[ANN] Apache HTTP Server 2.0.52 Released

Apache HTTP Server 2.0.52 Released

The Apache Software Foundation and the The Apache HTTP Server Project are
pleased to announce the release of version 2.0.52 of the Apache HTTP
Server ("Apache"). This Announcement notes the significant changes
in 2.0.52 as compared to 2.0.51. The Announcement is also available in
German and Japanese from:

http://www.apache.org/dist/httpd/Announcement2.txt.de
http://www.apache.org/dist/httpd/Announcement2.txt.ja

This version of Apache is principally a bug fix release. Of
particular note is that 2.0.52 addresses one new security related
flaw introduced in 2.0.51:

Fix merging of the Satisfy directive, which was applied to
the surrounding context and could allow access despite configured
authentication.
[http://cve.mitre.org/cgi-bin/cvename...CAN-2004-0811]

The Apache HTTP Server Project would like to thank Rici Lake for
identification and a proposed fix of this flaw.

This release is compatible with modules compiled for 2.0.42 and
later versions. We consider this release to be the best version of
Apache available and encourage users of all prior versions to
upgrade.

Apache HTTP Server 2.0.52 is available for download from

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.0 file, linked from the above page, for
a full list of changes.

Apache 2.0 offers numerous enhancements, improvements, and performance
boosts over the 1.3 codebase. For an overview of new features introduced
after 1.3 please see

http://httpd.apache.org/docs-2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep
in mind the following:
If you intend to use Apache with one of the threaded MPMs, you must
ensure that the modules (and the libraries they depend on) that you
will be using are thread-safe. Please contact the vendors of these
modules to obtain this information.

Hi,

I have two Debian Woody installations running. Both run Apache2 from
backports. The production machine currently uses 2.0.51-1, where a new
one uses 2.0.52.0. Both run the Worker MPM (default).

I have copied the config over from the production machine where
everything works just fine.

On the new machine (2.0.52) all my reverse proxies fail to work giving
me Forbidden errors (403). Relevant log lines (error log):
========================
[Fri Oct 01 08:03:30 2004] [error] [client 192.168.6.52] client denied
by server configuration: proxy:http://www.mydomain.com/favicon.ico
========================
and the corresponding access log:
========================
192.168.6.52 - - [01/Oct/2004:08:03:30 +0100] "GET /favicon.ico
HTTP/1.1" 403 213 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1;
rv:1.7.3) Gecko/20040913 Firefox/0.10"
========================
where favicon.ico can be any file. They all show the same behaviour.

I checked it. The two configs look identical to me (well IPs I did
change). Non-proxy VirtualHosts are still OK, just the ones with
Proxying fail. Are there known changes to either the proxy modules or
possible side effects of other changes?
Find my config below

Alexander


<VirtualHost X.X.X.X:80>
ServerName test.mydomain.com
ServerAdmin admin@mydomain.com
ErrorLog /var/log/apache2/test.mydomain.com-error.log
CustomLog /var/log/apache2/test.mydomain.com-access.log
combined

# prevent cross-site tracing
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

# reverse proxy settings
ProxyRequests On
ProxyPass / http://test.mydomain.com/
ProxyPassReverse / http://test.mydomain.com/

# LimitExcept GET POST ?? gut ??
# deflate section
# check http://httpd.apache.org/docs-2.0/mod/mod_deflate.html
# for details
#
<Location />

# Insert filter
SetOutputFilter DEFLATE

# Netscape 4.x has some problems...
BrowserMatch ^Mozilla/4 gzip-only-text/html

# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip

# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

# Don't compress images
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$
no-gzip dont-vary
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</Location>

</VirtualHost>