[ANNOUNCEMENT] Apache HTTP Server 1.3.34 Released

Apache HTTP Server 1.3.34 Released

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 1.3.34 of the Apache HTTP
Server ("Apache"). This Announcement notes the significant changes
in 1.3.34 as compared to 1.3.33. This Announcement1.3 document may
also be available in multiple languages at:

http://www.apache.org/dist/httpd/

This version of Apache is principally a bug and security fix release.
A partial summary of the bug fixes is given at the end of this
document.
A full listing of changes can be found in the CHANGES file. Of
particular note is that 1.3.34 addresses and fixes 2 potential
security issues:

o If a request contains both Transfer-Encoding and
Content-Length headers, remove the Content-Length, mitigating some
HTTP Request Splitting/Spoofing attacks.

o Added TraceEnable [on|off|extended] per-server directive to alter
the behavior of the TRACE method.

We consider Apache 1.3.34 to be the best version of Apache 1.3
available
and we strongly recommend that users of older versions, especially of
the 1.1.x and 1.2.x family, upgrade as soon as possible. No further
releases will be made in the 1.2.x family.

Apache 1.3.34 is available for download from:

http://httpd.apache.org/download.cgi

This service utilizes the network of mirrors listed at:

http://www.apache.org/mirrors/

Please consult the CHANGES_1.3 file for a full list of changes.

As of Apache 1.3.12 binary distributions contain all standard Apache
modules as shared objects (if supported by the platform) and include
full source code. Installation is easily done by executing the
included install script. See the README.bindist and INSTALL.bindist
files for a complete explanation. Please note that the binary
distributions are only provided for your convenience and current
distributions for specific platforms are not always available. Win32
binary distributions are based on the Microsoft Installer (.MSI)
technology. While development continues to make this installation
method
more robust, questions should be directed to the
news:comp.infosystems.www.servers.ms-windows newsgroup.

For an overview of new features introduced after 1.2 please see

http://httpd.apache.org/docs/new_features_1_3.html

In general, Apache 1.3 offers several substantial improvements over
version 1.2, including better performance, reliability and a wider
range of supported platforms, including Windows NT and 2000 (which
fall under the "Win32" label), OS2, Netware, and TPF threaded
platforms.

Apache is the most popular web server in the known universe; over half
of the servers on the Internet are running Apache or one of its
variants.

IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS
variants. While the ports to non-Unix platforms (such as Win32,
Netware
or OS2) are of an acceptable quality, Apache 1.3 is not optimized for
these platforms. Security, stability, or performance issues on these
non-Unix ports do not generally apply to the Unix version, due to
software's Unix origin.

Apache 2.0 has been structured for multiple operating systems from its
inception, by introducing the Apache Portability Library and MPM
modules.
Users on Unix and non-Unix platforms are strongly encouraged to move up
to
Apache 2.0 for better performance, stability and security on their
platforms. We consider Apache 2.0.55 to be the best available version
at
the time of this release. We offer Apache 1.3.34 as the best legacy
version of Apache 1.3 available, and strongly recommend that users who
require compatibility with existing Apache 1.3 installations should
upgrade as soon as possible. Users should first consider upgrading to
the current release of Apache 2 instead.

Apache 1.3.34 Major changes

Security vulnerabilities

* SECURITY: core: If a request contains both Transfer-Encoding and
Content-Length headers, remove the Content-Length, mitigating some
HTTP Request Splitting/Spoofing attacks. This has no impact on
mod_proxy_http, yet affects any module which supports chunked
encoding yet fails to prefer T-E: chunked over the Content-Length
purported value.

* Added TraceEnable [on|off|extended] per-server directive to alter
the behavior of the TRACE method. This addresses a flaw in proxy
conformance to RFC 2616 - previously the proxy server would accept
a TRACE request body although the RFC prohibited it. The default
remains 'TraceEnable on'.

New features

New features that relate to specific platforms:

* None

New features that relate to all platforms:

* None

Bugs fixed

The following noteworthy bugs were found in Apache 1.3.33 (or earlier)
and have been fixed in Apache 1.3.34:

* hsregex: fix potential core dumping on 64 bit machines, such as
AMD64. PR 31858.
* mod_digest: Fix another nonce string calculation issue.

jim@jaguNET.com wrote:
> Apache HTTP Server 1.3.34 Released
> ....

