly in error conditions, such as a failure while reading the httpd.conf file.

The main new features include:

  • Enhanced rotatelogs to allow a UTC offset to be specified, and the format logfile names with human-readable date/time stamps.
  • Added the NOESCAPE (NS) flag to RewriteRule, to disable *all* normal URI escaping. Note incautious use can give unexpected results or introduce security risks.
  • Added the '\' character to RewriteRule to allow escaping of special characters. Allows embedding of both the '$' and '%' characters in the results, so 'foo$1' translates to 'foo' rather than 'foo\'.
  • Added the -V flag to suexec, to display the compile-time settings with which it was built. (Only valid for root or the HTTPD_USER username.)
  • Introduced EBCDIC conversion configuration options, controlling the conversion based on MIME type or file suffix.
  • Support for the Cygwin 1.x platform (a POSIX emulation layer for Win32 systems, see http://www.cygwin.com). Note this is an entirely different implementation than the native calls in the win32 port.
  • Support for building modules with apxs under Win32. cygwin builders must use a cygwin build of perl to avoid MSVC handling.

This article was originally published on May 21, 2001
Page 2 of 2

Thanks for your registration, follow us on our social networks to keep up-to-date