Posted to cvs@httpd.apache.org by co...@apache.org on 2006/04/16 20:16:56 UTC
svn commit: r394533 - /httpd/httpd/dist/Announcement2.0.txt
Author: colm
Date: Sun Apr 16 11:16:53 2006
New Revision: 394533
URL: http://svn.apache.org/viewcvs?rev=394533&view=rev
Log:
Make a start on possible text for 2.0.56
Modified:
httpd/httpd/dist/Announcement2.0.txt
Modified: httpd/httpd/dist/Announcement2.0.txt
URL: http://svn.apache.org/viewcvs/httpd/httpd/dist/Announcement2.0.txt?rev=394533&r1=394532&r2=394533&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement2.0.txt (original)
+++ httpd/httpd/dist/Announcement2.0.txt Sun Apr 16 11:16:53 2006
@@ -1,84 +1,52 @@
- Apache HTTP Server 2.0.55 Released
+ Apache HTTP Server 2.0.56 Released
The Apache Software Foundation and the Apache HTTP Server Project are
- pleased to announce the release of version 2.0.55 of the Apache HTTP
- Server ("Apache"). This Announcement notes the significant changes
- in 2.0.55 as compared to 2.0.54. This Announcement2.0 document may
- also be available in multiple languages at:
+ pleased to announce the release of version 2.0.56 of the Apache HTTP
+ Server ("Apache"). This Announcement notes the significant changes in
+ 2.0.56 as compared to 2.0.55. This Announcement2.0 document may also be
+ available in multiple languages at:
http://www.apache.org/dist/httpd/
- This version of Apache is principally a security release. The
- following potential security flaws are addressed, the first three
- of which address several classes of HTTP Request and Response
- Splitting/Spoofing attacks;
+ This version of Apache is principally a bug and security fix release.
+ The following potential security flaws are addressed;
- CAN-2005-2088 (cve.mitre.org)
+ CVE-2005-3357 (cve.mitre.org)
- core: If a request contains both Transfer-Encoding and Content-Length
- headers, remove the Content-Length.
+ mod_ssl: When configured with an SSL vhost with access control and a
+ custom error 400 error page, mod_ssl allows remote attackers to cause
+ a denial of service (application crash) via a non-SSL request to an
+ SSL port, which triggers a NULL pointer dereference.
- proxy_http: Correctly handle the Transfer-Encoding and Content-Length
- request headers. Discard the request Content-Length whenever chunked
- T-E is used, always passing one of either C-L or T-E chunked whenever
- the request includes a request body.
+ CVE-2005-3352 (cve.mitre.org)
- Unassigned
-
- proxy_http: If a response contains both Transfer-Encoding and a
- Content-Length, remove the Content-Length and don't reuse the
- connection.
-
- CAN-2005-2700 (cve.mitre.org)
-
- mod_ssl: Fix a security issue where "SSLVerifyClient" was not
- enforced in per-location context if "SSLVerifyClient optional"
- was configured in the vhost configuration.
-
- CAN-2005-2491 (cve.mitre.org)
-
- pcre: Fix integer overflows in PCRE in quantifier parsing which
- could be triggered by a local user through use of a carefully
- crafted regex in an .htaccess file.
-
- CAN-2005-2728 (cve.mitre.org)
-
- Fix cases where the byterange filter would buffer responses
- into memory.
-
- CAN-2005-1268 (cve.mitre.org)
-
- mod_ssl: Fix off-by-one overflow whilst printing CRL information
- at "LogLevel debug" which could be triggered if configured
- to use a "malicious" CRL.
+ mod_imap: Cross-site scripting (XSS) vulnerability which allows remote
+ attackers to inject arbitrary web script or HTML via the Referer when
+ using image maps.
The Apache HTTP Project thanks all of the reporters of these
issues and vulnerabilities for the responsible reporting and
thorough analysis of these vulnerabilities.
- This release further addresses a number of cross-platform bugs,
- as well as specific issues on OS/X 10.4, Win32, AIX, and across
- all EBCDIC platforms, and adds compatibility with OpenSSL 0.9.8.
-
This release is compatible with modules compiled for 2.0.42 and
later versions. We consider this release to be the best version
- of Apache available and encourage users of all prior versions to
+ of Apache 2.0 available and encourage users of all prior versions to
upgrade.
This release includes the Apache Portable Runtime library suite
- release version 0.9.7, bundled with the tar and zip distributions.
+ release version 0.9.12, bundled with the tar and zip distributions.
These libraries; libapr, libaprutil, and on Win32, libapriconv must
all be updated to ensure binary compatibility and address many
known platform bugs.
- Apache HTTP Server 2.0.55 is available for download from
+ Apache HTTP Server 2.0.56 is available for download from
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.0 file, linked from the above page, for
- a full list of changes. A condensed list, CHANGES_2.0.55 provides
- the complete list of changes since 2.0.54, including changes to
+ a full list of changes. A condensed list, CHANGES_2.0.56 provides
+ the complete list of changes since 2.0.55, including changes to
the APR suite of libraries.
Apache 2.0 offers numerous enhancements, improvements, and performance
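Review bot: the rewritten intro line `+ This version of Apache is principally a bug and security fix release.` now promises bug fixes, but the only paragraph that summarised them (`- This release further addresses a number of cross-platform bugs,` and its two following lines) is deleted with nothing in its place, so the non-security half of 2.0.56 is never described; either add a replacement sentence for this release or drop "bug and" from the intro. Two wording points in the same hunk: `+ The following potential security flaws are addressed;` should end with a colon rather than a semicolon, and "custom error 400 error page" in the CVE-2005-3357 entry reads better as "custom 400 error page".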