20140906 Updated to httpd-2.2.29


Changes with Apache 2.2.29

*) Corrected docs/manual pages for new MergeTrailers directive and other
   out of date documentation. [William Rowe]

Changes with Apache 2.2.28

*) SECURITY: CVE-2014-0118 (cve.mitre.org)
   mod_deflate: The DEFLATE input filter (inflates request bodies) now
   limits the length and compression ratio of inflated request bodies to avoid
   denial of service via highly compressed bodies.  See directives
   DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
   and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]

*) SECURITY: CVE-2014-0231 (cve.mitre.org)
   mod_cgid: Fix a denial of service against CGI scripts that do
   not consume stdin that could lead to lingering HTTPD child processes
   filling up the scoreboard and eventually hanging the server.  By
   default, the client I/O timeout (Timeout directive) now applies to
   communication with scripts.  The CGIDScriptTimeout directive can be
   used to set a different timeout for communication with scripts.
   [Rainer Jung, Eric Covener, Yann Ylavic]

*) SECURITY: CVE-2014-0226 (cve.mitre.org)
   Fix a race condition in scoreboard handling, which could lead to
   a heap buffer overflow.  [Joe Orton, Eric Covener, Jeff Trawick]

*) SECURITY: CVE-2013-5704 (cve.mitre.org)
   core: HTTP trailers could be used to replace HTTP headers
   late during request processing, potentially undoing or
   otherwise confusing modules that examined or modified
   request headers earlier.  Adds "MergeTrailers" directive to restore
   legacy behavior.  [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]

*) core: Detect incomplete request and response bodies, log an error and
   forward it to the underlying filters. PR 55475.  [Yann Ylavic]

*) mod_deflate: Handle Zlib header and validation bytes received in multiple
   chunks. PR 46146. [Yann Ylavic]

*) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
   differs. PR 55782.  [Yann Ylavic]

*) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
   [Lukas Bezdicka]

*) mod_dav: Fix improper encoding in PROPFIND responses.  PR 56480.
   [Ben Reser]

*) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
   resumed by TLS session resumption (RFC 5077). [Rainer Jung]

*) mod_proxy_ajp: Forward local IP address as a custom request attribute
   like we already do for the remote port. [Rainer Jung]

*) mod_deflate: Don't fail when flushing inflated data to the user-agent
   and that coincides with the end of stream ("Zlib error flushing inflate
   buffer"). PR 56196. [Christoph Fausak]

*) mod_cache, mod_disk_cache: With CacheLock enabled, responses with a Vary 
   header might not get the benefit of the thundering herd protection due to 
   an incorrect internal cache key.  PR 50317. 
   [Ruediger Pluem, Jan Kaluza, Yann Ylavic]

*) mod_rewrite: Support session cookies with the CO= flag when later
   parameters are used.  The doc for this implied the feature had been
   backported for quite some time.  PR56014 [Eric Covener]

*) mod_cache: Don't remove stale cache entries that cannot be conditionally
   revalidated. This prevents the thundering herd protection from serving
   stale responses during a revalidation. PR 50317.
   [Eric Covener, Jan Kaluza,  Ruediger Pluem]

*) core: Increase TCP_DEFER_ACCEPT socket option from 1 to 30 seconds.
   PR 41270. [Dean Gaudet]
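
The Python sketch below is an added example, not code from Apache httpd or from this page: it models the kind of limits the CVE-2014-0118 entry describes for inflated request bodies, an absolute size cap plus a compression-ratio cap with a burst allowance. The names `max_body`, `ratio_limit`, `ratio_burst` and `step`, the checks themselves and the sample bodies are assumptions for illustration, not the exact semantics of the directives.

```python
import zlib

class InflateLimitExceeded(Exception):
    """A compressed request body broke a size or ratio limit."""

def bounded_inflate(chunks, max_body=1_000_000, ratio_limit=200,
                    ratio_burst=3, step=8192):
    """Inflate compressed chunks under an output cap and a ratio cap.

    Parameter names are hypothetical, modelled on the directives named in
    the changelog; the checks are a simplified model, not mod_deflate's code.
    """
    d = zlib.decompressobj(wbits=47)   # 32+15: accept zlib or gzip framing
    out = bytearray()
    consumed = strikes = 0

    def account(piece):
        nonlocal strikes
        out.extend(piece)
        if len(out) > max_body:
            raise InflateLimitExceeded("inflated size over max_body")
        if len(out) > ratio_limit * consumed:
            strikes += 1               # tolerate short bursts only
            if strikes > ratio_burst:
                raise InflateLimitExceeded("ratio over ratio_limit")
        else:
            strikes = 0

    for chunk in chunks:
        consumed += len(chunk)
        while chunk:
            # max_length=step bounds each call, so the limits are checked
            # before a bomb can expand to its full size in memory.
            account(d.decompress(chunk, step))
            chunk = d.unconsumed_tail
    account(d.flush())                 # small remainder held by zlib
    return bytes(out)

# Constructed sample inputs (not from the page).
FORM_BODY = zlib.compress(b"".join(b"user=%d&" % i for i in range(500)))
BOMB_BODY = zlib.compress(b"\0" * 10_000_000, 9)   # about 10 KB on the wire

def verdict(body, **limits):
    """Return 'ok' or the reason the body was rejected."""
    try:
        bounded_inflate([body], **limits)
        return "ok"
    except InflateLimitExceeded as exc:
        return str(exc)

if __name__ == "__main__":
    print(verdict(FORM_BODY), "|", verdict(BOMB_BODY))
```

Malformed input still raises `zlib.error`, which a caller would treat as a rejected request.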