Apache HTTP Server 2.4.28 发布了,这是一个包含重要安全更新和 Bug 修复的版本。
下载地址:http://httpd.apache.org/download.cgi
安全方面的问题修复描述:
SECURITY: CVE-2017-9798 (cve.mitre.org) Corrupted or freed memory access.or the RegisterHttpMethod directive must be given in the startup configuration (httpd.conf) to register non-standard HTTP methods before listing them in an .htaccess files.
完整的改进记录包括:
*) SECURITY: CVE-2017-9798 (cve.mitre.org) Corrupted or freed memory access.must now be used in the main configuration file (httpd.conf) to register HTTP methods before the .htaccess files. [Yann Ylavic] *) event: Avoid possible blocking in the listener thread when shutting down connections. PR 60956. [Yann Ylavic] *) mod_speling: Don't embed referer data in a link in error page. PR 38923 [Nick Kew] *) htdigest: prevent a buffer overflow when a string exceeds the allowed max length in a password file. [Luca Toscano, Hanno B枚ck] *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25). [Jim Jagielski] *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically. PR 61142. *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond), 's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski] *) mod_http2: Fix for stalling when more than 32KB are written to a suspended stream. [Stefan Eissing] *) build: allow configuration without APR sources. [Jacob Champion] *) mod_ssl, ab: Fix compatibility with LibreSSL. PR 61184. [Bernard Spil, Michael Schlenker, Yann Ylavic] *) core/log: Support use of optional "tag" in syslog entries. PR 60525. [Ben Rubson, Jim Jagielski] *) mod_proxy: Fix ProxyAddHeaders merging. [Joe Orton] *) core: Disallow multiple Listen on the same IP:port when listener buckets are configured (ListenCoresBucketsRatio > 0), consistently with the single bucket case (default), thus avoiding the leak of the corresponding socket descriptors on graceful restart. [Yann Ylavic] *) event: Avoid listener periodic wake ups by using the pollset wake-ability when available. PR 57399. [Yann Ylavic, Luca Toscano] *) mod_proxy_wstunnel: Fix detection of unresponded request which could have led to spurious HTTP 502 error messages sent on upgrade connections. PR 61283. [Yann Ylavic]
转自 http://www.oschina.net/news/89319/apache-http-server-2-4-28