Posted to cvs@httpd.apache.org by wr...@apache.org on 2011/05/21 21:15:49 UTC
svn commit: r325 - in /release/httpd: Announcement2.2.html
Announcement2.2.txt
Author: wrowe
Date: Sat May 21 19:15:48 2011
New Revision: 325
Log:
Announcement wording for tomorrow, tweaks welcomed
Modified:
release/httpd/Announcement2.2.html
release/httpd/Announcement2.2.txt
Modified: release/httpd/Announcement2.2.html
==============================================================================
--- release/httpd/Announcement2.2.html (original)
+++ release/httpd/Announcement2.2.html Sat May 21 19:15:48 2011
@@ -15,32 +15,40 @@
<img src="../../images/apache_sub.gif" alt="" />
<h1>
- Apache HTTP Server 2.2.18 Released
+ Apache HTTP Server 2.2.19 Released
</h1>
<p>
The Apache Software Foundation and the Apache HTTP Server Project are
- pleased to announce the release of version 2.2.18 of the Apache HTTP
+ pleased to announce the release of version 2.2.19 of the Apache HTTP
Server ("Apache"). This version of Apache is principally a bug fix
- release, and a security fix release of the APR 1.4.4 dependency;
+ release, correcting regressions in the httpd 2.2.18 package, the use
+ of that previous 2.2.18 package is discouraged due to these flaws;
</p>
<ul>
-<li>SECURITY: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419">CVE-2011-0419:</a>
- apr_fnmatch flaw leads to mod_autoindex remote DoS<br />
- Where mod_autoindex is enabled, and a directory indexed by
- mod_autoindex contained files with sufficiently long names,
- a carefully crafted request may cause excessive CPU usage
- Upgrading to APR 1.4.4, or setting the 'IgnoreClient' option
- of the 'IndexOptions' directive circumvents this risk.
+<li>SECURITY: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1928">CVE-2011-1928</a> (cve.mitre.org)
+ A fix in bundled APR 1.4.4 apr_fnmatch() to address
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419">CVE-2011-0419</a>
+ introduced a new vulnerability. httpd workers enter a hung state
+ (100% cpu utilization) after updating to APR 1.4.4. Upgrading to
+ APR 1.4.5 bundled with the httpd 2.2.19 package, or using APR 1.4.3
+ or prior with the 'IgnoreClient' option of the 'IndexOptions'
+ directive will circumvent both issues.
</li>
-
+<li>
+ httpd 2.2.18: The ap_unescape_url_keep2f() function signature was
+ inadvertantly changed. This breaks binary compatibility of a number
+ of third-party modules. This httpd-2.2.19 package restores the
+ function signature provided by 2.2.17 and prior.
+</li>
+</ul>
<p>
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
</p>
<p>
- Apache HTTP Server 2.2.18 is available for download from:
+ Apache HTTP Server 2.2.19 is available for download from:
</p>
<dl>
<dd><a href="http://httpd.apache.org/download.cgi"
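Review bot: "inadvertantly" in the new ap_unescape_url_keep2f() bullet is misspelled and should read "inadvertently". Two wording points in the same hunk: the added intro sentence "release, correcting regressions in the httpd 2.2.18 package, the use of that previous 2.2.18 package is discouraged due to these flaws;" is a comma splice and reads better as "release, correcting regressions in the httpd 2.2.18 package; use of the 2.2.18 package is discouraged due to these flaws.", and the new SECURITY item runs its heading straight into the body ("CVE-2011-1928</a> (cve.mitre.org) A fix in bundled APR 1.4.4 ...") where the removed CVE-2011-0419 entry had a `<br />` after the CVE line, so restore the line break or add a colon. The replaced text also said where the flaw is reached (mod_autoindex, a directory listing with long file names, a crafted request), while the new CVE-2011-1928 text only says workers hang after updating to APR 1.4.4; since the suggested workaround is an IndexOptions setting, state explicitly that the hang is triggered through mod_autoindex so that readers who do not load that module can judge their exposure.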
@@ -49,7 +57,7 @@
<p>
Please see the CHANGES_2.2 file, linked from the download page, for a
- full list of changes. A condensed list, CHANGES_2.2.18 provides the
+ full list of changes. A condensed list, CHANGES_2.2.19 provides the
complete list of changes since 2.2.17. A summary of all of the security
vulnerabilities addressed in this and earlier releases is available:
</p>
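Review bot: the unchanged context line "complete list of changes since 2.2.17" directly after the renamed CHANGES_2.2.19 needs checking. The hunk above states that 2.2.18 shipped between 2.2.17 and 2.2.19, so a condensed list for 2.2.19 would normally cover changes since 2.2.18; if the condensed file really does reach back to 2.2.17, the sentence should say so deliberately rather than by leaving the 2.2.18 wording in place.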
Modified: release/httpd/Announcement2.2.txt
==============================================================================
--- release/httpd/Announcement2.2.txt (original)
+++ release/httpd/Announcement2.2.txt Sat May 21 19:15:48 2011
@@ -1,27 +1,33 @@
- Apache HTTP Server 2.2.18 Released
+ Apache HTTP Server 2.2.19 Released
The Apache Software Foundation and the Apache HTTP Server Project are
- pleased to announce the release of version 2.2.18 of the Apache HTTP
+ pleased to announce the release of version 2.2.19 of the Apache HTTP
Server ("Apache"). This version of Apache is principally a bug fix
- release, and a security fix release of the APR 1.4.4 dependency;
+ release, correcting regressions in the httpd 2.2.18 package, the use
+ of that previous 2.2.18 package is discouraged due to these flaws;
- * SECURITY: CVE-2011-0419 (cve.mitre.org)
- apr_fnmatch flaw leads to mod_autoindex remote DoS
- Where mod_autoindex is enabled, and a directory indexed by
- mod_autoindex contained files with sufficiently long names,
- a carefully crafted request may cause excessive CPU usage
- Upgrading to APR 1.4.4, or setting the 'IgnoreClient' option
- of the 'IndexOptions' directive circumvents this risk.
+ * SECURITY: CVE-2011-1928 (cve.mitre.org)
+ A fix in bundled APR 1.4.4 apr_fnmatch() to address CVE-2011-0419
+ introduced a new vulnerability. httpd workers enter a hung state
+ (100% cpu utilization) after updating to APR 1.4.4. Upgrading to
+ APR 1.4.5 bundled with the httpd 2.2.19 package, or using APR 1.4.3
+ or prior with the 'IgnoreClient' option of the 'IndexOptions'
+ directive will circumvent both issues.
+
+ * httpd 2.2.18: The ap_unescape_url_keep2f() function signature was
+ inadvertantly changed. This breaks binary compatibility of a number
+ of third-party modules. This httpd-2.2.19 package restores the
+ function signature provided by 2.2.17 and prior.
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
- Apache HTTP Server 2.2.18 is available for download from:
+ Apache HTTP Server 2.2.19 is available for download from:
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.2 file, linked from the download page, for a
- full list of changes. A condensed list, CHANGES_2.2.18 provides the
+ full list of changes. A condensed list, CHANGES_2.2.19 provides the
complete list of changes since 2.2.17. A summary of all of the security
vulnerabilities addressed in this and earlier releases is available:
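Review bot: "inadvertantly" in the ap_unescape_url_keep2f() bullet should be "inadvertently". The added intro sentence "release, correcting regressions in the httpd 2.2.18 package, the use of that previous 2.2.18 package is discouraged due to these flaws;" is a comma splice and wants a semicolon or a new sentence after "package". The CVE-2011-1928 item drops the precondition that the removed CVE-2011-0419 paragraph spelled out (mod_autoindex listing a directory with long file names, crafted request); since the workaround offered is the 'IgnoreClient' option of 'IndexOptions', say explicitly that the hang is reached through mod_autoindex. Finally, the unchanged "complete list of changes since 2.2.17" sits next to the renamed CHANGES_2.2.19 and should be re-checked, as a condensed list for 2.2.19 would be expected to start at 2.2.18. Whatever wording is chosen, keep this .txt file in step with Announcement2.2.html so the mailed and web versions match.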