Posted to cvs@httpd.apache.org by jw...@apache.org on 2002/08/09 22:04:28 UTC
cvs commit: httpd-dist Announcement2.html
jwoolley 2002/08/09 13:04:28
Modified: . Announcement2.html
Log:
entity escaping
Revision Changes Path
1.23 +22 -22 httpd-dist/Announcement2.html
Index: Announcement2.html
===================================================================
RCS file: /home/cvs/httpd-dist/Announcement2.html,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -d -u -r1.22 -r1.23
--- Announcement2.html 9 Aug 2002 19:17:53 -0000 1.22
+++ Announcement2.html 9 Aug 2002 20:04:28 -0000 1.23
@@ -27,9 +27,9 @@
CAN-2002-0661</a> and the pair of path exposures in
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0654">
CAN-2002-0654</a> (mitre.org).
-We would like to thank Auriemma Luigi <bu...@sitoverde.com> for
+We would like to thank Auriemma Luigi <bugtest@sitoverde.com> for
discovering and reporting the vulnerability and one of the path exposures
-and Jim Race <jr...@qualys.com> for reporting the other path exposure.</p>
+and Jim Race <jrace@qualys.com> for reporting the other path exposure.</p>
<p>Apache 2.0 offers numerous enhancements, improvements and performance
boosts over the 1.3 codebase. The most visible and noteworthy addition
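Review bot: The two thank-you lines sit inside a `<p>` next to real `<a href>` markup, so an unescaped `<bugtest@sitoverde.com>` or `<jrace@qualys.com>` is parsed as an unknown tag and the reporter's address drops out of the rendered announcement. This plain-text view shows literal angle brackets on both the removed and the added lines, so the fix cannot be confirmed from here; check that revision 1.23 carries `&lt;` and `&gt;` around both addresses. The log message "entity escaping" would also be more useful if it named what was being escaped and why.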
@@ -74,37 +74,37 @@
the vulnerability. Add the following directive in the global server
httpd.conf context before any other Alias or Redirect directives:
RedirectMatch 400 "\\\.\."
- Reported by Auriemma Luigi <bu...@sitoverde.com>.
+ Reported by Auriemma Luigi <bugtest@sitoverde.com>.
[Brad Nicholes]
*) SECURITY: Close a path-revealing exposure in multiview type
map negotiation (such as the default error documents) where the
module would report the full path of the typemapped .var file when
multiple documents or no documents could be served based on the mime
- negotiation. Reported by Auriemma Luigi <bu...@sitoverde.com>.
+ negotiation. Reported by Auriemma Luigi <bugtest@sitoverde.com>.
[CAN-2002-0654] [William Rowe]
*) SECURITY: Close a path-revealing exposure in cgi/cgid when we
fail to invoke a script. The modules would report "couldn't create
child process /path-to-script/script.pl" revealing the full path
- of the script. Reported by Jim Race <jr...@qualys.com>.
+ of the script. Reported by Jim Race <jrace@qualys.com>.
[CAN-2002-0654] [Bill Stoddard]
*) Set aside the apr-iconv and apr_xlate() features for the Win32
build of 2.0.40 so development can be completed. A patch, from
- <http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>
+ <http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>
will be available for those that wish to work with apr-iconv.
[William Rowe]
*) Fix proxy so that it is possible to access ftp: URLs via a proxy
- chain. [Peter Van Biesen <pe...@vlafo.be>]
+ chain. [Peter Van Biesen <peter.vanbiesen@vlafo.be>]
*) mod-deflate now checks to make sure that 'gzip-only-text/html' is
set to 1, so we can exclude things from the general case with
- browsermatch. [Ian Holsman, Andre Schild <A....@aarboard.ch>]
+ browsermatch. [Ian Holsman, Andre Schild <A.Schild@aarboard.ch>]
*) Accept multiple leading /'s for requests within the DocumentRoot.
- PR 10946 [William Rowe, David Shane Holden <dp...@yahoo.com>]
+ PR 10946 [William Rowe, David Shane Holden <dpejesh@yahoo.com>]
*) Solved the reports of .pdf byterange failures on Win32 alone.
APR's sendfile for the win32 platform collapses header and trailer
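Review bot: The patch URL in the apr-iconv entry, `<http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>`, stays as bracketed text, so once escaped it displays but is still not clickable. The CVE references at the top of the file already use `<a href=...>`; doing the same here would be consistent and would spare readers copying a URL by hand out of a security announcement.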
@@ -117,7 +117,7 @@
type other than AP_FTYPE_RESOURCE. [Jeff Trawick]
*) Restore the ability to specify host names on Listen directives.
- PR 11030. [Jeff Trawick, David Shane Holden <dp...@yahoo.com>]
+ PR 11030. [Jeff Trawick, David Shane Holden <dpejesh@yahoo.com>]
*) When deciding on the default address family for listening sockets,
make sure we can actually bind to an AF_INET6 socket before
@@ -127,7 +127,7 @@
*) Replace usage of atol() to parse strings when we might want a
larger-than-long value with apr_atoll(), which returns long long.
This allows HTTPD to deal with larger files correctly.
- [Shantonu Sen <ss...@apple.com>]
+ [Shantonu Sen <ssen@apple.com>]
*) mod_ext_filter: Ignore any content-type parameters when checking if
the response should be filtered. Previously, "intype=text/html"
@@ -135,35 +135,35 @@
[Jeff Trawick]
*) mod_ext_filter: Set up environment variables for external programs.
- [Craig Sebenik <cr...@netapp.com>]
+ [Craig Sebenik <craig@netapp.com>]
*) Modified the HTTP_IN filter to immediately append the EOS (end of
stream) bucket for C-L POST bodies, saving a roundtrip and allowing
the caller to determine that no content remains without prefetching
additional POST body. [William Rowe]
- *) Get proxy ftp to work over IPv6. [Shoichi Sakane <sa...@kame.net>]
+ *) Get proxy ftp to work over IPv6. [Shoichi Sakane <sakane@kame.net>]
- *) Look for OpenSSL libraries in /usr/lib64. [Peter Poeml <po...@suse.de>]
+ *) Look for OpenSSL libraries in /usr/lib64. [Peter Poeml <poeml@suse.de>]
- *) Update SuSE layout. [Peter Poeml <po...@suse.de>]
+ *) Update SuSE layout. [Peter Poeml <poeml@suse.de>]
*) Changes to the internationalized error documents:
Comment them out in the default config file to make the default
install as simple as possible; Correct the english 500 error to
be more understandable; Add a Swedish translation.
- [Thomas Sjogren <th...@northernsecurity.net>,
- Erik Abele <er...@codefaktor.de>, Rich Bowen, Joshua Slive]
+ [Thomas Sjogren <thomas@northernsecurity.net>,
+ Erik Abele <erik@codefaktor.de>, Rich Bowen, Joshua Slive]
*) Increase the limit on file descriptors per process in apachectl.
[Brian Pane]
*) Fix a dependency error when building ApacheMonitor, so that Win32
and MSVC now trust that the project is current (when it is).
- [James Cox <im...@php.net>]
+ [James Cox <imajes@php.net>]
*) mod_ext_filter: don't segfault if content-type is not set. PR 10617.
- [Arthur P. Smith <ap...@aps.org>, Jeff Trawick]
+ [Arthur P. Smith <apsmith@aps.org>, Jeff Trawick]
*) APR-Util Renames pending have been completed [Thom May]
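Review bot: A missed address fails silently here, since the browser simply hides the unknown tag, and the credits in this hunk are easy to miss by hand, notably the one that wraps over two lines (Thomas Sjogren and Erik Abele). A search of the file for a raw `<` followed by text containing `@`, for example the pattern `<[^ >]*@`, before commit would confirm none are left.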
@@ -194,7 +194,7 @@
*) Fix infinite loop due to two HTTP_IN filters being present for
internally redirected requests. PR 10146. [Justin Erenkrantz]
- *) Switch conn_rec->keepalive to an enumeration rather than a bitfield.
+ *) Switch conn_rec->keepalive to an enumeration rather than a bitfield.
[Justin Erenkrantz]
*) Fix mod_ext_filter to look in the main server for filter definitions
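Review bot: In the `conn_rec->keepalive` entry only the `>` of `->` is involved, and a lone `>` in text displays correctly even when unescaped, so this line is a consistency cleanup rather than a fix for lost text like the address lines. It is fine to keep; if the identifier is meant to read as code, wrapping it in `<code>` would be the clearer change.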
@@ -209,7 +209,7 @@
[William Rowe]
*) Normalize the hostname value in the request_rec to all-lowercase
- [Perry Harrington <pe...@webcom.com>]
+ [Perry Harrington <pedward@webcom.com>]
*) Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include
extended characters (non US-ASCII) in non-utf8 format. This brings
@@ -225,7 +225,7 @@
[Bill Stoddard]
*) mod_rewrite can now set cookies (RewriteRule (.*) - [CO=name:$1:.domain])
- [Brian Degenhardt <bm...@mp3.com>, Ian Holsman]
+ [Brian Degenhardt <bmd@mp3.com>, Ian Holsman]
*) Fix perchild to work with apachectl by adding -k support to perchild.
PR 10074 [Jeff Trawick]