Apache HTTP Server 2.0.64 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.0.64 of the Apache HTTP Server ("Apache"). This version of Apache is a bug and security fix release, covering a number of issues addressed previously in stable released versions;

• CVE-2010-1452: mod_dav: Fix Handling of requests without a path segment.
• CVE-2009-1891: Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects.
• CVE-2009-3095: mod_proxy_ftp: sanity check authn credentials.
• CVE-2009-3094: mod_proxy_ftp: NULL pointer dereference on error paths.
• CVE-2009-3555: mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol, RFC 5746.
  
  mod_ssl: A partial fix for the TLS renegotiation prefix injection attack for OpenSSL versions prior to 0.9.8l; reject any client-initiated renegotiations. Forcibly disable keepalive for the connection if there is any buffered data readable. Any configuration which requires renegotiation for per-directory/location access control is still vulnerable, unless using openssl 0.9.8l or later.
• CVE-2010-0434: Ensure each subrequest has a shallow copy of headers_in so that the parent request headers are not corrupted. Elimiates a problematic optimization in the case of no request body.
• CVE-2008-2364: mod_proxy_http: Better handling of excessive interim responses from origin server to prevent potential denial of service and high memory usage.
• CVE-2010-0425: mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers.
• CVE-2008-2939: mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of the FTP URL.

and includes security fixes of the APR and APR-util 0.9.19 dependencies;

• CVE-2010-1623: Fix a denial of service attack against apr_brigade_split_line().
• CVE-2009-3560, CVE-2009-3720: Fix two buffer over-read flaws in the bundled copy of expat which could cause applications to crash while parsing specially-crafted XML documents.
• CVE-2009-2412: Fix overflow in rmm, where size alignment was taking place.

Please see the CHANGES_2.0.64 file in this directory for a full list of changes for this version.

This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of the legacy Apache 2.0 available, and encourage users of all prior versions to upgrade to no less than this release. The Apache HTTP Project developers strongly encourages all users to migrate to Apache 2.2, as only limited and less frequent maintenance is performed on this legacy flavor.

This release includes the Apache Portable Runtime library suite release version 0.9.19, bundled with the tar and zip distributions. These libraries; libapr, libaprutil, and on Win32, libapriconv must all be updated to ensure binary compatibility and address many known platform bugs.

Apache HTTP Server 2.0.64 and the recommended 2.2 release are available for download from;

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes. A condensed list, CHANGES_2.0.64 provides the complete list of changes since 2.0.63.