Two denial of service attacks were found in the Apache 2.0 code this week - both concerned with memory usage when sending large requests. The first was that the server did not respect the maximum header field length, and would consume memory indefinitely while reading a header line. A fix for this was quickly checked in. The second problem remains unconfirmed; using an httpd.conf from an old installation of 2.0 with the current code can cause a GET request with a large body to leak memory. Neither of these problems is known to affect Apache 1.3.

The 2.0 tree was tagged for a 2.0.27 release, and the live server at apache.org was updated to this code from the CVS snapshot it was running previously. The snapshot had been live for a week without any significant problems. The group indicated that after the 2.0.27 code had been running for three days, a public release would be made (barring any problems).

A decision was taken recently to move the SSL configuration directives out of the default httpd.conf (as in an Apache 1.3/mod_ssl installation) into a separate file, ssl.conf, to simplify administration of the plethora of directives for this module. This file has now been populated with the default configuration from mod_ssl 2.8.

The link for this article located at ApacheWeek is no longer available.