> Apache 1.3.34 is available for download from:
>
> http://httpd.apache.org/download.cgi
>
> This service utilizes the network of mirrors listed at:
>
> http://www.apache.org/mirrors/
>

Should I be able to download the Win32 binary from the download link?
Every time I try clicking on link on that page of:
"Win32 Binary (Self extracting): apache_1.3.34-win32-x86-no_src.exe"
I get the requested url was not found on server. Does not matter what
mirror I use. Looking under available binaries I only see 1.3.33
versions available.

Regards, Bryce.

bryce@hrnz.co.nz wrote:

> Should I be able to download the Win32 binary from the download link?
> Every time I try clicking on link on that page of:
> "Win32 Binary (Self extracting): apache_1.3.34-win32-x86-no_src.exe"
> I get the requested url was not found on server. Does not matter what
> mirror I use. Looking under available binaries I only see 1.3.33
> versions available.
>
> Regards, Bryce.

It's November 5, and I still cannot find 1.3.34 on any of the mirrors.
I also only see 1.3.33 versions available.

Does anyone know what's going on?

Steve

steve@webcommons.biz wrote:
> bryce@hrnz.co.nz wrote:

(snipped)

>>Should I be able to download the Win32 binary from the download link?

> It's November 5, and I still cannot find 1.3.34 on any of the mirrors.
> I also only see 1.3.33 versions available.

> Does anyone know what's going on?

Typical Apache brainfart. This happens frequently.

My experience is Apache porters are quite careless about
testing and verification; they assume themselves right.

Unless you are using a newer NT5 system, you do not want
any version of 1.3.x from 1.3.28 forward. Apache introduced
a very slow fatal bug in 1.3.28 version. Although reported
many times, this creeping bug has never been repaired.

Maybe this bug is fixed in 1.3.34 but who knows? So far,
none have been able to find a Win32 port of this version.

Version 1.3.27 was the last stable version released, and
it is very decent software exhibiting only a few bugs.

You can report this missing file, doubtful the file will
be made available anytime soon; support is an urban myth.

Apache is the best server software, but quality is degrading
because of a lax attitude amongst Apache insiders. Would not
be a surprise if Microsoft continues to capture a larger
market share because of the declining quality of Apache.

Personally, I only use Apache, after fixing bugs and errors.

Purl Gurl

Purl Gurl wrote:
> steve@webcommons.biz wrote:
>> bryce@hrnz.co.nz wrote:

(snipped)

>> It's November 5, and I still cannot find 1.3.34 on any of the mirrors.
>> I also only see 1.3.33 versions available.

> My experience is Apache porters are quite careless about
> testing and verification; they assume themselves right.

This is a classic example.

Visit the government-grants.org mirror site.

http://government-grants.org/mirrors...inaries/win32/

At page top, find this:

***

Important Notices
Download from your nearest mirror site!
Windows 95 Apache Users Read This First
Windows XP Apache Users Read This First

ZoneAlarm (or other firewall) Users Read This First
Obtain the current stable release

Older releases
MSI Binary Distribution Packages
Binary Diagnostic Symbol Downloads
Troubleshooting MSI Installation Problems

***

You will discover none of those links function. This is rather
humorous example of Apache insiders failing to test and verify,
even simple hypertext markup.

Purl Gurl

* tested with Netscape 7.x and MSIE 6.x versions

steve@webcommons.biz wrote:
> bryce@hrnz.co.nz wrote:
>
>
>>Should I be able to download the Win32 binary from the download link?
>>Every time I try clicking on link on that page of:
>>"Win32 Binary (Self extracting): apache_1.3.34-win32-x86-no_src.exe"
>>I get the requested url was not found on server. Does not matter what
>>mirror I use. Looking under available binaries I only see 1.3.33
>>versions available.
>>
>>Regards, Bryce.
>
>
> It's November 5, and I still cannot find 1.3.34 on any of the mirrors.
> I also only see 1.3.33 versions available.

Well, Apache 1.x was a Unix/family architecture, that ported clumsily
to make a distinctly suboptimal server on windows. Apache 2.0 is the
first version to be truly cross-platform. Given that Apache 1 has now
been obsolete for more than three and a half years, why are you still
using it?

--
Nick Kew

Why? Because I like to replicate what my hosting company is using for
the sake of local testing. I could jump ahead and test with Apache
2.0, but I don't see the point if my hosting company isn't. Of course,
what I do isn't a recommendation for others to follow.