This evening, all Mr.Host web servers were upgraded to Apache 2.2.20.
This version is principally a security (CVE-2011-3192) and bugfix release.
Changes with Apache 2.2.20
- SECURITY: CVE-2011-3192 (cve.mitre.org) core: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file. PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
- mod_authnz_ldap: If the LDAP server returns constraint violation, don’t treat this as an error but as “auth denied”. [Stefan Fritsch]
- mod_filter: Fix FilterProvider conditions of type “resp=” (response headers) for CGI. [Joe Orton, Rainer Jung]
- mod_reqtimeout: Fix a timed out connection going into the keep-alive state after a timeout when discarding a request body. PR 51103. [Stefan Fritsch]
- core: Do the hook sorting earlier so that the hooks are properly sorted for the pre_config hook and during parsing the config. [Stefan Fritsch]
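
The rule stated in the CVE-2011-3192 entry above (if the ranges add up to more than the file, ignore them and send the whole file) can be sketched as follows. This is an added example, not code from Apache httpd or from Mr.Host; the function names range_sum and ignore_ranges are hypothetical, and treating a malformed header like an oversized one is an assumption of the example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Bytes selected by all ranges in a Range header for a file of flen bytes.
 * Returns -1 for a header it cannot parse; stops once the sum exceeds flen. */
long long range_sum(const char *hdr, long long flen)
{
    long long total = 0, first, last;
    const char *p;
    char *end;

    if (strncmp(hdr, "bytes=", 6) != 0) return -1;
    for (p = hdr + 6; *p; p = end) {
        while (*p == ' ' || *p == ',') p++;      /* skip list separators */
        if (!*p) break;
        if (*p == '-') {                         /* suffix form "-N": last N bytes */
            if (!isdigit((unsigned char)p[1])) return -1;
            first = strtoll(p + 1, &end, 10);    /* N, clamped to the file size */
            first = flen - (first > flen ? flen : first);
            last = flen - 1;
        } else {                                 /* "first-last" or "first-" */
            if (!isdigit((unsigned char)*p)) return -1;
            first = strtoll(p, &end, 10);
            if (*end++ != '-') return -1;
            last = flen - 1;                     /* open-ended: to end of file */
            if (isdigit((unsigned char)*end)) {
                long long v = strtoll(end, &end, 10);
                if (v < first) return -1;        /* last before first: invalid */
                if (v < last) last = v;          /* clamp to the file size */
            }
        }
        while (*end == ' ') end++;
        if (*end && *end != ',') return -1;
        if (first < flen) total += last - first + 1;  /* skip unsatisfiable ranges */
        if (total > flen) return total;          /* already over: no need to go on */
    }
    return total;
}

/* Changelog rule: sum larger than the file => send the complete file.
 * A malformed header is treated the same way here (assumption of this example). */
int ignore_ranges(const char *hdr, long long flen)
{
    long long sum = range_sum(hdr, flen);
    return sum < 0 || sum > flen;
}

/* Constructed input: two overlapping ranges on a 150-byte file; exits 0 if ignored. */
int main(void) { return !ignore_ranges("bytes=0-99, 50-149", 150); }
```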