Slashdot Mirror


Apache httpd 2.0.51 Released

djh101010 writes "apache.org has announced version 2.0.51 of their webserver, which is a bug-fix (rather than a feature) release. There are 5 security vulnerabilities addressed by this release, so if you're using mod_ssl, IPv6, or a couple other things, it's worth taking a look at what was fixed."

2 of 15 comments

  1. mod_perl by embobo · Score: 4, Interesting

    Is mod_perl 2.0 ready for prime time yet? Last time I checked--a few months ago--the core was there but the mp 1.x emulation didn't work very well and some important modules, e.g., Apache::AuthCookie weren't ported yet. I went back to 1.x.

  2. Vuln list; is Apache 1.3 affected as well? by molo · Score: 5, Informative

    Here is the list of vulnerabilities. For more information (including a list of affected versions), see the Apache Week listing.

    Does anyone have any information about whether the mod_ssl DoS vuln affects Apache 1.3.x as well? Thanks. -molo


    An input validation issue in IPv6 literal address parsing which can result in a negative length parameter being passed to memcpy.
    [CAN-2004-0786]

    A buffer overflow in configuration file parsing could allow a local user to gain the privileges of a httpd child if the server can be forced to parse a carefully crafted .htaccess file.
    [CAN-2004-0747]

    A segfault in mod_ssl which can be triggered by a malicious remote server, if proxying to SSL servers has been configured.
    [CAN-2004-0751]

    A potential infinite loop in mod_ssl which could be triggered given particular timing of a connection abort.
    [CAN-2004-0748]

    A segfault in mod_dav_fs which can be remotely triggered by an indirect lock refresh request.
    [CAN-2004-0809]
    --
    Using your sig line to advertise for friends is lame.