Posted to cvs@httpd.apache.org by ji...@apache.org on 2004/05/11 14:43:50 UTC

cvs commit: httpd-site/xdocs index.xml

jim         2004/05/11 05:43:50

  Modified:    docs     index.html
               xdocs    index.xml
  Log:
  Getting more ready for 1.3.31
  
  Revision  Changes    Path
  1.74      +24 -13    httpd-site/docs/index.html
  
  Index: index.html
  ===================================================================
  RCS file: /home/cvs/httpd-site/docs/index.html,v
  retrieving revision 1.73
  retrieving revision 1.74
  diff -u -r1.73 -r1.74
  --- index.html	19 Mar 2004 21:51:20 -0000	1.73
  +++ index.html	11 May 2004 12:43:49 -0000	1.74
  @@ -94,21 +94,21 @@
              <table border="0" cellspacing="0" cellpadding="2" width="100%">
    <tr><td bgcolor="#525D76">
     <font color="#ffffff" face="arial,helvetica,sanserif">
  -   <a name="bugnotice"><strong>Important Bug Workaround for 2.0.48 and 1.3.29</strong></a>
  +   <a name="bugnotice"><strong>Important Bug Workaround for 2.0.48 and 1.3.31</strong></a>
     </font>
    </td></tr>
    <tr><td>
     <blockquote>
   <p>If you use mod_usertrack with the default
   <a href="http://httpd.apache.org/docs-2.0/mod/mod_usertrack.html#cookiename">CookieName</a> (ie, there is no CookieName directive in your config file), then
  -you will encounter a bug in 2.0.48 and 1.3.29.
  +you will encounter a bug in 2.0.48 and 1.3.31.
   </p>
   <p>The patch that was added to these versions to help prevent false-positive
   matches of the CookieName did not take into account this case, and therefore
   the regular expression that is now used in the matching process will be NULL
   if no CookieName directive was encountered.</p>
  -<p>This problem will be fixed in both 2.0.49 and 1.3.30 when they are
  -released.  As a simple workaround in 2.0.48 and 1.3.29, simply add the
  +<p>This problem has been fixed in both 2.0.49 and 1.3.31.
  +As a simple workaround in 2.0.48 and 1.3.29, simply add the
   line:
   </p>
   <p><b><code>CookieName Apache</code></b></p>
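Review bot: replacing 1.3.29 with 1.3.31 in the heading and on the `+you will encounter a bug in 2.0.48 and 1.3.31.` line makes the notice contradict itself, because the same hunk then states the problem "has been fixed in both 2.0.49 and 1.3.31" and still gives the workaround for 2.0.48 and 1.3.29. The affected 1.3 release should stay 1.3.29 in both places; only the fixed-in sentence needs the new version number.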
  @@ -162,27 +162,38 @@
              <table border="0" cellspacing="0" cellpadding="2" width="100%">
    <tr><td bgcolor="#525D76">
     <font color="#ffffff" face="arial,helvetica,sanserif">
  -   <a name="1.3.29"><strong>Apache 1.3.29 Released</strong></a>
  +   <a name="1.3.31"><strong>Apache 1.3.31 Released</strong></a>
     </font>
    </td></tr>
    <tr><td>
     <blockquote>
   <p>The Apache Group is pleased to announce the <a href="http://www.apache.org/dist/httpd/Announcement.html">release of the 
  -1.3.29 version of the Apache HTTP Server</a>. (German translation
  -<a href="http://www.apache.org/dist/httpd/Announcement.html.de">here</a>)
  +1.3.31 version of the Apache HTTP Server</a>.
   </p>
   <p>This version of Apache is principally a security and bug fix
  -release.  Of particular note is that 1.3.29 addresses and fixes the
  -following issue:</p>
  -<p>A buffer overflow could occur in mod_alias and mod_rewrite when
  -   a regular expression with more than 9 captures is configured.<br />
  -   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542">CAN-2003-0542</a>]</code></p>
  +release.  Of particular note is that 1.3.31 addresses and fixes the
  +following 4 security related issues:</p>
  +<p>In <code>mod_digest</code>, verify whether the nonce returned in the client 
  +       response is one we issued ourselves.  This problem does not affect
  +       <code>mod_auth_digest</code>.<br. />
  +       <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987">CAN-2003-0987 (cve.mitre.org)</a>]</code></p>
  +<p>Escape arbitrary data before writing into the errorlog.<br />
  +       <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020">CAN-2003-0020 (cve.mitre.org)</a>]</code></p>
  +<p>Fix starvation issue on listening sockets where a short-lived
  +       connection on a rarely-accessed listening socket will cause a
  +       child to hold the accept mutex and block out new connections until
  +       another connection arrives on that rarely-accessed listening socket.<br />
  +       <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174">CAN-2004-0174 (cve.mitre.org)</a>]</code></p>
  +<p>Fix parsing of Allow/Deny rules using IP addresses without a
  +       netmask; issue is only known to affect big-endian 64-bit
  +       platforms<br />
  +       <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993">CAN-2003-0993 (cve.mitre.org)</a>]</code></p>
   <p align="center">
   
   <a href="download.cgi">Download</a> | 
   <a href="docs/windows.html">Apache for Win32</a> |
   <a href="docs/new_features_1_3.html">New Features in Apache 1.3</a> |
  -<a href="http://www.apache.org/dist/httpd/CHANGES_1.3">ChangeLog for 1.3.29</a>
  +<a href="http://www.apache.org/dist/httpd/CHANGES_1.3">ChangeLog for 1.3.31</a>
   </p>
     </blockquote>
    </td></tr>
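Review bot: the mod_digest entry ends its description with `<br. />` (stray dot after `br`), while the other three entries use `<br />`. That tag is not a line break, so the CAN-2003-0987 link will run on directly after "mod_auth_digest." instead of starting on its own line. Since this file mirrors xdocs/index.xml, correct the tag there and regenerate rather than editing the HTML by hand.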
  
  
  
  1.54      +28 -14    httpd-site/xdocs/index.xml
  
  Index: index.xml
  ===================================================================
  RCS file: /home/cvs/httpd-site/xdocs/index.xml,v
  retrieving revision 1.53
  retrieving revision 1.54
  diff -u -r1.53 -r1.54
  --- index.xml	19 Mar 2004 21:51:20 -0000	1.53
  +++ index.xml	11 May 2004 12:43:49 -0000	1.54
  @@ -38,11 +38,11 @@
   </section>
   
   <section id="bugnotice">
  -<title>Important Bug Workaround for 2.0.48 and 1.3.29</title>
  +<title>Important Bug Workaround for 2.0.48 and 1.3.31</title>
   
   <p>If you use mod_usertrack with the default
   <a href="http://httpd.apache.org/docs-2.0/mod/mod_usertrack.html#cookiename">CookieName</a> (ie, there is no CookieName directive in your config file), then
  -you will encounter a bug in 2.0.48 and 1.3.29.
  +you will encounter a bug in 2.0.48 and 1.3.31.
   </p>
   
   <p>The patch that was added to these versions to help prevent false-positive
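Review bot: the `<title>` and the `+you will encounter a bug in 2.0.48 and 1.3.31.` line now name 1.3.31 as an affected release, but the following hunk says the problem is fixed in 1.3.31 and keeps the workaround text for 2.0.48 and 1.3.29. This looks like an over-broad search and replace; leave 1.3.29 in the title and in this sentence.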
  @@ -50,8 +50,8 @@
   the regular expression that is now used in the matching process will be NULL
   if no CookieName directive was encountered.</p>
   
  -<p>This problem will be fixed in both 2.0.49 and 1.3.30 when they are
  -released.  As a simple workaround in 2.0.48 and 1.3.29, simply add the
  +<p>This problem has been fixed in both 2.0.49 and 1.3.31.
  +As a simple workaround in 2.0.48 and 1.3.29, simply add the
   line:
   </p>
   
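Review bot: on the `+<p>This problem has been fixed in both 2.0.49 and 1.3.31.` line the fixed-in release moves from 1.3.30 to 1.3.31 with no mention of 1.3.30, which the previous wording promised. A short clause saying the fix first ships in 1.3.31 would stop readers of the old notice from looking for a 1.3.30 download. The tense also changes to "has been fixed" while the commit log says the site is still getting ready for 1.3.31, so this text should go live together with the release.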
  @@ -107,29 +107,43 @@
   
   </section>
   
  -<section id="1.3.29">
  -<title>Apache 1.3.29 Released</title>
  +<section id="1.3.31">
  +<title>Apache 1.3.31 Released</title>
   
   <p>The Apache Group is pleased to announce the <a 
   href="http://www.apache.org/dist/httpd/Announcement.html">release of the 
  -1.3.29 version of the Apache HTTP Server</a>. (German translation
  -<a href="http://www.apache.org/dist/httpd/Announcement.html.de">here</a>)
  +1.3.31 version of the Apache HTTP Server</a>.
   </p>
   
   <p>This version of Apache is principally a security and bug fix
  -release.  Of particular note is that 1.3.29 addresses and fixes the
  -following issue:</p>
  +release.  Of particular note is that 1.3.31 addresses and fixes the
  +following 4 security related issues:</p>
   
  -<p>A buffer overflow could occur in mod_alias and mod_rewrite when
  -   a regular expression with more than 9 captures is configured.<br />
  -   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542">CAN-2003-0542</a>]</code></p>
  +<p>In <code>mod_digest</code>, verify whether the nonce returned in the client 
  +       response is one we issued ourselves.  This problem does not affect
  +       <code>mod_auth_digest</code>.<br./>
  +       <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987">CAN-2003-0987 (cve.mitre.org)</a>]</code></p>
  +
  +<p>Escape arbitrary data before writing into the errorlog.<br/>
  +       <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020">CAN-2003-0020 (cve.mitre.org)</a>]</code></p>
  +
  +<p>Fix starvation issue on listening sockets where a short-lived
  +       connection on a rarely-accessed listening socket will cause a
  +       child to hold the accept mutex and block out new connections until
  +       another connection arrives on that rarely-accessed listening socket.<br/>
  +       <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174">CAN-2004-0174 (cve.mitre.org)</a>]</code></p>
  +
  +<p>Fix parsing of Allow/Deny rules using IP addresses without a
  +       netmask; issue is only known to affect big-endian 64-bit
  +       platforms<br/>
  +       <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993">CAN-2003-0993 (cve.mitre.org)</a>]</code></p>
   
   <p align="center">
   
   <a href="download.cgi">Download</a> | 
   <a href="docs/windows.html">Apache for Win32</a> |
   <a href="docs/new_features_1_3.html">New Features in Apache 1.3</a> |
  -<a href="http://www.apache.org/dist/httpd/CHANGES_1.3">ChangeLog for 1.3.29</a>
  +<a href="http://www.apache.org/dist/httpd/CHANGES_1.3">ChangeLog for 1.3.31</a>
   </p>
   </section>
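Review bot: `<br./>` on the mod_digest entry is well-formed XML but names an element `br.` rather than `br`, which is where the `<br. />` in the generated docs/index.html comes from; change it to `<br/>` as in the three entries below it. Two smaller points in the same hunk: the last entry ends at "platforms" with no full stop, unlike the others, and renaming the section id from 1.3.29 to 1.3.31 means links to the old #1.3.29 anchor will no longer resolve.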