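Source: http://www.hengtaiboyuan.com Author: 恒泰博远 (Hengtai Boyuan) Date: 2014-07-20
Apache 2.4.10 has been released. This version fixes several security vulnerabilities. New features include proxy FCGI and websocket improvements, Unix Domain Socket support for mod_proxy backends, and mod_lua and mod_ssl enhancements.
Fixed bugs include: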
CVE-2014-0117 mod_proxy: Fix crash in Connection header handling which allowed a denial of service attack against a reverse proxy with a threaded MPM.

CVE-2014-3523 Fix a memory consumption denial of service in the WinNT MPM (used in all Windows installations). Workaround: AcceptFilter {none|connect}

CVE-2014-0226 Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow.

CVE-2014-0118 mod_deflate: The DEFLATE input filter (inflates request bodies) now limits the length and compression ratio of inflated request bodies to avoid denial of service via highly compressed bodies. See directives DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst.
CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes filling up the scoreboard and eventually hanging the server. By default, the client I/O timeout (Timeout directive) now applies to communication with scripts. The CGIDScriptTimeout directive can be used to set a different timeout for communication with scripts.
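
The length and ratio limits described in the CVE-2014-0118 entry can be illustrated with a small bounded decompressor. This is an added Python sketch of the idea, not mod_deflate's code; the function name, parameter names, limit values and sample bodies are all assumptions constructed for the example.

```python
import zlib

class InflateLimitExceeded(Exception):
    """The body broke the size or ratio policy and must be rejected."""

def bounded_inflate(body, max_out=1_000_000, ratio_limit=200,
                    ratio_burst=3, chunk=4096):
    """Inflate a gzip/zlib request body under length and ratio limits.

    All parameter names and default values are assumptions of this sketch.
    """
    d = zlib.decompressobj(wbits=47)      # 47 = auto-detect gzip or zlib header
    consumed = produced = ratio_hits = 0
    out = bytearray()
    for off in range(0, len(body), chunk):
        pending = body[off:off + chunk]
        consumed += len(pending)
        while True:
            # max_length=chunk: never materialise more than `chunk` bytes per step
            block = d.decompress(pending, chunk)
            pending = d.unconsumed_tail
            if not block:
                break
            produced += len(block)
            if produced > max_out:
                raise InflateLimitExceeded("length limit")
            if produced > ratio_limit * consumed:
                ratio_hits += 1           # tolerate short bursts, then reject
                if ratio_hits > ratio_burst:
                    raise InflateLimitExceeded("ratio limit")
            out += block
    return bytes(out)

# Constructed sample inputs: an ordinary form body and a highly compressed one.
FORM_BODY = zlib.compress(b"user=alice&action=save&" * 20)
ZEROS_BODY = zlib.compress(b"\0" * 10_000_000)   # roughly 1000:1 ratio

def verdict(body, **limits):
    """Return a short accept/reject string for a compressed body."""
    try:
        return "accepted %d bytes" % len(bounded_inflate(body, **limits))
    except InflateLimitExceeded as exc:
        return "rejected: %s" % exc

if __name__ == "__main__":
    print(verdict(FORM_BODY))
    print(verdict(ZEROS_BODY))
    print(verdict(ZEROS_BODY, max_out=100_000, ratio_limit=10**6))
```

Because output is produced in bounded steps and checked after each one, the oversized body is rejected after well under 1 MB has been inflated rather than after all 10 MB.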

New features:
Proxy FCGI and websockets improvements
Proxy capability via handler
Finer control over scoping of RewriteRules
Unix Domain Socket (UDS) support for mod_proxy backends.
Support for larger shared memory sizes for mod_socache_shmcb
mod_lua and mod_ssl enhancements
Support named groups and backreferences within the LocationMatch, DirectoryMatch, FilesMatch and ProxyMatch directives.