Apache httpd 2.4.10 has been released. The release fixes several security vulnerabilities; new features include proxy FCGI and WebSocket improvements, Unix Domain Socket support for mod_proxy backends, and mod_lua and mod_ssl enhancements.
Fixed security bugs include:

CVE-2014-0117
mod_proxy: Fix crash in Connection header handling which allowed a denial of service attack against a reverse proxy with a threaded MPM.

CVE-2014-3523
Fix a memory consumption denial of service in the WinNT MPM (used in all Windows installations). Workaround: AcceptFilter {none|connect}

CVE-2014-0226
Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow. The scoreboard is what mod_status reports on, so a server that exposes a reachable status page on a threaded MPM is the configuration to check.

CVE-2014-0118
mod_deflate: The DEFLATE input filter (inflates request bodies) now limits the length and compression ratio of inflated request bodies to avoid denial of service via highly compressed bodies. See directives DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst. These limits only come into play where DEFLATE is configured as an input filter; it is not one by default.

CVE-2014-0231
mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes filling up the scoreboard and eventually hanging the server. By default, the client I/O timeout (Timeout directive) now applies to communication with scripts. The CGIDScriptTimeout directive can be used to set a different timeout for communication with scripts.
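The following httpd.conf fragment is an added example, not part of the release notes or of the httpd project itself, showing one way to apply the mitigations listed above. The /upload and /server-status locations, the socket-free limits chosen and the 10 MiB cap are illustrative values; the directive names and their defaults are those documented for 2.4.10.

```apache
# Added example (not from the release notes): applying the 2.4.10
# mitigations. Locations and limit values are illustrative choices.

# CVE-2014-0118: the inflate limits only act where DEFLATE is enabled as
# an *input* filter (it is not by default), so scope them to that location.
<Location "/upload">
    SetInputFilter DEFLATE
    # Cap on the inflated body in bytes (10 MiB here). Without it only the
    # generic LimitRequestBody applies to the inflated data.
    DeflateInflateLimitRequestBody 10485760
    # Abort when inflated/compressed exceeds this ratio (200 is the default)
    DeflateInflateRatioLimit 200
    # more than this many times while reading one body (3 is the default).
    DeflateInflateRatioBurst 3
</Location>

# CVE-2014-0231: Timeout now also bounds I/O with CGI scripts. Scripts that
# may never read stdin get a tighter limit than the client connection.
Timeout 60
<IfModule mod_cgid.c>
    CGIDScriptTimeout 20
</IfModule>

# CVE-2014-0226: the scoreboard is exposed through mod_status, so keep the
# status page off the public interface regardless of the fix.
<IfModule mod_status.c>
    <Location "/server-status">
        SetHandler server-status
        Require ip 127.0.0.1 ::1
    </Location>
</IfModule>

# CVE-2014-3523: WinNT MPM only. Workaround for hosts that cannot be
# upgraded yet; the Windows default for both protocols is "data".
<IfModule mpm_winnt_module>
    AcceptFilter http none
    AcceptFilter https none
</IfModule>
```

The AcceptFilter change is a stopgap, not a fix: it trades the vulnerable code path for slightly less efficient connection acceptance, and should be reverted once the host runs 2.4.10 or later.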
New features:

- Proxy FCGI and websockets improvements
- Proxy capability via handler
- Finer control over scoping of RewriteRules
- Unix Domain Socket (UDS) support for mod_proxy backends
- Support for larger shared memory sizes for mod_socache_shmcb
- mod_lua and mod_ssl enhancements
- Support named groups and backreferences within the LocationMatch, DirectoryMatch, FilesMatch and ProxyMatch directives
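As an added example (not from the release notes or the httpd project), the fragment below exercises three of the listed features together: a UDS backend for mod_proxy, proxying via SetHandler, and a named group in LocationMatch. The socket paths, the /app and /tenant prefixes and the X-Tenant header name are hypothetical; the MATCH_<NAME> environment variable naming follows the httpd documentation for these directives.

```apache
# Added example (not from the release notes). Socket paths, URL prefixes
# and the header name are hypothetical.

<IfModule mod_proxy.c>
    # Backend over a Unix domain socket: the application need not listen on
    # TCP at all, so nothing on the network can reach it directly, and file
    # permissions on the socket decide who may connect (the httpd user needs
    # read/write on it).
    ProxyPass "/app/" "unix:/run/app/backend.sock|http://localhost/app/"
    ProxyPassReverse "/app/" "http://localhost/app/"

    # Proxy via handler: hand .php files to a FastCGI daemon on a UDS
    # instead of matching URLs with ProxyPassMatch.
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/app-fpm.sock|fcgi://localhost/"
    </FilesMatch>
</IfModule>

# Named group in LocationMatch. The capture is exported to the environment
# as MATCH_TENANT (name upper-cased, MATCH_ prefix), so the backend receives
# a value httpd already validated against the pattern instead of re-parsing
# the URL. "set" overwrites any X-Tenant header the client sent.
<LocationMatch "^/tenant/(?<tenant>[a-z0-9]{1,32})/">
    RequestHeader set X-Tenant "%{MATCH_TENANT}e"
</LocationMatch>
```

The two UDS lines are the security-relevant part: the backend is reachable only through the filesystem, which is easier to restrict with ownership and mode bits than a TCP listener bound to localhost that every local user can still connect to.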