Download Apache 1.3.31
The Apache HTTP Server Project recently released a new version of its Apache web server. The release is part of the 1.3.x series and contains a number of bug and security fixes. One version number was skipped, which is why this release is numbered 1.3.31. The release notes read as follows:
The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 1.3.31 of the Apache HTTP Server (“Apache”). This Announcement notes the significant changes in 1.3.31 as compared to 1.3.29 (1.3.30 was not released).
This version of Apache is principally a bug and security fix release. A partial summary of the bug fixes is given at the end of this document. A full listing of changes can be found in the CHANGES file. Of particular note is that 1.3.31 addresses and fixes 4 potential security issues:
- CAN-2003-0987 (cve.mitre.org)
  In mod_digest, verify whether the nonce returned in the client response is one we issued ourselves. This problem does not affect mod_auth_digest.
- CAN-2003-0020 (cve.mitre.org)
  Escape arbitrary data before writing into the error log.
- CAN-2004-0174 (cve.mitre.org)
  Fix starvation issue on listening sockets where a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket.
- CAN-2003-0993 (cve.mitre.org)
  Fix parsing of Allow/Deny rules using IP addresses without a netmask; issue is only known to affect big-endian 64-bit platforms.
New features that relate to specific platforms:
- Linux 2.4+: If Apache is started as root and you code CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
- Add mod_whatkilledus and mod_backtrace (experimental) for reporting diagnostic information after a child process crash.
- Add fatal exception hook for running diagnostic code after a crash.
- Forensic logging module added (mod_log_forensic)
- ‘%X’ is now accepted as an alias for ‘%c’ in the LogFormat directive. This allows you to configure logging to still log the connection status even with mod_ssl
The following bugs were found in Apache 1.3.29 (or earlier) and have been fixed in Apache 1.3.31:
- Fix memory corruption problem with ap_custom_response() function. The core per-dir config would later point to request pool data that would be reused for different purposes on different requests.
- mod_usertrack no longer inspects the Cookie2 header for the cookie name. It also no longer overwrites other cookies.
- Fix bug causing core dump when using CookieTracking without specifying a CookieName directly.
- UseCanonicalName off was ignoring the client provided port information.
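The CAN-2003-0020 entry above concerns escaping client-supplied data before it is written to the error log. The following is an added illustration of that kind of escaping, not code from Apache or from the announcement; the function name `escape_log_item`, the `\xHH` output form and the sample request string are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Apache's function: copy src into dst, rewriting
 * bytes that could change how a log line is displayed or parsed. Returns the
 * escaped length, or (size_t)-1 if dst is too small (dst stays terminated). */
size_t escape_log_item(char *dst, size_t dstlen, const char *src)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (dstlen == 0)
        return (size_t)-1;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        const char *two = NULL;
        if (c == '\n') two = "\\n";          /* short forms for common bytes */
        else if (c == '\r') two = "\\r";
        else if (c == '\t') two = "\\t";
        else if (c == '\\') two = "\\\\";    /* keep the escaping unambiguous */
        if (two != NULL) {
            if (o + 2 >= dstlen) goto truncated;
            dst[o++] = two[0];
            dst[o++] = two[1];
        } else if (c < 0x20 || c >= 0x7f) {  /* control and 8-bit bytes */
            if (o + 4 >= dstlen) goto truncated;
            dst[o++] = '\\';
            dst[o++] = 'x';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= dstlen) goto truncated;
            dst[o++] = (char)c;
        }
    }
    dst[o] = '\0';
    return o;
truncated:
    dst[o] = '\0';
    return (size_t)-1;
}

int main(void)
{
    /* Constructed input: terminal escape sequence plus a forged log line. */
    char safe[128];
    if (escape_log_item(safe, sizeof safe, "GET /\x1b[2J\r\n[error] forged") != (size_t)-1)
        fprintf(stderr, "[error] client sent: %s\n", safe);
    return 0;
}
```

With the escaping applied, the constructed request is logged as a single line of printable ASCII, so neither the terminal control sequence nor the embedded line break reaches whoever views the log.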
The following downloads are ready:
Unix source: tar.gz † tar.Z
Win32 binary
Version number | 1.3.31 |
Operating systems | Windows 9x, Windows NT, Windows 2000, Linux, Windows XP, Windows Server 2003 |
Website | Apache |
License type | GPL |