Apache HTTP Server 2.1.6-alpha Released

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 2.1.6-alpha of the Apache
HTTP Server ("Apache"). This alpha release should not be presumed to
be compatible with binaries built against any prior or future version.

The 2.1.6-alpha release addresses a security vulnerability present
in all previous 2.x versions. This fault did not affect Apache 1.3.x
(which did not proxy keepalives or chunked transfer encoding):

Proxy HTTP: If a response contains both Transfer-Encoding
and a Content-Length, remove the Content-Length to eliminate
an HTTP Request Smuggling vulnerability and don't reuse the
connection, stopping some HTTP Request Spoofing attacks.

The Apache HTTP Server Project thanks the Watchfire team of Linhart,
Klein, Heled and Orrin for the responsible notification and disclosure
of this information.

Apache HTTP Server 2.1.6-alpha is available for download from:

Please see the CHANGES_2.1 file, linked from the above page, for a full
list of changes.

Apache 2.1 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features
introduced after 2.0 please see:
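
The proxy rule quoted from the CHANGES entry above, as an added C example that is not part of the announcement or of Apache's source. The `struct resp` header list, the function names and the sample response are assumptions made for illustration.

```c
#include <stdio.h>
#include <strings.h>

/* Hypothetical header list for this example (not Apache's own tables). */
struct hdr { const char *name, *value; };
struct resp {
    struct hdr h[8];
    int n;           /* number of headers in use */
    int keepalive;   /* 1 = backend connection may be reused */
};

/* Index of the first header with this name (case-insensitive), or -1. */
static int find_hdr(const struct resp *r, const char *name) {
    for (int i = 0; i < r->n; i++)
        if (strcasecmp(r->h[i].name, name) == 0) return i;
    return -1;
}

/* Remove every header with this name, compacting the list in place. */
static void drop_hdr(struct resp *r, const char *name) {
    int out = 0;
    for (int i = 0; i < r->n; i++)
        if (strcasecmp(r->h[i].name, name) != 0) r->h[out++] = r->h[i];
    r->n = out;
}

/* The rule from the announcement: a response carrying both
 * Transfer-Encoding and Content-Length loses its Content-Length, and the
 * connection is not reused. Returns 1 if the response was sanitized. */
int sanitize_proxy_response(struct resp *r) {
    if (find_hdr(r, "Transfer-Encoding") < 0 || find_hdr(r, "Content-Length") < 0)
        return 0;
    drop_hdr(r, "Content-Length");   /* all copies, any letter case */
    r->keepalive = 0;
    return 1;
}

/* Constructed sample: conflicting framing headers, one in lower case. */
struct resp sample_ambiguous(void) {
    struct resp r = { { {"Content-Type", "text/html"}, {"content-length", "10"},
                        {"Transfer-Encoding", "chunked"}, {"Content-Length", "0"} }, 4, 1 };
    return r;
}

int main(void) {
    struct resp r = sample_ambiguous();
    int changed = sanitize_proxy_response(&r);
    printf("sanitized=%d headers=%d keepalive=%d\n", changed, r.n, r.keepalive);
    return 0;
}
```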