Update to 1.3.34. This is a security fix release, fix pkg/31868 by

Zafer Aydogan. Changes from 1.3.33:
  *) hsregex: fix potential core dumping on 64 bit machines, such as
     AMD64. PR 31858. [Glenn Strauss < gs-apache-dev gluelogic.com>]

  *) SECURITY: core: If a request contains both Transfer-Encoding and
     Content-Length headers, remove the Content-Length, mitigating some
     HTTP Request Splitting/Spoofing attacks.  This has no impact on
     mod_proxy_http, yet affects any module which supports chunked
     encoding yet fails to prefer T-E: chunked over the Content-Length
     purported value.  [Paul Querna, Joe Orton]

  *) Added TraceEnable [on|off|extended] per-server directive to alter
     the behavior of the TRACE method.  This addresses a flaw in proxy
     conformance to RFC 2616 - previously the proxy server would accept
     a TRACE request body although the RFC prohibited it.  The default
     remains 'TraceEnable on'.
     [William Rowe]

  *) mod_digest: Fix another nonce string calculation issue.
     [Eric Covener]

0 files changed, 0 insertions, 0 deletions