Apache Web server updated to fix CVE-2016-8743

We’ve upgraded our Apache Web server software to fix the security bug CVE-2016-8743.

Customers should not notice any changes, with one exception: If you’ve written your own software, and that software contains certain bugs that haven’t previously been noticed, the update may cause the bugs to be more visible.

As an example, the update makes Apache refuse to serve a page if you’re using PHP code that outputs an invalid HTTP header. It would previously just ignore the header.

Consider this PHP code. It has a bug, which is that it includes an extra space after “Expires”:

header ("Expires : Thu, 01 Dec 1994 16:00:00 GMT");

The web server software would previously ignore that problem, but now it leads to this in the error logs:

Response header name 'Expires ' contains invalid characters, aborting request

Similarly, this code contains a space in the words “Last Modified”:

header("Last Modified: $time");

Which causes this:

Response header name 'Last Modified' contains invalid characters, aborting request

The correct header name in that example should be Last-Modified, with a hyphen. Spaces are never allowed in HTTP header names.
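One way to catch both mistakes above in your own code before the web server rejects the response. This is an added example, not code from the original post: the function names header_line_problem and checked_header are hypothetical, and the allowed character set is the "token" rule for field names from RFC 7230.

```php
<?php
// Added example: validate a header line before passing it to header().
// Field names may only use RFC 7230 "token" characters (no spaces, no colons).
const HEADER_NAME_RE = '/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/';

/** Returns null if $line is a well-formed header line, otherwise a reason. */
function header_line_problem(string $line): ?string
{
    // header() also accepts status lines such as "HTTP/1.1 404 Not Found".
    if (strncasecmp($line, 'HTTP/', 5) === 0) {
        return null;
    }
    $colon = strpos($line, ':');
    if ($colon === false) {
        return 'no colon separating name and value';
    }
    // Everything before the first colon is the name, trailing space included.
    $name = substr($line, 0, $colon);
    if (!preg_match(HEADER_NAME_RE, $name)) {
        return "invalid header name '$name'";
    }
    // A bare CR or LF inside the value also produces a malformed response.
    if (strpbrk(substr($line, $colon + 1), "\r\n") !== false) {
        return 'value contains CR or LF';
    }
    return null;
}

/** Hypothetical wrapper: log and skip a bad header instead of sending it. */
function checked_header(string $line): void
{
    $problem = header_line_problem($line);
    if ($problem !== null) {
        error_log("Refusing to send header: $problem");
        return;
    }
    header($line);
}

// Constructed sample input: the two buggy lines from this page and a fixed one.
$samples = [
    'Expires : Thu, 01 Dec 1994 16:00:00 GMT',
    'Last Modified: Thu, 01 Dec 1994 16:00:00 GMT',
    'Last-Modified: Thu, 01 Dec 1994 16:00:00 GMT',
];
foreach ($samples as $line) {
    echo $line, ' => ', header_line_problem($line) ?? 'ok', PHP_EOL;
}
```

Run from the command line, the loop only reports on the sample lines; nothing is sent until checked_header() is called in a real request.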

Other software bugs that this can make visible are the use of only carriage return characters, or only linefeed characters, in HTTP request headers (instead of using both CR and LF as the HTTP standard requires).

If anything related to this happens to you, let us know and we can help you track down and fix it.