The Apache Software Foundation and the Apache HTTP Server Project have announced the release of version 2.3.8-alpha of the Apache HTTP Server (“Apache”).

This version of Apache is principally an alpha release to test new technology and features that are incompatible or too large for the stable 2.2.x branch.

This alpha release should not be presumed to be compatible with binaries built against any prior or future version.

This release is expected to be the last alpha release; subsequent releases will be beta releases as we move towards 2.4.0-GA.

Apache HTTP Server 2.3.8-alpha is available for download from:  http://httpd.apache.org/download.cgi

Apache 2.3 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase.

For an overview of new features introduced since 2.3 please see:  http://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.3 file, linked from the download page, for a full list of changes.

This release includes the Apache Portable Runtime (APR) version 1.4.2 and APR-Util version 1.3.9 in a separate -deps tarball.  The APR libraries must be upgraded for all features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API.  Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.3, and require minimal or no source code changes.

1.2.3.4 – - [20/Aug/2010:10:20:15 +0100] “GET /verify-AUP?aHR0cDovL3d3dy5sb2FuZmluZGVyLmNvLnVrL2NvbnRhY3QtdXM= HTTP/1.1″ 200 3752 “-” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)”

It is from a mis-configured proxy server from ProxySG – see http://techlabs.bluecoat.com/policy/ and nothing you can do about it.

/verify-Compliance_Page

/verify-AUP

/notified-Compliance_Page

/notified-AUP

/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=8164&STRMVER=4&CAPREQ=0

it is because someone has Microsoft Office installed, and the discussion bar turned on in Internet Explorer, which is querying your server to see whether it supports web discussions (which it probably doesn’t).

Options are:

ServerTokens Prod[uctOnly]
Server sends (e.g.):
Server: Apache

ServerTokens Major
Server sends (e.g.):
Server: Apache/2

ServerTokens Minor
Server sends (e.g.):
Server: Apache/2.0

ServerTokens Min[imal]
Server sends (e.g.):
Server: Apache/2.0.41

ServerTokens OS
Server sends (e.g.):
Server: Apache/2.0.41 (Unix)

ServerTokens Full (or not specified)
Server sends (e.g.):
Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

This setting applies to the entire server, and cannot be enabled or disabled on a virtualhost-by-virtualhost basis.

After version 2.0.44, this directive also controls the information presented by the ServerSignature directive.

This is what you would get as the response headers from a server without the ServerTokens set:

Date: Thu, 19 Aug 2010 08:58:08 GMT
Server: Apache/2.2.8 (CentOS) DAV/2 PHP/5.2.10 mod_python/3.2.8
     Python/2.4.3 mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5
     mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.2.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate,
     post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 4896
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

and the same from a server with the ServerTokens set to Prod:

Date: Thu, 19 Aug 2010 08:58:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate,
     post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 4896
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

The Apache Software Foundation and the Apache HTTP Server Project have announced the release of version 2.3.6-alpha of the Apache HTTP Server (“Apache”).

This version of Apache is principally an alpha release to test new technology and features that are incompatible or too large for the stable 2.2.x branch. This alpha release should not be presumed to be compatible with binaries built against any prior or future version.

Apache HTTP Server 2.3.6-alpha is available for download from:  http://httpd.apache.org/download.cgi

Apache 2.3 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase.

For an overview of new features introduced since 2.3 please see:

http://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.3 file, linked from the download page, for a full list of changes.

This release includes the Apache Portable Runtime (APR) version 1.4.2 and APR-Util version 1.3.9 in a separate -deps tarball.  The APR libraries must be upgraded for all features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API.  Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.3, and require minimal or no source code changes.

Notably, this release was updated to reflect the OpenSSL Project’s release 0.9.8m of the openssl library, and addresses CVE-2009-3555
(cve.mitre.org), the TLS renegotiation prefix injection attack. This release further addresses the issues CVE-2010-0408, CVE-2010-0425 and CVE-2010-0434 within mod_proxy_ajp, mod_isapi and mod_headers respectively.

There will be no more full releases of Apache HTTP Server 1.3.

However, critical security updates may be made available from the following website: http://www.apache.org/dist/httpd/patches/

This version of Apache is is principally a bug and security fix release.

The following moderate security flaw has been addressed:

* CVE-2010-0010 (cve.mitre.org)

mod_proxy: Prevent chunk-size integer overflow on platforms where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.

Apache 1.3.42 is the final stable release of the Apache 1.3 family. We strongly recommend that users of all earlier versions, including 1.3 family releases, upgrade to to the current 2.2 version as soon as possible.

For information about how to upgrade, please see the documentation:  http://httpd.apache.org/docs/2.2/upgrading.html

Apache 1.3.42 is available for download from http://httpd.apache.org/download.cgi

Apache 1.3.42 Major changes

Security vulnerabilities

The main security vulnerabilities addressed in 1.3.42 are:

• SECURITY: CVE-2010-0010 (cve.mitre.org) mod_proxy: Prevent chunk-size integer overflow on platforms where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.

Bugfixes addressed in 1.3.42 are:

• Protect logresolve from mismanaged DNS records that return blank/null hostnames.

Apache HTTP Server 2.3.5-alpha is available for download from:  http://httpd.apache.org/download.cgi

Apache 2.3 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase.  For an overview of new features introduced since 2.3 please see:  http://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.3 file, linked from the download page, for a full list of changes.

This release includes the Apache Portable Runtime (APR) version 1.4.2 and APR-Util version 1.3.9 in a separate -deps tarball.  The APR libraries must be upgraded for all features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API.  Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.3, and require minimal or no source code changes.

Your httpd.conf file should look something like this:

#
# Don't give away too much information about all the subcomponents
# we are running.  Comment out this line if you don't mind remote sites
# finding out what major optional modules you are running
ServerTokens OS

Change it to look like this

#
# Don't give away too much information about all the subcomponents
# we are running.  Comment out this line if you don't mind remote sites
# finding out what major optional modules you are running
ServerTokens Prod

ServerTokens

This directive controls whether Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.

ServerTokens Prod[uctOnly]
Server sends (e.g.):
Server:       Apache

ServerTokens Min[imal]
Server sends (e.g.):
Server:       Apache/1.3.0

ServerTokens OS
Server sends (e.g.):
Server: Apache/1.3.0       (Unix)

ServerTokens Full (or not specified)
Server sends (e.g.):
Server: Apache/1.3.0       (Unix) PHP/3.0 MyMod/1.2

Notes

This setting applies to the entire server, and cannot be enabled or disabled on a virtualhost-by-virtualhost basis.

ServerTokens is only available in Apache 1.3 and later; the ProductOnly keyword is only available in versions later than 1.3.12