Cambios Apache 2.2.22
Páginas: 33 (8046 palabras)
Publicado: 10 de agosto de 2012
-*- coding: utf-8 -*-
Changes with Apache 2.2.22
*) SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
some reverse proxy configurations. [Joe Orton]
*) SECURITY: CVE-2011-3607 (cve.mitre.org)
Fix integer overflow in ap_pregsub() which, when themod_setenvif module
is enabled, could allow local users to gain privileges via a .htaccess
file. [Stefan Fritsch, Greg Ames]
*) SECURITY: CVE-2011-4317 (cve.mitre.org)
Resolve additional cases of URL rewriting with ProxyPassMatch or
RewriteRule, where particular request-URIs could result in undesired
backend network exposure in some configurations.
[JoeOrton]
*) SECURITY: CVE-2012-0021 (cve.mitre.org)
mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
string is in use and a client sends a nameless, valueless cookie, causing
a denial of service. The issue existed since version 2.2.17. PR 52256.
[Rainer Canavan ]
*) SECURITY: CVE-2012-0031 (cve.mitre.org)
Fix scoreboard issue which couldallow an unprivileged child process
could cause the parent to crash at shutdown rather than terminate
cleanly. [Joe Orton]
*) SECURITY: CVE-2012-0053 (cve.mitre.org)
Fix an issue in error responses that could expose "httpOnly" cookies
when no custom ErrorDocument is specified for status code 400.
[Eric Covener]
*) mod_proxy_ajp: Try to prevent a singlelong request from marking a worker
in error. [Jean-Frederic Clere]
*) config: Update the default mod_ssl configuration: Disable SSLv2, only
allow >= 128bit ciphers, add commented example for speed optimized cipher
list, limit MSIE workaround to MSIE process->pool, which
isn't destroyed by exiting child processes in most multi-process MPMs.
PR 39985. [Chris Darroch,Nick Kew]
*) mod_dbd: Handle error conditions in dbd_construct() properly.
Simplify ap_dbd_open() and use correct arguments to apr_dbd_error()
when non-threaded. Register correct cleanup data in non-threaded
ap_dbd_acquire() and ap_dbd_cacquire(). Clean up configuration data
and merge function. Use ap_log_error() wherever possible.
[Chris Darroch, Nick Kew]*) mod_dbd: Stash DBD connections in request_config of initial request
only, or else sub-requests and internal redirections may cause
entire DBD pool to be stashed in a single HTTP request. [Chris Darroch]
*) main core: Emit errors during the initial apr_app_initialize()
or apr_pool_create() (when apr-based error reporting is not ready).
[William Rowe, JeffTrawick]
*) log core: fix the new piped logger case where we couldn't connect
the replacement stderr logger's stderr to the NULL stdout stream.
Continue in this case, since the previous alternative of no error
logging at all (/dev/null) is far worse. [William Rowe]
*) mpm_winnt: Prevent the parent-child pipe from leaking into other
spawned processes, and ensure we havea /Device/null handle for
stdout when running as-a-service. [William Rowe]
*) mod_ldap: Avoid possible crashes, hangs, and busy loops due to
improper merging of the cache lock in vhost config
PR 43164 [Eric Covener]
*) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]
*) mod_deflate: fix protocol handling in deflate input filter
PR 23287 [Nick Kew]*) mime.types: add Registered Javascript/ECMAScript MIME types (RFC4329)
PR 40299 [Dave Hodder ]
*) mod_filter: fix integer comparisons in dispatch rules
PR 41835 [Nick Kew]
*) mod_filter: fix merging of ! and = in FilterChain
PR 42186 [Issac Goldstand ]
*) mod_deflate: don't try to process metadata buckets as data. what should
have been a 413 error...
Changes with Apache 2.2.22
*) SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
some reverse proxy configurations. [Joe Orton]
*) SECURITY: CVE-2011-3607 (cve.mitre.org)
Fix integer overflow in ap_pregsub() which, when themod_setenvif module
is enabled, could allow local users to gain privileges via a .htaccess
file. [Stefan Fritsch, Greg Ames]
*) SECURITY: CVE-2011-4317 (cve.mitre.org)
Resolve additional cases of URL rewriting with ProxyPassMatch or
RewriteRule, where particular request-URIs could result in undesired
backend network exposure in some configurations.
[JoeOrton]
*) SECURITY: CVE-2012-0021 (cve.mitre.org)
mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
string is in use and a client sends a nameless, valueless cookie, causing
a denial of service. The issue existed since version 2.2.17. PR 52256.
[Rainer Canavan ]
*) SECURITY: CVE-2012-0031 (cve.mitre.org)
Fix scoreboard issue which couldallow an unprivileged child process
could cause the parent to crash at shutdown rather than terminate
cleanly. [Joe Orton]
*) SECURITY: CVE-2012-0053 (cve.mitre.org)
Fix an issue in error responses that could expose "httpOnly" cookies
when no custom ErrorDocument is specified for status code 400.
[Eric Covener]
*) mod_proxy_ajp: Try to prevent a singlelong request from marking a worker
in error. [Jean-Frederic Clere]
*) config: Update the default mod_ssl configuration: Disable SSLv2, only
allow >= 128bit ciphers, add commented example for speed optimized cipher
list, limit MSIE workaround to MSIE process->pool, which
isn't destroyed by exiting child processes in most multi-process MPMs.
PR 39985. [Chris Darroch,Nick Kew]
*) mod_dbd: Handle error conditions in dbd_construct() properly.
Simplify ap_dbd_open() and use correct arguments to apr_dbd_error()
when non-threaded. Register correct cleanup data in non-threaded
ap_dbd_acquire() and ap_dbd_cacquire(). Clean up configuration data
and merge function. Use ap_log_error() wherever possible.
[Chris Darroch, Nick Kew]*) mod_dbd: Stash DBD connections in request_config of initial request
only, or else sub-requests and internal redirections may cause
entire DBD pool to be stashed in a single HTTP request. [Chris Darroch]
*) main core: Emit errors during the initial apr_app_initialize()
or apr_pool_create() (when apr-based error reporting is not ready).
[William Rowe, JeffTrawick]
*) log core: fix the new piped logger case where we couldn't connect
the replacement stderr logger's stderr to the NULL stdout stream.
Continue in this case, since the previous alternative of no error
logging at all (/dev/null) is far worse. [William Rowe]
*) mpm_winnt: Prevent the parent-child pipe from leaking into other
spawned processes, and ensure we havea /Device/null handle for
stdout when running as-a-service. [William Rowe]
*) mod_ldap: Avoid possible crashes, hangs, and busy loops due to
improper merging of the cache lock in vhost config
PR 43164 [Eric Covener]
*) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]
*) mod_deflate: fix protocol handling in deflate input filter
PR 23287 [Nick Kew]*) mime.types: add Registered Javascript/ECMAScript MIME types (RFC4329)
PR 40299 [Dave Hodder ]
*) mod_filter: fix integer comparisons in dispatch rules
PR 41835 [Nick Kew]
*) mod_filter: fix merging of ! and = in FilterChain
PR 42186 [Issac Goldstand ]
*) mod_deflate: don't try to process metadata buckets as data. what should
have been a 413 error...
Leer documento completo
Regístrate para leer el documento completo.