Errata: Pound


Last-Modified: 2004-03-30

What is Pound?

Pound is an HTTP/1.1 reverse proxy and load balancer. It is a small, simple program, and its performance and stability depend on the OpenSSL and pthread libraries.


Latest version

Latest stable version of Pound is v1.7.

* Pound-1.7

Changes in this version:

- Fixed bug in X-SSL-CIPHER description: the description no longer
  causes problems by breaking the request
- Changed README to stx format for consistency
- Added X-SSL-certificate with full client certificate contents
- changed the old-style responses to support "streaming" mode. This
  should help especially OpenACS users:
- Improved the response times on HTTP/0.9 (content without 
  Content-length)
- Improved response granularity on above - using unbuffered BIO 
  functions now
- Fixed problem with IE/SSL (SSL_set_shutdown)
- Avoid error messages on premature EOF from client
- Fixed HeadRemove code so all headers are checked without exception
- Improved autoconf detection and fixed various compile-time problems
- Moved from select() to poll() in order to avoid limitations on the
  number of descriptors

* Pound-1.6

Changes in this version:

- Callback for RSA ephemeral keys:
    - generated in a separate thread
    - used if required
  this will allow certain versions of IE to work correctly with Pound/SSL.
- New X-SSL-cipher header encryption level/method
- Added CheckURL parameter in config file
    - perform syntax check only if value 1 (default 0)
- Allow for empty query/param strings in URL syntax
- Additional SSL engine loading code
- Added parameter for CA certificates
    - CA list is sent to client
- Verify client certificates up to given depth
- Fixed security vulnerability in syslog handling

The reason for this rather hasty announcement: a security vulnerability was brought to my attention (many thanks to Akira Higuchi). Everyone running any previous version should upgrade to 1.6 immediately - the vulnerability may allow a remote exploit. No exploits are currently known and none have been observed in the wild until now. The danger is minimised if you run Pound in a root jail and/or you run Pound as a non-root user.

Bug fixes and patches

Patches for the problems described below are provided here.

* Pound-1.7

There are some problems in Pound-1.7.

(1) hang problem - 2004.03.30

In the upgrade from Pound 1.6 to 1.7, poll() is no longer called correctly when Pound listens on both the HTTP and HTTPS ports. As a result, Pound appears to hang when it receives an HTTP request.

The problem occurs if pound.cfg contains a configuration such as the following:

### Listen HTTP and HTTPS port
ListenHTTP  *,80
ListenHTTPS *,443  /etc/pound/server.pem

The bug is in main() in "pound.c". The main loop checks the value of "polls[n].revents", but the variable "n" is also reused as a temporary inside that loop, so its value may already have been overwritten when the check is made.

Download patch

This patch corrects calling poll().

How to apply the patch

Save Pound-1.7-fix_poll.patch in the directory containing Pound-1.7.tgz, then run:

# wget http://namazu.org/~takesako/pound/Pound-1.7-fix_poll.patch
# tar zxvf Pound-1.7.tgz
# cd Pound-1.7
# patch -p1 < ../Pound-1.7-fix_poll.patch

* Pound-1.5

There are some problems in Pound-1.5.

(1) incorrect URL matching - 2003.10.21

In the upgrade from Pound 1.4 to 1.5, global directives controlling URL matching, such as 'CSsegment', 'CSparameter', 'CSqid', 'CSqval' and 'CSfragment', were added.

If you access URLs such as the following via Pound-1.5 (an empty query string, or an empty parameter after a trailing '&'), an error occurs.

  e.g.
  http://www.example.com/cgi-bin/printenv.cgi?
  http://www.example.com/cgi-bin/printenv.cgi?a=1&

It returns the following error message.

"501 Not Implemented"
This method may not be used. 

The bug is in check_URL() in "http.c".

Download patch

This patch corrects URL matching of check_URL().

How to apply the patch

Save Pound-1.5-fix_check_url.patch in the directory containing Pound-1.5.tgz, then run:

# wget http://namazu.org/~takesako/pound/Pound-1.5-fix_check_url.patch
# tar zxvf Pound-1.5.tgz
# cd Pound-1.5
# patch -p1 < ../Pound-1.5-fix_check_url.patch

Unit tests

This is a simple unit test program for the fixed check_URL().

# gcc -o t01-check_url t01-check_url.c 
# ./t01-check_url 
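The following is an added example and is neither Pound's own check_URL() nor the t01-check_url.c program above: a simplified URL syntax checker in C that, like the patched check_URL(), accepts an empty query ("...cgi?") and an empty pair after a trailing '&' ("a=1&") while still rejecting characters outside a fixed allowed set. The grammar and the allowed character set are assumptions made for illustration; Pound's CS* directives define their own.

```c
#include <ctype.h>
#include <string.h>

/* Allowed characters for segments, params, query ids/values and fragments.
 * Constructed for this example; not Pound's actual CS* character sets. */
static int ok_char(int c) {
    return c != '\0' && (isalnum(c) || strchr("-._~!$'()*+,:@%=&", c) != NULL);
}

/* Every byte in s[0..len) must be allowed; an empty run is fine. */
static int ok_run(const char *s, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (!ok_char((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Check /seg[;param]/...[?qid[=qval]&...][#fragment].
 * Returns 1 if the syntax is acceptable, 0 otherwise.  Unlike the unpatched
 * Pound 1.5 check_URL(), an empty query and empty '&'-separated pairs pass. */
int check_url(const char *url) {
    const char *f = strchr(url, '#');
    const char *q = strchr(url, '?');
    if (*url != '/') return 0;
    if (q && f && f < q) q = NULL;      /* a '?' inside the fragment is not a query */
    const char *path_end = q ? q : (f ? f : url + strlen(url));
    for (const char *s = url + 1; s < path_end; ) {        /* path segments */
        const char *e = memchr(s, '/', path_end - s);
        if (!e) e = path_end;
        const char *semi = memchr(s, ';', e - s);
        if (!ok_run(s, (semi ? semi : e) - s)) return 0;        /* segment */
        if (semi && !ok_run(semi + 1, e - semi - 1)) return 0;  /* ;param  */
        s = e + 1;
    }
    if (q) {                            /* query: zero or more qid[=qval] pairs */
        const char *end = f ? f : q + strlen(q);
        for (const char *s = q + 1; s < end; ) {
            const char *e = memchr(s, '&', end - s);
            if (!e) e = end;
            const char *eq = memchr(s, '=', e - s);
            if (!ok_run(s, (eq ? eq : e) - s)) return 0;         /* qid  */
            if (eq && !ok_run(eq + 1, e - eq - 1)) return 0;     /* qval */
            s = e + 1;
        }
    }
    if (f && !ok_run(f + 1, strlen(f + 1))) return 0;           /* fragment */
    return 1;
}
```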

Copyright (C) 2003-2004 Yoshinori TAKESAKO