
Security update for Apache2

Knowledgebase

(Last modified: 25JUN2007)



Applies to

Package:    apache2
            apache2-worker
            apache2-perchild
            apache2-prefork
            apache2-leader
            apache2-metuxmpm
            apache2-devel
            apache2-doc
            apache2-example-pages
            libapr0
Product(s): SUSE CORE 9 for x86
            SUSE CORE 9 for Itanium Processor Family
            SUSE CORE 9 for IBM POWER
            SUSE CORE 9 for IBM S/390 31bit
            SUSE CORE 9 for IBM zSeries 64bit
            SUSE CORE 9 for AMD64 and Intel EM64T
            Novell Linux Desktop 9 for x86
            Novell Linux Desktop 9 for x86_64
            Novell Linux POS 9
            Open Enterprise Server
Patch:      patch-11559
Release:    20070625
Obsoletes:  none

Indications

Everybody using Apache should update.

Contraindications

None.

Problem description

Update from 2.0.49 to 2.0.59. The new version has the following non-critical changes (for each version, only the important changes are listed):
Changes with Apache 2.0.59 / Changes with Apache 2.0.57
  • mod_cgid: run the get_suexec_identity hook within the request-handler instead of within cgid. PR 36410. [Colm MacCarthaigh]
  • core: Prevent read of uninitialized memory in ap_rgetline_core. PR 39282. [Davi Arnaut <davi haxent.com.br>]
  • mod_proxy: Report the proxy server name correctly in the "Via:" header, when UseCanonicalName is Off. PR 11971. [Martin Kraemer]
  • HTML-escape the Expect error message. Not classed as security as an attacker has no way to influence the Expect header a victim will send to a target site. Reported by Thiago Zaninotti <thiango nstalker.com>. [Mark Cox]
Changes with Apache 2.0.56
  • new feature: Add APR/APR-Util Compiled and Runtime Version numbers to the output of 'httpd -V'. [William Rowe]
  • Ensure that the proper status line is written to the client, fixing incorrect status lines caused by filters which modify r->status without resetting r->status_line, such as the built-in byterange filter. [Jeff Trawick]
  • Default handler: Don't return output filter apr_status_t values. PR 31759. [Jeff Trawick, Ruediger Pluem, Joe Orton]
  • mod_speling: Stop crashing with certain non-file requests. [Jeff Trawick]
  • keep the Content-Length header for a HEAD with no response body. PR 18757 [Greg Ames]
  • Avoid server-driven negotiation when a CGI script has emitted an explicit "Status:" header. PR 38070. [Nick Kew]
  • new feature: mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o format is used. PR 27787. [André Malo]
  • mod_cache: Correctly handle responses with a 301 status. PR 37347. [Paul Querna]
  • mod_proxy_http: Prevent data corruption of POST request bodies when client accesses proxied resources with SSL. PR 37145. [Ruediger Pluem, William Rowe]
  • mod_ssl: Correct issue where mod_ssl does not pick up the ssl-unclean-shutdown setting when configured. PR 34452. [Joe Orton]
  • mod_deflate: Merge the Vary header, instead of Setting it. Fixes applications that send the Vary Header themselves. PR 37559. [Paul Querna]
  • mod_dav: Fix a null pointer dereference in an error code path during the handling of MKCOL. [Ghassan Misherghi <ghassanm ucdavis.edu>]
  • Write message to error log if AuthGroupFile cannot be opened. PR 37566. [Rüdiger Plüm]
  • new feature: Add ReceiveBufferSize directive to control the TCP receive buffer. [Eric Covener <covener gmail.com>]
  • mod_cache: Fix 'Vary: *' behavior to be RFC compliant. PR 16125. [Paul Querna]
  • Remove the base href tag from proxy_ftp, as it breaks relative links for clients not using an Authorization header. [Graham Leggett, Jon Snow <jsnow27 gatesec.net>]
  • new feature (added command line tool): Add httxt2dbm to support/ for creating RewriteMap DBM Files. [Paul Querna]
  • Chunk filter: Fix chunk filter to create correct chunks in the case that a flush bucket is surrounded by data buckets. [Ruediger Pluem]
  • mod_cgi(d): Remove block on OPTIONS method so that scripts can respond to OPTIONS directly rather than via server default. [Roy Fielding] PR 15242
  • new feature: Added new module mod_version, which provides version dependent configuration containers. [André Malo]
  • new feature (new function): Add core version query function (ap_get_server_revision) and accompanying ap_version_t structure (minor MMN bump). [André Malo]
Changes with Apache 2.0.55
  • mod_ldap: Fix PR 36563. Keep track of the number of attributes retrieved from LDAP so that all of the values can be properly cached even if the value is NULL. [Brad Nicholes, Ondrej Sury <ondrej sury.org>]
  • new feature, remains compatible and behaviour is unchanged: Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method. This addresses a flaw in proxy conformance to RFC 2616 - previously the proxy server would accept a TRACE request body although the RFC prohibited it. The default remains 'TraceEnable on'. [William Rowe]
  • added logging function: Add ap_log_cerror() for logging messages associated with particular client connections. [Jeff Trawick]
  • Correct mod_cgid's argv[0] so that the full path can be delved by the invoked cgi application, to conform to the behavior of mod_cgi. [Pradeep Kumar S <pradeep.smani gmail.com>]
  • mod_include: Fix possible environment variable corruption when using nested includes. PR 12655. [Joe Orton]
  • Support the suppress-error-charset setting, as with Apache 1.3.x. PR 31274. [Jeff Trawick]
  • Fix bad globbing comparison which could result in getting a directory listing when a file was requested. PR 34512. [sean <infamous41md hotmail.com>]
  • Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker() was called even if mod_auth_ldap_check_user_id() was not (or if it didn't succeed) for non-authoritative cases. [Jim Jagielski]
  • mod_proxy: Fix over-eager handling of '%' for reverse proxies. PR 15207. [Jim Jagielski]
  • mod_ldap: Fix various shared memory cache handling bugs. PR 34209. [Joe Orton]
  • Fix a file descriptor leak when starting piped loggers. PR 33748. [Joe Orton]
  • mod_ldap: Avoid segfaults when opening connections if using a version of OpenLDAP older than 2.2.21. PR 34618. [Brad Nicholes]
  • proxy HTTP: If a response contains both Transfer-Encoding and a Content-Length, remove the Content-Length and don't reuse the connection, mitigating some HTTP Response Splitting attacks. [Jeff Trawick]
  • Prevent hangs of child processes when writing to piped loggers at the time of graceful restart. PR 26467. [Jeff Trawick]
  • mod_userdir: Fix possible memory corruption issue. PR 34588. [David Leonard <dleonard vintela.com>]
  • worker mpm: don't take down the whole server for a transient thread creation failure. PR 34514 [Greg Ames]
  • feature: mod_rewrite: use buffered I/O to improve performance with large RewriteMap txt: files. [Greg Ames]
  • proxy HTTP: Rework the handling of request bodies to handle chunked input and input filters which modify content length, and avoid spooling arbitrary-sized request bodies in memory. PR 15859. [Jeff Trawick]
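The 2.0.55 proxy HTTP entry above gives a framing rule: when a backend response carries both Transfer-Encoding and Content-Length, remove Content-Length and do not reuse the connection. The following is an added example of that rule, not Apache's own code; the struct layout and function names are hypothetical and the sample headers are constructed.

```c
/* Added example, not Apache source: the 2.0.55 proxy framing rule. */
#include <ctype.h>
#include <stdio.h>

#define MAX_HDRS 8

struct header { const char *name; const char *value; };

struct response {
    struct header hdrs[MAX_HDRS];
    int nhdrs, keepalive;     /* keepalive: 1 = backend connection may be reused */
};

/* Case-insensitive comparison of two header names. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;          /* equal only if both strings ended */
}

/* Index of the first header called `name`, or -1 if absent. */
static int find_header(const struct response *r, const char *name)
{
    for (int i = 0; i < r->nhdrs; i++)
        if (name_eq(r->hdrs[i].name, name))
            return i;
    return -1;
}

/* Drop every header called `name`, compacting the array in place. */
static void remove_header(struct response *r, const char *name)
{
    int kept = 0;
    for (int i = 0; i < r->nhdrs; i++)
        if (!name_eq(r->hdrs[i].name, name))
            r->hdrs[kept++] = r->hdrs[i];
    r->nhdrs = kept;
}

/* Returns 1 if the response had both framing headers and was sanitized. */
int sanitize_framing(struct response *r)
{
    if (find_header(r, "Transfer-Encoding") < 0 ||
        find_header(r, "Content-Length") < 0)
        return 0;
    remove_header(r, "Content-Length");   /* chunked framing takes precedence */
    r->keepalive = 0;                      /* do not reuse this connection */
    return 1;
}

/* Constructed sample: backend response with conflicting framing headers. */
struct response sample_conflicting(void)
{
    struct response r = {
        { {"Content-Type", "text/html"}, {"content-length", "5"},
          {"Transfer-Encoding", "chunked"}, {"Connection", "keep-alive"} },
        4, 1
    };
    return r;
}

/* Constructed sample: unambiguous response with Content-Length only. */
struct response sample_clean(void)
{
    struct response r = { { {"Content-Length", "5"} }, 1, 1 };
    return r;
}

int main(void)
{
    struct response r = sample_conflicting();
    printf("sanitized=%d ", sanitize_framing(&r));
    printf("headers=%d keepalive=%d\n", r.nhdrs, r.keepalive);
    return 0;
}
```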
Changes with Apache 2.0.54
  • new feature, was L3: mod_cache: Add CacheIgnoreHeaders directive. PR 30399. [Rüdiger Plüm <r.pluem t-online.de>]
  • new feature: mod_ldap: Added the directive LDAPConnectionTimeout to configure the ldap socket connection timeout value. [Brad Nicholes]
  • Correctly export all mod_dav public functions. [Branko Cibej <brane xbc.nu>]
  • worker MPM: Fix a problem which could cause httpd processes to remain active after shutdown. [Jeff Trawick]
  • Unix MPMs: Shut down the server more quickly when child processes are slow to exit. [Joe Orton, Jeff Trawick]
  • Remove formatting characters from ap_log_error() calls. These were escaped as fallout from CVE-2003-0020. [Eric Covener <ecovener gmail.com>]
  • mod_ssl: If SSLUsername is used, set r->user earlier. PR 31418. [David Reid]
  • htdigest: Fix permissions of created files. PR 33765. [Joe Orton]
  • core_input_filter: Move buckets to a persistent brigade instead of creating a new brigade. This stops a memory leak when proxying a Streaming Media Server. PR 33382. [Paul Querna]
Changes with Apache 2.0.53
  • mod_proxy: Fix ProxyRemoteMatch directive. PR 33170. [Rici Lake <rici ricilake.net>]
  • mod_proxy: Respect errors reported by pre_connection hooks. [Jeff Trawick]
  • new feature: mod_dumpio, an I/O logging/dumping module, added to the modules/experimental subdirectory. [Jim Jagielski]
  • mod_ssl: fail quickly if SSL connection is aborted rather than making many doomed ap_pass_brigade calls. PR 32699. [Joe Orton]
  • Remove compiled-in upper limit on LimitRequestFieldSize. [Bill Stoddard]
  • Start keeping track of time-taken-to-process-request again for mod_status if ExtendedStatus is enabled. [Jim Jagielski]
  • mod_proxy: Handle client-aborted connections correctly. PR 32443. [Janne Hietamäki, Joe Orton]
  • Fix handling of files >2Gb on all platforms (or builds) where apr_off_t is larger than apr_size_t. PR 28898. [Joe Orton]
  • mod_include: Fix bug which could truncate variable expansions of N*64 characters by one byte. PR 32985. [Joe Orton]
  • Correct handling of certain bucket types in ap_save_brigade, fixing possible segfaults in mod_cgi with #include virtual. PR 31247. [Joe Orton]
  • new feature Allow for the use of --with-module=foo:bar where the ./modules/foo directory is local only. Assumes, of course, that the required files are in ./modules/foo, but makes it easier to statically build/log "external" modules. [Jim Jagielski]
  • new feature: Util_ldap: Implemented the util_ldap_cache_getuserdn() API so that ldap authorization only modules have access to the util_ldap user cache without having to require ldap authentication as well. PR 31898. [Jari Ahonen jah progress.com, Brad Nicholes]
  • new feature: mod_auth_ldap: Added the directive "Requires ldap-attribute" that allows the module to only authorize a user if the attribute value specified matches the value of the user object. PR 31913 [Ryan Morgan <rmorgan pobox.com>]
  • mod_ssl: Fail at startup rather than segfault at runtime if a client cert is configured with an encrypted private key. PR 24030. [Joe Orton]
  • apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". PR 31448 [Joe Orton]
  • mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d. [Jeff Trawick]
  • mod_cache: CacheDisable will only disable the URLs it was meant to disable, not all caching. PR 31128. [Edward Rudd <eddie omegaware.com>, Paul Querna]
  • mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale cache responses. [Justin Erenkrantz]
  • mod_rewrite: Handle per-location rules when r->filename is unset. Previously this would segfault or simply not match as expected, depending on the platform. [Jeff Trawick]
  • mod_rewrite: Fix 0 bytes write into random memory position. PR 31036. [André Malo]
  • mod_disk_cache: Do not store aborted content. PR 21492. [Rüdiger Plüm <r.pluem t-online.de>]
  • mod_disk_cache: Correctly store cached content type. PR 30278. [Rüdiger Plüm <r.pluem t-online.de>]
  • mod_ldap: prevent the possibility of an infinite loop in the LDAP statistics display. PR 29216. [Graham Leggett]
  • mod_ldap: fix a bogus error message to tell the user which file is causing a potential problem with the LDAP shared memory cache. PR 31431 [Graham Leggett]
  • Fix the re-linking issue when purging elements from the LDAP cache PR 24801. [Jess Holle <jessh ptc.com>]
  • mod_disk_cache: Fix races in saving responses. [Justin Erenkrantz]
  • Fix Expires handling in mod_cache. [Justin Erenkrantz]
  • Alter mod_expires to run at a different filter priority to allow proper Expires storage by mod_cache. [Justin Erenkrantz]
Changes with Apache 2.0.52
  • Fix the global mutex crash when the global mutex is never allocated due to disabled/empty caches. [Jess Holle <jessh ptc.com>]
  • Fix the handling of URIs containing %2F when AllowEncodedSlashes is enabled. Previously, such urls would still be rejected. [Jeff Trawick, Bill Stoddard]
  • mod_mem_cache: Fixed race condition causing segfault because of memory being freed twice, or reused after being freed. [J. Clar, W. Stoddard, G. Ames]
  • new feature Add -l option to rotatelogs to let it use local time rather than UTC. PR 24417. [Ken Coar, Uli Zappe <uli ritual.org>]
  • mod_log_config: Fix a bug which prevented request completion time from being logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE processing. PR 29696. [Alois Treindl <alois astro.ch>]
Changes with Apache 2.0.51
  • new feature mod_include no longer checks for recursion, because that's done in the core. This allows for careful usage of recursive SSI. [André Malo]
  • Fix memory leak in the cache handling of mod_rewrite. PR 27862. [chunyan sheng <shengperson yahoo.com>, André Malo]
  • Include directives no longer refuse to process symlinks on directories. Instead there's now a maximum nesting level of included directories (128 as distributed). This is configurable at compile time using the -DAP_MAX_INCLUDE_DIR_DEPTH switch. PR 28492. [André Malo]
  • mod_rewrite: Add %{SSL:...} and %{HTTPS} variable lookups. PR 30464. [Joe Orton, Madhusudan Mathihalli]
  • feature mod_ssl: Add new 'ssl_is_https' optional function. [Joe Orton]
  • Prevent CGI script output which includes a Content-Range header from being passed through the byterange filter. [Joe Orton]
  • feature Satisfy directives now can be influenced by a surrounding <Limit> container. PR 14726. [André Malo]
  • feature mod_rewrite now officially supports RewriteRules in <Proxy> sections. PR 27985. [André Malo]
  • new features (we partly had them as backports): mod_disk_cache: Implement binary format for on-disk header files. [Brian Akins <bakins web.turner.com>, Justin Erenkrantz]
  • mod_disk_cache: Optimize network performance of disk cache subsystem by allowing zero-copy (sendfile) writes and other miscellaneous fixes. [Justin Erenkrantz]
  • mod_cache, mod_disk_cache, mod_mem_cache: Refactor cache modules, and switch to the provider API instead of hooks. [Justin Erenkrantz]
  • mod_autoindex: Don't truncate the directory listing if a stat() call fails (for instance on a >2Gb file). PR 17357. [Joe Orton]
  • feature Makefile fix: httpd is linked against LIBS given to the 'make' invocation. PR 7882. [Joe Orton]
  • mod_ssl: Add "SSLUserName" directive to set r->user based on a chosen SSL environment variable. PR 20957. [Martin v. Loewis <martin v.loewis.de>]
  • mod_ssl: Avoid startup failure after unclean shutdown if using shmcb. PR 18989. [Joe Orton]
  • mod_userdir: Ensure that the userdir identity is used for suexec userdir access in a virtual host which has suexec configured. PR 18156. [Joshua Slive]
  • mod_rewrite no longer confuses the RewriteMap caches if different maps defined in different virtual hosts use the same map name. PR 26462. [André Malo]
  • mod_setenvif: Remove "support" for Remote_User variable which never worked at all. PR 25725. [André Malo]
  • Backport from 2.1 / Regression from 1.3: mod_headers now knows again the functionality of the ErrorHeader directive. But instead using this misnomer additional flags to the Header directive were introduced ("always" and "onsuccess", defaulting to the latter). PR 28657. [André Malo]
  • mod_usertrack: Escape the cookie name before pasting into the regexp. [André Malo]
  • Extend the SetEnvIf directive to capture subexpressions of the matched value. [André Malo]
  • Recursive Include directives no longer crash. The server stops including configuration files after a certain nesting level (128 as distributed). This is configurable at compile time using the -DAP_MAX_INCLUDE_DEPTH switch. PR 28370. [André Malo]
  • new feature, backwards compatible and no change in behaviour mod_dir: the trailing-slash behaviour is now configurable using the DirectorySlash directive. [André Malo]
  • Allow proxying of resources that are invoked via DirectoryIndex. PR 14648, 15112, 29961. [André Malo]
  • Enable special ErrorDocument value 'default' which restores the canned server response for the scope of the directive. [Geoffrey Young, André Malo]
  • work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack is set in r->subprocess_env allow mismatched query strings to pass. PR 27758. [Paul Querna, Geoffrey Young]
  • new feature Accept URLs for the ServerAdmin directive. If the supplied argument is not recognized as an URL, assume it's a mail address. PR 28174. [André Malo, Paul Querna]
  • new feature initialize server arrays prior to calling ap_setup_prelinked_modules so that static modules can push Defines values when registering hooks just like DSO modules can ["Philippe M. Chiasson" <gozer cpan.org>]
  • Small fix to allow reverse proxying to an ftp server. Previously an attempt to do this would try and connect to 0.0.0.0, regardless of the server specified. PR 24922 [Pascal Terjan <pterjan@linuxfr.org>]
Changes with Apache 2.0.50
  • long awaited bugfix :) mod_cgi: Handle output on stderr during script execution on Unix platforms; preventing deadlock when stderr output fills pipe buffer. Also fixes case where stderr from nph- scripts could be lost. PR 22030, 18348. [Joe Orton, Jeff Trawick]
  • very nice new feature :) mod_alias now emits a warning if it detects overlapping *Alias* directives. [André Malo]
  • mod_rewrite no longer turns forward proxy requests into reverse proxy requests. PR 28125 [ast domdv.de, André Malo]
  • <VirtualHost myhost> now applies to all IP addresses for myhost instead of just the first one reported by the resolver. This corrects a regression since 1.3. [Jeff Trawick]
  • mod_dav_fs: Fix MKCOL response for missing parent collections, which caused issues for the Eclipse WebDAV extension. PR 29034. [Joe Orton]
  • mod_deflate: Fix memory consumption (which was proportional to the response size). PR 29318. [Joe Orton]
  • mod_ssl: Log the errors returned on failure to load or initialize a crypto accelerator engine. [Joe Orton]
  • new feature: Allow RequestHeader directives to be conditional. PR 27951. [Vincent Deffontaines <vincent gryzor.com>, André Malo]
  • Fix a bunch of cases where the return code of the regex compiler was not checked properly. This affects: mod_setenvif, mod_usertrack, mod_proxy, mod_proxy_ftp and core. PR 28218. [André Malo]
  • mod_ssl: Fix a potential segfault in the 'shmcb' session cache for small cache sizes. PR 27751. [Geoff Thorpe <geoff geoffthorpe.net>]
  • Remove 2Gb log file size restriction on some 32-bit platforms. PR 13511. [Joe Orton]
  • Regression from 1.3: At startup, suexec now will be checked for availability, the setuid bit and user root. This works only if httpd is compiled with the shipped APR version (0.9.5). PR 28287. [André Malo]
  • Unix MPMs: Stop dropping connections when the file descriptor is at least FD_SETSIZE. [Jeff Trawick]
  • Fix handling of IPv6 numeric strings in mod_proxy. [Jeff Trawick]
  • Fix a segfault when requests for shared memory fails and returns NULL. Fix a segfault caused by a lack of bounds checking on the cache. PR 24801. [Graham Leggett]
  • Quotes cannot be used around require group and require dn directives, update the documentation to reflect this. Also add quotes around the dn and group within debug messages, to make it more obvious why authentication is failing if quotes are used in error. PR 19304. [Graham Leggett]
  • Ensure that lines in the request which are too long are properly terminated before logging. [Tsurutani Naoki <turutani scphys.kyoto-u.ac.jp>]
  • mod_dav: Fix a problem that could cause crashes when manipulating locks on some platforms. [Jeff Trawick]
  • mod_headers no longer crashes if an empty header value should be added. [André Malo]
  • Fix segfault in mod_expires, which occurred under certain circumstances. PR 28047. [André Malo]
  • mod_ssl: Fix memory leak in session cache handling. PR 26562 [Madhusudan Mathihalli]
  • mod_ssl: Fix potential segfaults when performing SSL shutdown from a pool cleanup. PR 27945. [Joe Orton]
  • Add forensic logging module (mod_log_forensic). [Ben Laurie]
  • Fix the comment delimiter in htdbm so that it correctly parses the username comment. Also add a terminate function to allow NetWare to pause the output before the screen is destroyed. [Guenter Knauf <eflash gmx.net>, Brad Nicholes]
  • Fix crash when Apache was started with no Listen directives. [Michael Corcoran <mcorcoran warpsolutions.com>]
  • core_output_filter: Fix bug that could result in sending garbage over the network when module handlers construct bucket brigades containing multiple file buckets all referencing the same open file descriptor. [Bojan Smojver]
  • Fix memory corruption problem with ap_custom_response() function. The core per-dir config would later point to request pool data that would be reused for different purposes on different requests. [Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe]
Changes with APR 0.9.11
  • Fixed 'make check' target to avoid invoking sub-programs of testshm, testshmconsumer and testshmproducer. [William Rowe]
Changes with APR 0.9.10
  • Minor bug fixes to address various platform build and run time issues.
Changes with APR 0.9.9
  • Prevent detection of robust mutex support with glibc 2.4, fixing APR_LOCK_PROC_PTHREAD locks. PR 38442. [Joe Orton]
  • Fix apr_strerror() with glibc 2.4. [Joe Orton]
  • Install mkdir.sh, make_exports.awk, make_var_export.awk to the APR installbuilddir, and provide working accessor variables in apr_rules.mk. [Max Bowsher]
  • Documented that apr_stat and apr_dir_read can return APR_INCOMPLETE, and how to determine which parts of the resulting apr_finfo_t can be used in such a case. [Garrett Rooney]
Changes with APR 0.9.7
  • Fix crash in apr_dir_make_recursive() for relative path when the working directory has been deleted. [Joe Orton]
  • Fix apr_file_read() to catch write failures when flushing pending writes for a buffered file. [Joe Orton]
  • Fix apr_file_write() infinite loop on write failure for buffered files. [Erik Huelsmann <ehuels gmail.com>]
  • Fix error handling where apr_uid_* and apr_gid_* could segfault or return APR_SUCCESS in failure cases. PR 34053. [Joe Orton, Paul Querna]
Changes with APR 0.9.6
  • new feature Add apr_threadattr_stacksize_set() for overriding the default stack size for threads created by apr_thread_create(). [Jeff Trawick]
Changes with APR 0.9.5
  • Prevent unbounded memory use during repeated operations on a hash table. [Julian Foad <julianfoad btopenworld.com>]
  • Make threads behave as they do on POSIX. If a thread is created without APR_DETACH, expect that thread_join will be called, so don't close the handle in advance if the thread has already finished. [Mladen Turk]
  • Fix apr_snprintf() to respect precision for small floating point numbers. PR 29621. [Artur Zaprzala <zybi talex.pl>]
  • new feature: Add command type APR_SHELLCMD_ENV for creating a process which is started by the shell and which inherits the parent's environment variables. [Jeff Trawick]
  • Change default inter-process locking mechanisms: POSIX semaphores and pthread cross-process mutexes are not used by default; on Solaris, fcntl locks are used by default. [Joe Orton]
  • Remove apr_file_copy()'s 2Gb file size limit on some platforms. [Joe Orton]
  • Don't assume getnameinfo() can handle IPv4-mapped IPv6 addresses on any platforms. [Jeff Trawick, Joe Orton, Colm MacCarthaigh <colm stdlib.net>]
  • Support setuid, setgid and sticky file permissions bits on Unix. [André Malo]
  • Fix sign error in apr_file_seek(APR_END). [Greg Hudson <ghudson MIT.EDU>]
  • Fix printing apr_int64_t values smaller than LONG_MIN on 32-bit platforms in apr_vformatter. [Joe Orton]
  • Fix apr_time_exp_get() for dates in 2038. [Philip Martin <philip codematters.co.uk>]
  • we had it as patch: Add APR_LARGEFILE flag to allow opening files with the O_LARGEFILE flag; not recommended for general use, see include/apr_file_io.h. [Joe Orton]
Changes with APR-util 0.9.9
  • Stop trying to link against Berkeley DB by default. To enable use of Berkeley DB users must now explicitly pass --with-berkeley-db to configure, since Berkeley DB is released under a viral license that requires distribution of source code for any program that uses it. [Garrett Rooney]
  • Stop trying to link against GDBM by default. To enable use of GDBM users must now explicitly pass --with-gdbm to configure, since GDBM is licensed under the GPL. [Garrett Rooney]
Changes with APR-util 0.9.7
  • Fix apr_rmm_realloc() offset calculation bug. [Keith Kelleman <keith.kelleman oracle.com>]
  • Fix handling of a premature EOF with the FILE bucket; a new bucket is not inserted for each attempt to read past EOF. PR 34708. [Jeff Trawick, Joe Orton]
  • new feature: Backport the apr_reslist_timeout_set and apr_reslist_invalidate functions already in APR 1.0.x. [Paul Querna]
Changes with APR-util 0.9.5
  • Guarantee and require default address alignment for block offsets within segments in the apr_rmm interface. PR 29873. [Joe Orton]
  • new feature: Restore support for SHA1 passwords in apr_validate_password. PR 17343. [Paul Querna <chip force-elite.com>]
  • Fix occasional crash in apr_rmm_realloc(). PR 22915. [Jay Shrauner <shrauner inktomi.com>]
  • Fix apr_dbm_exists() for sdbm when sizeof(int) != sizeof(size_t). [Joe Orton]
More information is available in bug #138612. The update also includes the patch from bug #210904.

Solution

Please install the updates provided at the location noted below.

Installation notes

This update is provided as an RPM package that can easily be installed onto a running system by using this command:
rpm -Fvh apache2.rpm apache2-worker.rpm apache2-perchild.rpm apache2-prefork.rpm apache2-leader.rpm apache2-metuxmpm.rpm apache2-devel.rpm apache2-doc.rpm apache2-example-pages.rpm libapr0.rpm

links to download packages

Download Source Packages

Download the source code of the patches for maintained products.


Disclaimer

The origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.

Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.
