Posted to cvs@httpd.apache.org by wr...@apache.org on 2017/10/05 18:41:33 UTC

svn commit: r22133 - in /release/httpd: Announcement2.4.html Announcement2.4.txt CURRENT-IS-2.4.27 CURRENT-IS-2.4.28

Author: wrowe
Date: Thu Oct  5 18:41:33 2017
New Revision: 22133

Log:
Prepare for announce

Added:
    release/httpd/CURRENT-IS-2.4.28
      - copied unchanged from r22132, release/httpd/CURRENT-IS-2.4.27
Removed:
    release/httpd/CURRENT-IS-2.4.27
Modified:
    release/httpd/Announcement2.4.html
    release/httpd/Announcement2.4.txt

Modified: release/httpd/Announcement2.4.html
==============================================================================
--- release/httpd/Announcement2.4.html (original)
+++ release/httpd/Announcement2.4.html Thu Oct  5 18:41:33 2017
@@ -49,28 +49,27 @@
 <div class="banner"></div>
 
 <h1>
-                       Apache HTTP Server 2.4.27 Released
+                       Apache HTTP Server 2.4.28 Released
 </h1>
 <p>
-   July 11, 2017
+   October 5, 2017
 </p>
 <p>
    The Apache Software Foundation and the Apache HTTP Server Project are
    pleased to <a href="https://www.apache.org/dist/httpd/Announcement2.4.html">announce</a>
-   the release of version 2.4.27 of the Apache
+   the release of version 2.4.28 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   a security, feature, and bug fix release. Users are encouraged
-   to upgrade as soon as possible.
+   a security, feature, and bug fix release.
 </p>
 <p>
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.
 </p>
 <p>
-   Apache HTTP Server 2.4.27 is available for download from:
+   Apache HTTP Server 2.4.28 is available for download from:
 </p>
 <dl>
   <dd><a href="https://httpd.apache.org/download.cgi"
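Review bot: Removing "Users are encouraged to upgrade as soon as possible." at the end of the first paragraph drops the only urgency wording from an announcement that now leads with a SECURITY item. The remaining "encourage users of all prior versions to upgrade" says nothing about timing. Consider keeping the sentence, or note in the log message why it was dropped.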
@@ -78,7 +77,7 @@
 </dl>
 <p>
    Please see the <a href="./CHANGES_2.4">CHANGES_2.4</a> file, linked from the download page, for a
-   full list of changes.  A condensed list, <a href="./CHANGES_2.4.27">CHANGES_2.4.27</a> includes only
+   full list of changes.  A condensed list, <a href="./CHANGES_2.4.28">CHANGES_2.4.28</a> includes only
    those changes introduced since the prior 2.4 release.  A summary of all 
    of the security vulnerabilities addressed in this and earlier releases 
    is available:
@@ -89,13 +88,15 @@
   </dd>
 </dl>
 <p>
-   Of particular note in this release are 3 COMPATIBILITY items:
+   Of particular note in this release is 1 SECURITY item:
 </p>
 <ul>
-     <li>HTTP/2 will not be negotiated when using the Prefork MPM</li>
-     <li>FastCGI compatibility with PHP-FPM is fixed</li>
-     <li>mod_lua no longer exports the undocumented and unsupported
-       <code>apr_table</code> variable.</li>
+     <li>SECURITY: CVE-2017-9798 (cve.mitre.org)<br/>
+       Corrupted or freed memory access. &lt;Limit[Except]&gt; or the
+       RegisterHttpMethod directive must be given in the startup
+       configuration (httpd.conf) to register non-standard HTTP methods
+       before listing them in an .htaccess files.
+</li>
 </ul>
 <p>
    This release requires the Apache Portable Runtime (APR), minimum version
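Review bot: In the new list item, "before listing them in an .htaccess files" mixes singular and plural; use "an .htaccess file" or ".htaccess files". The "(cve.mitre.org)" reference is also plain text here, while other references in this HTML file are written as links, and the closing </li> sits at column 0 instead of following the list indentation.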
@@ -129,13 +130,13 @@ href="https://svn.apache.org/repos/asf/h
    using (and the libraries they depend on) are thread-safe.
 </p>
 <p>
-   Please note that Apache Web Server Project will only provide maintenance
-   releases of the 2.2.x flavor through June of 2017, and will provide some
-   security patches beyond this date through at least December of 2017.
-   Minimal maintenance patches of 2.2.x are expected throughout this period,
-   and users are strongly encouraged to promptly complete their transitions
-   to the the 2.4.x flavor of httpd to benefit from a much larger assortment
-   of minor security and bug fixes as well as new features.
+   Please note that while the Apache HTTP Server Project may publish some
+   security patches to the 2.2.x flavor through at least December of 2017,
+   no further maintenance patches of 2.2.x will be considered and no further
+   releases will be distributed. The 2.2.x branch has now reached the end of
+   its maintenance, and users are strongly encouraged to promptly complete
+   their transitions to this 2.4.x flavor of httpd to benefit from security
+   and bug fixes, as well as new features.
 </p>
 </body>
 </html>
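Review bot: The rewritten 2.2.x paragraph says security patches "may" be published through at least December of 2017 and also that "no further releases will be distributed", without saying how a 2.2.x user would obtain such a patch. Consider adding where those patches will be posted so readers do not wait for another 2.2.x release.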

Modified: release/httpd/Announcement2.4.txt
==============================================================================
--- release/httpd/Announcement2.4.txt (original)
+++ release/httpd/Announcement2.4.txt Thu Oct  5 18:41:33 2017
@@ -1,20 +1,19 @@
-                Apache HTTP Server 2.4.27 Released
+                Apache HTTP Server 2.4.28 Released
 
-   July 11, 2017
+   October 5, 2017
 
    The Apache Software Foundation and the Apache HTTP Server Project
-   are pleased to announce the release of version 2.4.27 of the Apache
+   are pleased to announce the release of version 2.4.28 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   a security, feature, and bug fix release. Users are encouraged
-   to upgrade as soon as possible.
+   a security, feature, and bug fix release.
 
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.
 
-   Apache HTTP Server 2.4.27 is available for download from:
+   Apache HTTP Server 2.4.28 is available for download from:
 
      http://httpd.apache.org/download.cgi
 
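Review bot: The download URL in the unchanged context of this hunk is still http://httpd.apache.org/download.cgi, while the HTML announcement modified in this same commit links https://httpd.apache.org/download.cgi. Since the text around it is being updated for the announce anyway, consider switching the text version to https so both files point at the same URL.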
@@ -25,19 +24,20 @@
      http://httpd.apache.org/docs/trunk/new_features_2_4.html
 
    Please see the CHANGES_2.4 file, linked from the download page, for a
-   full list of changes. A condensed list, CHANGES_2.4.27 includes only
+   full list of changes. A condensed list, CHANGES_2.4.28 includes only
    those changes introduced since the prior 2.4 release.  A summary of all 
    of the security vulnerabilities addressed in this and earlier releases 
    is available:
 
      http://httpd.apache.org/security/vulnerabilities_24.html
 
-   Of particular note in this release are 3 COMPATIBILITY items:
+   Of particular note in this release is 1 SECURITY item:
 
-     o HTTP/2 will not be negotiated when using the Prefork MPM
-     o FastCGI compatibility with PHP-FPM is fixed
-     o mod_lua no longer exports the undocumented and unsupported
-       'apr_table' variable.
+     o SECURITY: CVE-2017-9798 (cve.mitre.org)
+       Corrupted or freed memory access. <Limit[Except] > or the
+       RegisterHttpMethod directive must be given in the startup
+       configuration (httpd.conf) to register non-standard HTTP methods
+       before listing them in an .htaccess files.
 
    This release requires the Apache Portable Runtime (APR), minimum
    version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
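Review bot: The added security item writes "<Limit[Except] >" with a stray space before the closing bracket, which does not match the "&lt;Limit[Except]&gt;" in the HTML version; drop the space. The phrase "an .htaccess files" also has a singular/plural mismatch and should read "an .htaccess file" or ".htaccess files".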
@@ -55,10 +55,11 @@
    than the Prefork MPM), you must ensure that any modules you will be
    using (and the libraries they depend on) are thread-safe.
 
-   Please note that Apache Web Server Project will only provide maintenance
-   releases of the 2.2.x flavor through June of 2017, and will provide some
-   security patches beyond this date through at least December of 2017.
-   Minimal maintenance patches of 2.2.x are expected throughout this period,
-   and users are strongly encouraged to promptly complete their transitions
-   to the the 2.4.x flavor of httpd to benefit from a much larger assortment
-   of minor security and bug fixes as well as new features.
+   Please note that while the Apache HTTP Server Project may publish some
+   security patches to the 2.2.x flavor through at least December of 2017,
+   no further maintenance patches of 2.2.x will be considered and no further
+   releases will be distributed. The 2.2.x branch has now reached the end of
+   its maintenance, and users are strongly encouraged to promptly complete
+   their transitions to this 2.4.x flavor of httpd to benefit from security
+   and bug fixes, as well as new features.
+
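Review bot: The final "+" line adds an empty line at the end of Announcement2.4.txt, after "and bug fixes, as well as new features." Unless that is intentional, drop it so the file ends on the last line of text.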