Download Apache 1.3.33

The day before yesterday, the developers of the Apache HTTP Server Project released version 1.3.33 of this well-known web server. In addition to the necessary bug fixes, this version also contains two security vulnerabilities. The changelog announces the following changes:

Security vulnerabilities
The main security vulnerabilities addressed in 1.3.33 are:

• CAN-2004-0940 (cve.mitre.org)
  Fix potential buffer overflow with escaped characters in SSI tag string.
• CAN-2004-0492 (cve.mitre.org)
  Reject responses from a remote server if sent an invalid (negative) Content-Length.

New features
New features that relate to specific platforms:

• Win32: Improve error reporting after a failed attempt to spawn a piped log process or rewrite map process.

New features that relate to specific platforms:

• Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT. It controls how UseCanonicalName Off determines the port value if the client doesn’t provide one in the Host header. If defined during compilation, UseCanonicalName Off will use the physical port number to generate the canonical name. If not defined, it tries the current Port value followed by the default port for the current scheme.

Bug fixed
The following bugs were found in Apache 1.3.31 (or earlier) and have been fixed in Apache 1.3.33:

mod_rewrite: Fix query string handling for proxy URLs. PR 14518.
• mod_rewrite: Fix 0 bytes write into random memory position. PR 31036.
• mod_digest: Fix nonce string calculation since 1.3.31 which would force re-authentication for every connection if AuthDigestRealmSeed was not configured. PR 30920.
• Fix trivial bug in mod_log_forensic that caused the child to seg fault when certain invalid requests were fired at it with forensic logging is enabled. PR 29313.
• No longer breaks mod_dav, frontpage and others. Repair a patch in 1.3.31 which prevented discarding the request body for requests that will be keptalive but are not currently keptalive. PR 29237.