新版本主要是做了安全上的一些改进, 修改了一些潜在的安全威胁.
Apache提到主要有以下几点:
CAN-2005-2088 (cve.mitre.org)
core: If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length.
proxy_http: Correctly handle the Transfer-Encoding and Content-Length request headers. Discard the request Content-Length whenever chunked T-E is used, always passing one of either C-L or T-E chunked whenever the request includes a request body.
Unassigned
proxy_http: If a response contains both Transfer-Encoding and a Content-Length, remove the Content-Length and don't reuse the connection.
CAN-2005-2700 (cve.mitre.org)
mod_ssl: Fix a security issue where "SSLVerifyClient" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the vhost configuration.
CAN-2005-2491 (cve.mitre.org)
pcre: Fix integer overflows in PCRE in quantifier parsing which could be triggered by a local user through use of a carefully crafted regex in an .htaccess file.
CAN-2005-2728 (cve.mitre.org)
Fix cases where the byterange filter would buffer responses into memory.
CAN-2005-1268 (cve.mitre.org)
mod_ssl: Fix off-by-one overflow whilst printing CRL information at "LogLevel debug" which could be triggered if configured to use a "malicious" CRL.
下载最新版本:
http://httpd.apache.org/download.cgi
标签: