Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > June 2005 > Apache HTTP Server 2.1.6-alpha Released

June 2005

Apache HTTP Server 2.1.6-alpha Released

ID: 00523
Ref: 483/2005
Date: 28 June 2005:14:45:07
Version: 1
Title: Apache HTTP Server 2.1.6-alpha Released
Abstract:
Vendors affected: Apache
Operating systems affected: Apache
Applications affected: Apache
Title
=====

Apache HTTP Server 2.1.6-alpha Released

Detail
======

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 2.1.6-alpha of the Apache
HTTP Server ("Apache"). This alpha release should not be presumed to
be compatible with binaries built against any prior or future version.




- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apache HTTP Server 2.1.6-alpha Released

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 2.1.6-alpha of the Apache
HTTP Server ("Apache"). This alpha release should not be presumed to
be compatible with binaries built against any prior or future version.

The 2.1.6-alpha release addresses a security vulnerability present
in all previous 2.x versions. This fault did not affect Apache 1.3.x
(which did not proxy keepalives or chunked transfer encoding);

Proxy HTTP: If a response contains both Transfer-Encoding
and a Content-Length, remove the Content-Length to eliminate
an HTTP Request Smuggling vulnerability and don't reuse the
connection, stopping some HTTP Request Spoofing attacks.

The Apache HTTP Server Project thanks the Watchfire team of Linhart,
Klein, Heled and Orrin for the responsible notification and disclosure
of this information.

Apache HTTP Server 2.1.6-alpha is available for download from:

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.1 file, linked from the above page, for a full
list of changes.

Apache 2.1 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features
introduced after 2.0 please see:

http://httpd.apache.org/docs-2.1/new_features_2_2.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCwKmC94h19kJyHwARAvBgAJ9yv/vSYThPd3+BA5axX5B6eKuC2QCfUqXm
zCsd3SPiLcSnSTDE0r1844I=
=G1cX
- -----END PGP SIGNATURE-----
  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |