Posted to cvs@httpd.apache.org by wr...@apache.org on 2017/07/06 20:39:39 UTC

svn commit: r20353 - /dev/httpd/Announcement2.2.html

Author: wrowe
Date: Thu Jul  6 20:39:39 2017
New Revision: 20353

Log:
Not sure how I clobbered this text, but here's its restoration.

Modified:
    dev/httpd/Announcement2.2.html

Modified: dev/httpd/Announcement2.2.html
==============================================================================
--- dev/httpd/Announcement2.2.html (original)
+++ dev/httpd/Announcement2.2.html Thu Jul  6 20:39:39 2017
@@ -0,0 +1,161 @@
+||||||| .r77536
+<!DOCTYPE html>
+<html>
+<head>
+<title>Apache HTTP Server Project</title>
+<style type="text/css">
+  body {
+    background: white;
+    color: #111111;
+    font-family: Arial, Helvetica, sans-serif;
+    font-size: 18px;
+    margin-left: auto;
+    margin-right: auto;
+    padding-left: 8px;
+    padding-right: 8px;
+    max-width: 45em;
+  }
+
+  a {
+    color: blue;
+  }
+
+  a:visited {
+    color: #000080;
+  }
+
+  a:active {
+    color: red;
+  }
+
+  div.banner {
+    background: rgb(48, 69, 88);
+    margin-top: -28px;
+    margin-bottom: 1.5em;
+    height: 28px;
+  }
+
+  p, ul {
+    line-height: 1.3em;
+  }
+
+  li {
+    margin-bottom: 0.4em;
+  }
+</style>
+</head>
+
+<body>
+<img src="httpd_logo_wide_new.png" alt="" />
+<div class="banner"></div>
+
+<h1>
+                       Apache HTTP Server 2.2.33 Released
+</h1>
+<p>
+   June 27, 2017
+</p>
+<p>
+   The Apache Software Foundation and the Apache HTTP Server Project are
+   pleased to announce the release of version 2.2.33 of the Apache HTTP
+   Server ("Apache"). This version of Apache is principally a security
+   and bug fix maintenance release, and addresses these specific security
+   defects as well as other fixes;
+</p>
+<ul>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7668">CVE-2017-7668</a>
+     The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+     bug in token list parsing, which allows ap_find_token() to search past
+     the end of its input string. By maliciously crafting a sequence of
+     request headers, an attacker may be able to cause a segmentation fault,
+     or to force ap_find_token() to return an incorrect value.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3169">CVE-2017-3169</a>
+     mod_ssl may dereference a NULL pointer when third-party modules call
+     ap_hook_process_connection() during an HTTP request to an HTTPS port.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167">CVE-2017-3167</a>
+     Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+     authentication phase may lead to authentication requirements being
+     bypassed.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679">CVE-2017-7679</a>
+     Enforce HTTP request grammar corresponding to RFC7230 for request.
+     mod_mime can read one byte past the end of a buffer when sending a
+     malicious Content-Type response header.
+</li>
+</ul>
+<p>
+   We consider the Apache HTTP Server 2.4 release to be the best version
+   of Apache available, and now insist users of 2.2 and all prior versions
+   must upgrade. This 2.2 maintenance release is offered for those unable
+   to upgrade at this time; no further 2.2 maintenance releases will occur.
+</p>
+<p>
+   Some few serious or critical patches may be published for users to adopt
+   on their own for the remainder of 2017, any such fixes will be published to
+   <a href="http://www.apache.org/dist/httpd/patches/apply_to_2.2.33/"
+      >http://www.apache.org/dist/httpd/patches/apply_to_2.2.33/</a>
+   - however, by the end of 2017, security issues will no longer be formally
+   evaluated by the HTTP Server project for implications to the 2.2 branch.
+   Users are strongly advised to complete their migration to 2.4 already
+   to benefit from a much larger assortment of minor security and bug fixes,
+   new features, and all security advisories and guidance beyond 2017.
+</p>
+<p>
+   For further details of the recommended release, see:
+</p>
+<dl>
+  <dd><a href="http://www.apache.org/dist/httpd/Announcement2.4.html"
+              >http://www.apache.org/dist/httpd/Announcement2.4.html</a></dd>
+</dl>
+<p>
+   Apache HTTP Server 2.4 and 2.2.33 are available for download from:
+</p>
+<dl>
+  <dd><a href="http://httpd.apache.org/download.cgi"
+              >http://httpd.apache.org/download.cgi</a></dd>
+</dl>
+<p>
+   Please see the CHANGES_2.2 file, linked from the download page, for a
+   full list of changes. A condensed list, CHANGES_2.2.33 includes only
+   those changes introduced since the prior 2.2 release. A summary of all 
+   of the security vulnerabilities addressed in this and earlier releases 
+   is available:
+</p>
+<dl>
+  <dd><a href="http://httpd.apache.org/security/vulnerabilities_22.html"
+              >http://httpd.apache.org/security/vulnerabilities_22.html</a>
+  </dd>
+</dl>
+<p>
+   This release includes the Apache Portable Runtime (APR) version 1.5.2
+   and APR Utility Library (APR-util) version 1.5.4, bundled with the tar
+   and zip distributions. The APR libraries libapr and libaprutil (and
+   on Win32, libapriconv version 1.2.1) must all be updated to ensure
+   binary compatibility and address many known security and platform bugs.
+   APR version 1.5 and APR-util version 1.5 represent minor version upgrades
+   from earlier httpd 2.2 source distributions.
+</p>
+<p>
+   Note this package also includes very stale and known-vulnerable versions
+   of the Expat [<a href="http://expat.sourceforge.net/"
+        >http://expat.sourceforge.net/</a>] and PCRE [<a
+        href="http://www.pcre.org/">http://www.pcre.org/</a>]
+   packages. Users are strongly encouraged to first install the most recent
+   versions of these components (of PCRE 8.x, not PCRE2 10.x at this time.)
+</p>
+<p>
+   This release builds on and extends the Apache 2.0 API and is superceeded
+   by the Apache 2.4 API. Modules written for Apache 2.0 or 2.4 will need
+   to be recompiled in order to run with Apache 2.2, and most will require
+   minimal or no source code changes.
+</p>
+<p>
+   When upgrading or installing this version of Apache, please bear in mind
+   that if you intend to use Apache with one of the threaded MPMs (other
+   than the Prefork MPM), you must ensure that any modules you will be
+   using (and the libraries they depend on) are thread-safe.
+</p>
+</body>
+</html>
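Review bot: the first added line of this hunk, `||||||| .r77536`, is a leftover svn three-way merge-conflict separator (the "original revision" marker that sits between the `<<<<<<< .mine` and `>>>>>>> .rNNNNN` blocks) and should not be committed; as written, it lands as literal text before `<!DOCTYPE html>`, so the published Announcement2.2.html would start with the marker rather than the doctype, and browsers would render it in quirks mode. Drop that line so the file begins with `<!DOCTYPE html>`. While touching the file, the paragraph starting "This release builds on and extends the Apache 2.0 API" spells "superseded" as "superceeded"; that is worth correcting in the same restoration since the whole file is being re-added here.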