* SECURITY: CVE-2011-1928 (cve.mitre.org)

A fix in bundled APR 1.4.4 apr_fnmatch() to address CVE-2011-0419

introduced a new vulnerability.  httpd workers enter a hung state

(100% cpu utilization) after updating to APR 1.4.4.  Upgrading to

APR 1.4.5 bundled with the httpd 2.2.19 package, or using APR 1.4.3

or prior with the ‘IgnoreClient’ option of the ‘IndexOptions’

directive will circumvent both issues.

* httpd 2.2.18: The ap_unescape_url_keep2f() function signature was

inadvertantly changed. This breaks binary compatibility of a number

of third-party modules.  This httpd-2.2.19 package restores the

function signature provided by 2.2.17 and prior.

They consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

The Apache Software Foundation and the Apache HTTP Server Project have announced the release of version 2.3.11-beta of the Apache HTTP Server (“Apache”).

This version of Apache is the initial Beta release of Apache httpd 2.4 to test new technology and features that are incompatible or too large for the stable 2.2.x branch. This Beta release should not be presumed to be compatible with binaries built against any prior or future version, although, as a Beta, the API is in a semi-frozen state.

Apache 2.3 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase.

This release includes the Apache Portable Runtime (APR) version 1.4.2 and APR-Util version 1.3.10 in a separate -deps tarball.  The APR libraries must be upgraded for all features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API.  Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.3, and require minimal or no source code changes.

Based on user and developer feedback, the next release of the next-gen version of Apache httpd will likely be the first beta. The hope and expectation is to push for a quick beta cycle and a 2.4.0 GA release around the beginning of 2011.

libapreq2-2.13 is released under the Apache License version 2.0.  It is now available through the ASF mirrors  http://httpd.apache.org/apreq/download.cgi

and has entered the CPAN as  file: $CPAN/authors/id/I/IS/ISAAC/libapreq2-2.13.tar.gz

size: 891320 bytes

md5: c11fb0861aa84dcc6cd0f0798b045eee

libapreq2 is an APR-based shared library used for parsing HTTP cookies, query-strings and POST data.  This package provides

1) version 2.8.0 of the libapreq2 library,

2) mod_apreq2, a filter module necessary for using libapreq2 within the Apache HTTP Server,

3) the Apache2::Request, Apache2::Cookie, and Apache2::Upload perl modules for using libapreq2 with mod_perl2.

A fix is included for CVE-2010-3872, a potential vulnerability which can affect sites with untrusted FastCGI applications.

Additionally, default configuration settings for request body handling have been changed to prevent large system resource use.  Administrators of all versions of mod_fcgid are strongly cautioned to ensure that

FcgidMaxRequestLen is configured appropriately.

mod_fcgid is available for download from:  http://httpd.apache.org/download.cgi

A full list of changes in this release follows:

*) SECURITY: CVE-2010-3872 (cve.mitre.org) Fix possible stack buffer overwrite.  Diagnosed by the reporter. PR 49406.  [Edgar Frank <ef-lists email.de>]

*) Change the default for FcgidMaxRequestLen from 1GB to 128K. Administrators should change this to an appropriate value based on site requirements.  [Jeff Trawick]

*) Allow FastCGI apps more time to exit at shutdown before being forcefully killed.  [Jeff Trawick]

*) Correct a problem that resulted in FcgidMaxProcesses being ignored in some situations.  PR 48981.  [<rkosolapov gmail.com>]

*) Fix the search for processes with the proper vhost config when ServerName isn’t set in every vhost or a module updates

r->server->server_hostname dynamically (e.g., mod_vhost_cdb) or a module updates r->server dynamically (e.g., mod_vhost_ldap).

[Jeff Trawick]

*) FcgidPassHeader now maps header names to environment variable names in the usual manner: The header name is converted to upper case and

is prefixed with HTTP_.  An additional environment variable is created with the legacy name.  PR 48964.  [Jeff Trawick]

*) Allow processes to be reused within multiple phases of a request by releasing them into the free list as soon as possible.

[Chris Darroch]

*) Fix lookup of process command lines when using FcgidWrapper or access control directives, including within .htaccess files.

[Chris Darroch]

*) Resolve a regression in 2.3.5 with httpd 2.0.x on some Unix platforms; ownership of mutex files was incorrect, resulting in a startup failure.

