
Apache HTTP Server 2.4.10 Released

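Published: 2014-07-20 09:13:23  Source: 红联  Author: empast
Apache 2.4.10 has been released. This version fixes several security vulnerabilities; new features include proxy FCGI and websocket enhancements, Unix Domain Socket support for mod_proxy backends, and mod_lua and mod_ssl enhancements.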

Fixed bugs include:

CVE-2014-0117 mod_proxy: Fix crash in Connection header handling which allowed a denial of service attack against a reverse proxy with a threaded MPM.

CVE-2014-3523 Fix a memory consumption denial of service in the WinNT MPM (used in all Windows installations). Workaround: AcceptFilter {none|connect}

CVE-2014-0226 Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow.

CVE-2014-0118 mod_deflate: The DEFLATE input filter (inflates request bodies) now limits the length and compression ratio of inflated request bodies to avoid denial of service via highly compressed bodies. See directives DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst.

CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes filling up the scoreboard and eventually hanging the server. By default, the client I/O timeout (Timeout directive) now applies to communication with scripts. The CGIDScriptTimeout directive can be used to set a different timeout for communication with scripts.
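
The kind of limit described in the CVE-2014-0118 entry above can be illustrated with a bounded streaming inflate. This is an added example, not Apache's code: the function and parameter names, the default values and the rule for counting ratio crossings are assumptions of this sketch, and the sample inputs are constructed.

```python
import zlib

class InflateLimitExceeded(Exception):
    """The compressed request body broke the size or ratio policy."""

def bounded_inflate(chunks, max_body=1_000_000, ratio_limit=200, ratio_burst=3):
    """Inflate a zlib stream chunk by chunk, enforcing an output-size cap
    and an inflated/compressed ratio limit. The ratio may be exceeded at
    most ratio_burst times (the counting rule is an assumption of this sketch).
    """
    d = zlib.decompressobj()
    out = bytearray()
    consumed = crossings = 0

    def check():
        nonlocal crossings
        if len(out) > max_body:
            raise InflateLimitExceeded("inflated body exceeds size limit")
        if consumed and len(out) / consumed > ratio_limit:
            crossings += 1
            if crossings > ratio_burst:
                raise InflateLimitExceeded("compression ratio exceeds limit")

    for data in chunks:
        while data:
            # Inflate at most 8 KiB per step so a bomb is never fully expanded.
            out += d.decompress(data, 8192)
            consumed += len(data) - len(d.unconsumed_tail)
            data = d.unconsumed_tail
            check()
    out += d.flush()  # output still buffered inside zlib (small)
    check()
    return bytes(out)

if __name__ == "__main__":
    # Constructed sample inputs: an ordinary form body and a 5 MB run of zeros.
    normal = b"".join(b"user=%d&item=%d;" % (i, i * 7) for i in range(500))
    bomb = zlib.compress(b"\0" * 5_000_000)
    print(len(bounded_inflate([zlib.compress(normal)])))
    try:
        bounded_inflate([bomb], max_body=100_000_000)
    except InflateLimitExceeded as exc:
        print("rejected:", exc)
```

The ordinary body passes unchanged, while the highly compressed one is rejected after a few 8 KiB steps instead of being expanded in full.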

New features:

Proxy FCGI and websockets improvements

Proxy capability via handler

Finer control over scoping of RewriteRules

Unix Domain Socket (UDS) support for mod_proxy backends.

Support for larger shared memory sizes for mod_socache_shmcb

mod_lua and mod_ssl enhancements

Support named groups and backreferences within the LocationMatch, DirectoryMatch, FilesMatch and ProxyMatch directives.

Project home page: http://httpd.apache.org/

Download: http://httpd.apache.org/download.cgi

Via: OSChina (开源中国社区)