Apache HTTP Server 1.3.34 Released
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 1.3.34 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 1.3.34 as compared to 1.3.33. This Announcement1.3 document may also be available in multiple languages at:
http://www.apache.org/dist/httpd/
This version of Apache is principally a bug and security fix release. A partial summary of the bug fixes is given at the end of this document. A full listing of changes can be found in the CHANGES file. Of particular note is that 1.3.34 addresses and fixes 2 potential security issues:
If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks.
Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method.
We consider Apache 1.3.34 to be the best version of Apache 1.3 available and we strongly recommend that users of older versions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible. No further releases will be made in the 1.2.x family.
Apache 1.3.34 is available for download from
http://httpd.apache.org/download.cgi
Binary distributions are available from
http://www.apache.org/dist/httpd/binaries/
This service utilizes the network of mirrors listed at:
http://www.apache.org/mirrors/