PR 48651.  [Jeff Trawick, <pservit gmail.com>]

*) Return 500 instead of segfaulting when the application returns no output. [Tatsuki Sugiura <sugi nemui.org>, Jeff Trawick]

*) In FCGI_AUTHORIZER role, avoid spawning a new process for every different HTTP request.  [Chris Darroch]

from the download page.  The Apache HTTP Project developers strongly encourage all users to migrate to Apache 2.2, as only limited and less frequent maintenance is provided for legacy versions.

Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase.  For an overview of new features introduced since 2.0 please see:

http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes.  A condensed list, CHANGES_2.2.17 provides the complete list of changes since 2.2.16.  A summary of all of the security vulnerabilities addressed in this and earlier releases is available:

http://httpd.apache.org/security/vulnerabilities_22.html

This release includes the Apache Portable Runtime (APR) version 1.4.2 and APR Utility Library (APR-util) version 1.3.10, bundled with the tar and zip distributions.  The APR libraries libapr and libaprutil (and on Win32,  libapriconv version 1.2.1) must all be updated to ensure binary compatibility and address many known security and platform bugs.

This release builds on and extends the Apache 2.0 API.  Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, and require minimal or no source code changes.

When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.

* SECURITY: CVE-2010-1623 (cve.mitre.org)

Fix a denial of service attack against apr_brigade_split_line().

* SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)

Fix two buffer over-read flaws in the bundled copy of expat which could cause httpd to crash while parsing specially-crafted XML documents.

It is considered to be the best version of Apache available, and they encourage users of all prior versions to upgrade.

Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase.  For an overview of new features introduced since 2.0 please see:

http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes.  A condensed list, CHANGES_2.2.17 provides the complete list of changes since 2.2.16.  A summary of all of the security

vulnerabilities addressed in this and earlier releases is available:

http://httpd.apache.org/security/vulnerabilities_22.html

This release includes the Apache Portable Runtime (APR) version 1.4.2 and APR Utility Library (APR-util) version 1.3.10, bundled with the tar and zip distributions.  The APR libraries libapr and libaprutil (and on Win32, libapriconv version 1.2.1) must all be updated to ensure binary compatibility and address many known security and platform bugs.

This release builds on and extends the Apache 2.0 API.  Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, and require minimal or no source code changes.

When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be

using (and the libraries they depend on) are thread-safe.

1.2.3.4 – - [20/Aug/2010:10:20:15 +0100] “GET /verify-AUP?aHR0cDovL3d3dy5sb2FuZmluZGVyLmNvLnVrL2NvbnRhY3QtdXM= HTTP/1.1″ 200 3752 “-” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)”

It is from a mis-configured proxy server from ProxySG – see http://techlabs.bluecoat.com/policy/ and nothing you can do about it.

/verify-Compliance_Page

/verify-AUP

/notified-Compliance_Page

/notified-AUP

/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=8164&STRMVER=4&CAPREQ=0

it is because someone has Microsoft Office installed, and the discussion bar turned on in Internet Explorer, which is querying your server to see whether it supports web discussions (which it probably doesn’t).

Options are:

ServerTokens Prod[uctOnly]
Server sends (e.g.):
Server: Apache

ServerTokens Major
Server sends (e.g.):
Server: Apache/2

ServerTokens Minor
Server sends (e.g.):
Server: Apache/2.0

ServerTokens Min[imal]
Server sends (e.g.):
Server: Apache/2.0.41

ServerTokens OS
Server sends (e.g.):
Server: Apache/2.0.41 (Unix)

ServerTokens Full (or not specified)
Server sends (e.g.):
Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

This setting applies to the entire server, and cannot be enabled or disabled on a virtualhost-by-virtualhost basis.

After version 2.0.44, this directive also controls the information presented by the ServerSignature directive.

This is what you would get as the response headers from a server without the ServerTokens set:

Date: Thu, 19 Aug 2010 08:58:08 GMT
Server: Apache/2.2.8 (CentOS) DAV/2 PHP/5.2.10 mod_python/3.2.8
     Python/2.4.3 mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5
     mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.2.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate,
     post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 4896
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

and the same from a server with the ServerTokens set to Prod:

Date: Thu, 19 Aug 2010 08:58:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate,
     post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 4896
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8