Posted to cvs@httpd.apache.org by co...@apache.org on 2006/04/16 20:16:56 UTC

svn commit: r394533 - /httpd/httpd/dist/Announcement2.0.txt

Author: colm
Date: Sun Apr 16 11:16:53 2006
New Revision: 394533

URL: http://svn.apache.org/viewcvs?rev=394533&view=rev
Log:
Make a start on possible text for 2.0.56

Modified:
    httpd/httpd/dist/Announcement2.0.txt

Modified: httpd/httpd/dist/Announcement2.0.txt
URL: http://svn.apache.org/viewcvs/httpd/httpd/dist/Announcement2.0.txt?rev=394533&r1=394532&r2=394533&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement2.0.txt (original)
+++ httpd/httpd/dist/Announcement2.0.txt Sun Apr 16 11:16:53 2006
@@ -1,84 +1,52 @@
 
-                   Apache HTTP Server 2.0.55 Released
+                   Apache HTTP Server 2.0.56 Released
 
    The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the release of version 2.0.55 of the Apache HTTP
-   Server ("Apache").  This Announcement notes the significant changes
-   in 2.0.55 as compared to 2.0.54.  This Announcement2.0 document may 
-   also be available in multiple languages at:
+   pleased to announce the release of version 2.0.56 of the Apache HTTP
+   Server ("Apache").  This Announcement notes the significant changes in
+   2.0.56 as compared to 2.0.55.  This Announcement2.0 document may also be
+   available in multiple languages at:
 
         http://www.apache.org/dist/httpd/
 
-   This version of Apache is principally a security release.  The
-   following potential security flaws are addressed, the first three 
-   of which address several classes of HTTP Request and Response 
-   Splitting/Spoofing attacks;
+   This version of Apache is principally a bug and security fix release.
+   The following potential security flaws are addressed;
 
-   CAN-2005-2088 (cve.mitre.org)
+   CVE-2005-3357 (cve.mitre.org)
 
-     core: If a request contains both Transfer-Encoding and Content-Length
-     headers, remove the Content-Length.
+     mod_ssl: When configured with an SSL vhost with access control and a
+     custom error 400 error page, mod_ssl allows remote attackers to cause
+     a denial of service (application crash) via a non-SSL request to an
+     SSL port, which triggers a NULL pointer dereference.
 
-     proxy_http: Correctly handle the Transfer-Encoding and Content-Length
-     request headers.  Discard the request Content-Length whenever chunked
-     T-E is used, always passing one of either C-L or T-E chunked whenever 
-     the request includes a request body.
+   CVE-2005-3352 (cve.mitre.org)
 
-   Unassigned
-
-     proxy_http: If a response contains both Transfer-Encoding and a 
-     Content-Length, remove the Content-Length and don't reuse the
-     connection.
-
-   CAN-2005-2700 (cve.mitre.org)
-
-     mod_ssl: Fix a security issue where "SSLVerifyClient" was not
-     enforced in per-location context if "SSLVerifyClient optional"
-     was configured in the vhost configuration.
-
-   CAN-2005-2491 (cve.mitre.org)
- 
-     pcre: Fix integer overflows in PCRE in quantifier parsing which 
-     could be triggered by a local user through use of a carefully
-     crafted regex in an .htaccess file.
-
-   CAN-2005-2728 (cve.mitre.org)
-
-     Fix cases where the byterange filter would buffer responses
-     into memory.
-
-   CAN-2005-1268 (cve.mitre.org)
-
-     mod_ssl: Fix off-by-one overflow whilst printing CRL information
-     at "LogLevel debug" which could be triggered if configured 
-     to use a "malicious" CRL.
+     mod_imap: Cross-site scripting (XSS) vulnerability which allows remote
+     attackers to inject arbitrary web script or HTML via the Referer when
+     using image maps.
 
    The Apache HTTP Project thanks all of the reporters of these
    issues and vulnerabilities for the responsible reporting and
    thorough analysis of these vulnerabilities.
 
-   This release further addresses a number of cross-platform bugs,
-   as well as specific issues on OS/X 10.4, Win32, AIX, and across
-   all EBCDIC platforms, and adds compatibility with OpenSSL 0.9.8.
-
    This release is compatible with modules compiled for 2.0.42 and
    later versions.  We consider this release to be the best version
-   of Apache available and encourage users of all prior versions to
+   of Apache 2.0 available and encourage users of all prior versions to
    upgrade.
 
    This release includes the Apache Portable Runtime library suite
-   release version 0.9.7, bundled with the tar and zip distributions.
+   release version 0.9.12, bundled with the tar and zip distributions.
    These libraries; libapr, libaprutil, and on Win32, libapriconv must
    all be updated to ensure binary compatibility and address many
    known platform bugs.
 
-   Apache HTTP Server 2.0.55 is available for download from
+   Apache HTTP Server 2.0.56 is available for download from
 
      http://httpd.apache.org/download.cgi
 
    Please see the CHANGES_2.0 file, linked from the above page, for
-   a full list of changes.  A condensed list, CHANGES_2.0.55 provides
-   the complete list of changes since 2.0.54, including changes to 
+   a full list of changes.  A condensed list, CHANGES_2.0.56 provides
+   the complete list of changes since 2.0.55, including changes to 
    the APR suite of libraries.
 
    Apache 2.0 offers numerous enhancements, improvements, and performance
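Review bot: The list introducer "The following potential security flaws are addressed;" (the added line just before the CVE entries) should end with a colon rather than a semicolon, a typo carried over from the removed text; and in the CVE-2005-3357 entry "a custom error 400 error page" repeats "error", so "a custom error page for HTTP status 400" would read more cleanly. Separately, the removed paragraph "This release further addresses a number of cross-platform bugs ..." has no replacement, while the new opening describes 2.0.56 as "principally a bug and security fix release"; a one-line summary of the non-security fixes would keep the two statements consistent.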