Download Apache 1.3.35, 2.0.58 and 2.2.2

The Apache HTTP Server Project development team has released a new version of their HTTP server software in the 1.3, 2.0 and 2.2 series. This web server is used on many platforms and can be provided with all kinds of functionalities with the help of modules. For more information about the changes, please refer to the separate release announcements 1.3.35, 2.0.58 and 2.2.2. Below we have listed the changelogs of the three versions for your convenience:

Changes with Apache 1.3.35

• SECURITY: CVE-2005-3352 (cve.mitre.org) mod_imap: Escape untrusted referer header before outputting in HTML to avoid potential cross-site scripting. Change also made to ap_escape_html so we escape quotes. Reported by JPCERT.
• core: Allow usage of the “Include” configuration directive within previously “Include”d files.
• HTML escape the Expect error message. Not classified as security as an attacker has no way to influence the Expect header a victim will send to a target site. Reported by Thiago Zaninotti .
• mod_cgi: Remove block on OPTIONS method so that scripts can respond to OPTIONS directly rather than via server default.

Changes with Apache 2.0.58 since 2.0.55

• SECURITY: CVE-2005-3357 (cve.mitre.org) mod_ssl: Fix a possible crash during access control checks if a non-SSL request is processed for an SSL vhost (such as the “HTTP request received on SSL port” error message when an 400 ErrorDocument is configured, or if using “SSLEngine optional”). PR 37791.
• SECURITY: CVE-2005-3352 (cve.mitre.org) mod_imap: Escape untrusted referer header before outputting in HTML to avoid potential cross-site scripting. Change also made to ap_escape_html so we escape quotes. Reported by JPCERT.
• Legal: Restored original years in copyright notices.
• mod_cgid: run the get_suexec_identity hook within the request-handler instead of within cgid. PR 36410.
• core: Prevent read of unitialized memory in ap_rgetline_core. PR 39282.
• mod_proxy: Report the proxy server name correctly in the “Via:” header, when UseCanonicalName is Off. PR 11971.
• mod_isapi: Various trivial code-fixes to permit mod_isapi to load and run on Unix.
• HTML escape the Expect error message. Not classified as security as an attacker has no way to influence the Expect header a victim will send to a target site. Reported by Thiago Zaninotti .
• Add APR/APR-Util Compiled and Runtime Version numbers to the output of ‘httpd -V’.
• Ensure that the proper status line is written to the client, fixing incorrect status lines caused by filters which modify r->status without resetting r->status_line, such as the built-in byterange filter.
• Default handler: Don’t return output filter apr_status_t values. PR 31759.
• mod_speling: Stop crashing with certain non-file requests.
• keep the Content-Length header for a HEAD with no response body. PR 18757
• Modify April[util] .h detection to avoid breakage on VPATH builds using Solaris make (amoung others) and avoid breakage in ./buildconf when srclib/apr[-util] are symlinks rather than directories proper.
• Avoid server-driven negotiation when a CGI script has emitted an explicit “Status:” header. PR 38070.
• mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o format is used. PR 27787.
• mod_cgid: Refuse to work on Solaris 10 due to OS bugs. PR 34264.
• mod_cache: Correctly handle responses with a 301 status. PR 37347.
• mod_proxy_http: Prevent data corruption of POST request bodies when client accesses proxied resources with SSL. PR 37145.
• Eliminated the NET_TIME filter, restructuring the timeout logic. This provides a working mod_echo on all platforms, and ensures any custom protocol module is at least given an initial timeout value based on the context’s Timeout directive.
• mod_ssl: Correct issue where mod_ssl does not pick up the ssl-unclean-shutdown setting when configured. PR 34452.
• Document the ReceiveBufferSize change done in r157583.
• mod_deflate: Merge the Vary header, instead of Setting it. Fixes applications that send the Vary Header themselves. PR 37559.
• mod_dav: Fix a null pointer dereference in an error code path during the handling of MKCOL.
• mod_mime_magic: Handle CRLF-format magic files so that it works with the default installation on Windows.
• Write message to error log if AuthGroupFile cannot be opened. PR 37566.
• Add ReceiveBufferSize directive to control the TCP receive buffer.
• mod_cache: Fix ‘Vary: *’ behavior to be RFC compliant. PR 16125.
• Remove the base href tag from proxy_ftp, as it breaks relative links for clients not using an Authorization header.
• http_request.c: Add missing va_end call.
• Add httxt2dbm to support/ for creating RewriteMap DBM Files.
• support/check_forensic: Fix temp file usage
• Chunk filter: Fix chunk filter to create correct chunks in the case that a flush bucket is surrounded by data buckets.
• mod_cgi(d): Remove block on OPTIONS method so that scripts can respond to OPTIONS directly rather than via server default.
• Added new module mod_version, which provides version dependent configuration containers.
• Add core version query function (ap_get_server_revision) and accompanying ap_version_t structure (minor MMN bump).

Changes with Apache 2.2.2

• mod_deflate: work correctly in an internal redirect
• mod_proxy_balancer: Initialize members of a balancer correctly. PR 38227.
• mod_proxy: Do not release connections from connection pool twice. PR 38793.
• core: Prevent reading uninitialized memory while reading a line of protocol input. PR 39282.
• mod_dbd: Update defaults, improve error reporting.
• mod_dbd: Create own pool and mutex to avoid problem use of process pool in request processing.
• HTML escape the Expect error message. Not classified as security as an attacker has no way to influence the Expect header a victim will send to a target site. Reported by Thiago Zaninotti .
• htdbm: Fix crash processing -d option in 64-bit mode on HP-UX.
• htdbm: Warn the user when adding a plaintext password on a platform where it wouldn’t work with the server (ie, anywhere that has crypt()).
• mod_proxy: don’t reuse a connection that may be to the wrong backend PR 39253
• Default handler: Don’t return output filter apr_status_t values. PR 31759.

[break]