Published 2014-07-20 00:32:23 | 573 views | Comments: 0 | Source: user submission
Apache Web Server
Apache is the world's most widely used web server software. It runs on almost every widely used computing platform, and thanks to its cross-platform support and security it is widely deployed and is the most popular web server software.
Apache 2.4.10 has been released. This version fixes several security vulnerabilities; new features include Proxy FCGI and websocket improvements, Unix Domain Socket support for mod_proxy backends, and mod_lua and mod_ssl enhancements.
Fixed bugs include:
CVE-2014-0117 mod_proxy: Fix crash in Connection header handling which allowed a denial of service attack against a reverse proxy with a threaded MPM.
CVE-2014-3523 Fix a memory consumption denial of service in the WinNT MPM (used in all Windows installations). Workaround: AcceptFilter {none|connect}
CVE-2014-0226 Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow.
CVE-2014-0118 mod_deflate: The DEFLATE input filter (inflates request bodies) now limits the length and compression ratio of inflated request bodies to avoid denial of service via highly compressed bodies. See directives DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst.
CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes filling up the scoreboard and eventually hanging the server. By default, the client I/O timeout (Timeout directive) now applies to communication with scripts. The CGIDScriptTimeout directive can be used to set a different timeout for communication with scripts.
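The directives named in the fixes above, collected into one httpd.conf fragment as an added example (not part of the original announcement). The numeric values are assumptions chosen for illustration; tune them to the request sizes your site actually serves.

```apache
# Added example: applying the 2.4.10 mitigation directives in httpd.conf.
# Values below are illustrative assumptions, not Apache defaults or recommendations from the release notes.

# CVE-2014-0118: bound what the DEFLATE input filter will inflate.
<IfModule mod_deflate.c>
    # Only relevant where request bodies are being inflated.
    SetInputFilter DEFLATE
    # Cap the inflated body size (bytes); here 10 MiB.
    DeflateInflateLimitRequestBody 10485760
    # Reject bodies whose inflated/compressed ratio exceeds this limit...
    DeflateInflateRatioLimit 200
    # ...for more than this many consecutive checks.
    DeflateInflateRatioBurst 3
</IfModule>

# CVE-2014-0231: do not let scripts that never read stdin hold a child forever.
<IfModule mod_cgid.c>
    # Seconds to wait for script I/O; overrides the global Timeout for scripts only.
    CGIDScriptTimeout 60
</IfModule>

# CVE-2014-3523: workaround listed for the WinNT MPM on builds before 2.4.10.
<IfModule mpm_winnt_module>
    AcceptFilter http none
    AcceptFilter https none
</IfModule>
```

Verify the result with `httpd -t` (configuration syntax check) before reloading; `httpd -M` lists which of the three modules are actually loaded so that the guarded blocks take effect.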
New features:
Proxy FCGI and websockets improvements
Proxy capability via handler
Finer control over scoping of RewriteRules
Unix Domain Socket (UDS) support for mod_proxy backends.
Support for larger shared memory sizes for mod_socache_shmcb
mod_lua and mod_ssl enhancements
Support named groups and backreferences within the LocationMatch, DirectoryMatch, FilesMatch and ProxyMatch directives.