Apache HTTP Server 1.3.42 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 1.3.42 of the Apache HTTP Server ("Apache"). This release is intended as the final release of version 1.3 of the Apache HTTP Server, which has reached end of life status.

There will be no more full releases of Apache HTTP Server 1.3. However, critical security updates may be made available from the following website:

http://www.apache.org/dist/httpd/patches/

Our thanks go to everyone who has helped make Apache HTTP Server 1.3 the most successful, and most used, webserver software on the planet!

This Announcement notes the significant changes in 1.3.42 as compared to 1.3.41.

This version of Apache is is principally a bug and security fix release. The following moderate security flaw has been addressed:

• CVE-2010-0010: mod_proxy: Prevent chunk-size integer overflow on platforms where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.

Please see the CHANGES_1.3.42 file in this directory for a full list of changes for this version.

Apache 1.3.42 is the final stable release of the Apache 1.3 family. We strongly recommend that users of all earlier versions, including 1.3 family releases, upgrade to to the current 2.2 version as soon as possible. For information about how to upgrade, please see the documentation:

http://httpd.apache.org/docs/2.2/upgrading.html

Apache 1.3.42 is available for download from

http://httpd.apache.org/download.cgi

Please see the CHANGES_1.3 file, linked from the above page, for a full list of changes. A condensed list, CHANGES_1.3.42 provides the complete list of changes since 1.3.41.

This service utilizes the network of mirrors listed at:

http://www.apache.org/mirrors/

Binary distributions may be available for your specific platform from

http://www.apache.org/dist/httpd/binaries/

Binaries distributed by the Apache HTTP Server Project are provided as a courtesy by individual project contributors. The project makes no commitment to release the Apache HTTP Server in binary form for any particular platform, nor on any particular schedule.

IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS variants. While the ports to non-Unix platforms (such as Win32, Netware or OS2) will function for some applications, Apache 1.3 is not designed for these platforms. Apache 2 was designed from the ground up for security, stability, or performance issues across all modern operating systems. Users of any non-Unix ports are strongly cautioned to move to Apache 2.

The Apache project no longer distributes non-Unix platform binaries from the main download pages for Apache 1.3. If absolutely necessary, a binary may be available at http://archive.apache.org/dist/httpd/.

Apache is the most popular web server in the known universe; over 2/3 of the servers on the Internet run Apache HTTP Server, or one of its variants.

Apache 1.3.42 Major changes

Security vulnerabilities

The main security vulnerabilities addressed in 1.3.42 are:

CVE-2010-0010 (cve.mitre.org)

mod_proxy: Prevent chunk-size integer overflow on platforms where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.

Bugs fixed

The following bugs were found in Apache 1.3.41 (or earlier) and have been fixed in Apache 1.3.42:

• Protect logresolve from mismanaged DNS records that return blank/null hostnames