Posted to cvs@httpd.apache.org by wr...@apache.org on 2017/07/06 20:39:39 UTC
svn commit: r20353 - /dev/httpd/Announcement2.2.html
Author: wrowe
Date: Thu Jul 6 20:39:39 2017
New Revision: 20353
Log:
Not sure how I clobbered this text, but here's its restoration.
Modified:
dev/httpd/Announcement2.2.html
Modified: dev/httpd/Announcement2.2.html
==============================================================================
--- dev/httpd/Announcement2.2.html (original)
+++ dev/httpd/Announcement2.2.html Thu Jul 6 20:39:39 2017
@@ -0,0 +1,161 @@
+||||||| .r77536
+<!DOCTYPE html>
+<html>
+<head>
+<title>Apache HTTP Server Project</title>
+<style type="text/css">
+ body {
+ background: white;
+ color: #111111;
+ font-family: Arial, Helvetica, sans-serif;
+ font-size: 18px;
+ margin-left: auto;
+ margin-right: auto;
+ padding-left: 8px;
+ padding-right: 8px;
+ max-width: 45em;
+ }
+
+ a {
+ color: blue;
+ }
+
+ a:visited {
+ color: #000080;
+ }
+
+ a:active {
+ color: red;
+ }
+
+ div.banner {
+ background: rgb(48, 69, 88);
+ margin-top: -28px;
+ margin-bottom: 1.5em;
+ height: 28px;
+ }
+
+ p, ul {
+ line-height: 1.3em;
+ }
+
+ li {
+ margin-bottom: 0.4em;
+ }
+</style>
+</head>
+
+<body>
+<img src="httpd_logo_wide_new.png" alt="" />
+<div class="banner"></div>
+
+<h1>
+ Apache HTTP Server 2.2.33 Released
+</h1>
+<p>
+ June 27, 2017
+</p>
+<p>
+ The Apache Software Foundation and the Apache HTTP Server Project are
+ pleased to announce the release of version 2.2.33 of the Apache HTTP
+ Server ("Apache"). This version of Apache is principally a security
+ and bug fix maintenance release, and addresses these specific security
+ defects as well as other fixes;
+</p>
+<ul>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7668">CVE-2017-7668</a>
+ The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+ bug in token list parsing, which allows ap_find_token() to search past
+ the end of its input string. By maliciously crafting a sequence of
+ request headers, an attacker may be able to cause a segmentation fault,
+ or to force ap_find_token() to return an incorrect value.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3169">CVE-2017-3169</a>
+ mod_ssl may dereference a NULL pointer when third-party modules call
+ ap_hook_process_connection() during an HTTP request to an HTTPS port.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167">CVE-2017-3167</a>
+ Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+ authentication phase may lead to authentication requirements being
+ bypassed.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679">CVE-2017-7679</a>
+ Enforce HTTP request grammar corresponding to RFC7230 for request.
+ mod_mime can read one byte past the end of a buffer when sending a
+ malicious Content-Type response header.
+</li>
+</ul>
+<p>
+ We consider the Apache HTTP Server 2.4 release to be the best version
+ of Apache available, and now insist users of 2.2 and all prior versions
+ must upgrade. This 2.2 maintenance release is offered for those unable
+ to upgrade at this time; no further 2.2 maintenance releases will occur.
+</p>
+<p>
+ Some few serious or critical patches may be published for users to adopt
+ on their own for the remainder of 2017, any such fixes will be published to
+ <a href="http://www.apache.org/dist/httpd/patches/apply_to_2.2.33/"
+ >http://www.apache.org/dist/httpd/patches/apply_to_2.2.33/</a>
+ - however, by the end of 2017, security issues will no longer be formally
+ evaluated by the HTTP Server project for implications to the 2.2 branch.
+ Users are strongly advised to complete their migration to 2.4 already
+ to benefit from a much larger assortment of minor security and bug fixes,
+ new features, and all security advisories and guidance beyond 2017.
+</p>
+<p>
+ For further details of the recommended release, see:
+</p>
+<dl>
+ <dd><a href="http://www.apache.org/dist/httpd/Announcement2.4.html"
+ >http://www.apache.org/dist/httpd/Announcement2.4.html</a></dd>
+</dl>
+<p>
+ Apache HTTP Server 2.4 and 2.2.33 are available for download from:
+</p>
+<dl>
+ <dd><a href="http://httpd.apache.org/download.cgi"
+ >http://httpd.apache.org/download.cgi</a></dd>
+</dl>
+<p>
+ Please see the CHANGES_2.2 file, linked from the download page, for a
+ full list of changes. A condensed list, CHANGES_2.2.33 includes only
+ those changes introduced since the prior 2.2 release. A summary of all
+ of the security vulnerabilities addressed in this and earlier releases
+ is available:
+</p>
+<dl>
+ <dd><a href="http://httpd.apache.org/security/vulnerabilities_22.html"
+ >http://httpd.apache.org/security/vulnerabilities_22.html</a>
+ </dd>
+</dl>
+<p>
+ This release includes the Apache Portable Runtime (APR) version 1.5.2
+ and APR Utility Library (APR-util) version 1.5.4, bundled with the tar
+ and zip distributions. The APR libraries libapr and libaprutil (and
+ on Win32, libapriconv version 1.2.1) must all be updated to ensure
+ binary compatibility and address many known security and platform bugs.
+ APR version 1.5 and APR-util version 1.5 represent minor version upgrades
+ from earlier httpd 2.2 source distributions.
+</p>
+<p>
+ Note this package also includes very stale and known-vulnerable versions
+ of the Expat [<a href="http://expat.sourceforge.net/"
+ >http://expat.sourceforge.net/</a>] and PCRE [<a
+ href="http://www.pcre.org/">http://www.pcre.org/</a>]
+ packages. Users are strongly encouraged to first install the most recent
+ versions of these components (of PCRE 8.x, not PCRE2 10.x at this time.)
+</p>
+<p>
+ This release builds on and extends the Apache 2.0 API and is superceeded
+ by the Apache 2.4 API. Modules written for Apache 2.0 or 2.4 will need
+ to be recompiled in order to run with Apache 2.2, and most will require
+ minimal or no source code changes.
+</p>
+<p>
+ When upgrading or installing this version of Apache, please bear in mind
+ that if you intend to use Apache with one of the threaded MPMs (other
+ than the Prefork MPM), you must ensure that any modules you will be
+ using (and the libraries they depend on) are thread-safe.
+</p>
+</body>
+</html>
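Review bot: the first added line, `+||||||| .r77536`, is a leftover diff3-style merge-conflict marker (the "original" separator Subversion emits during a conflict), so the restored Announcement2.2.html now starts with that marker as literal page text ahead of `<!DOCTYPE html>`, and the DOCTYPE is no longer the first thing in the document; drop that line before this goes out. Two smaller points in the same hunk: "superceeded" in the paragraph about the Apache 2.0 API should be "superseded", and each `<dl>` block holds a `<dd>` with no accompanying `<dt>`, which HTML validators flag; a plain `<p>` or `<ul>` around those links would be cleaner.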