Posted to cvs@httpd.apache.org by ji...@apache.org on 2013/11/16 19:21:10 UTC
svn commit: r3537 - /release/httpd/
Author: jim
Date: Sat Nov 16 18:21:05 2013
New Revision: 3537
Log:
Push 2.2.26 artifacts to mirrors
Added:
release/httpd/CHANGES_2.2.26
release/httpd/httpd-2.2.26.tar.bz2 (with props)
release/httpd/httpd-2.2.26.tar.bz2.asc (with props)
release/httpd/httpd-2.2.26.tar.bz2.md5
release/httpd/httpd-2.2.26.tar.bz2.sha1
release/httpd/httpd-2.2.26.tar.gz (with props)
release/httpd/httpd-2.2.26.tar.gz.asc (with props)
release/httpd/httpd-2.2.26.tar.gz.md5
release/httpd/httpd-2.2.26.tar.gz.sha1
Modified:
release/httpd/Announcement2.2.html
release/httpd/Announcement2.2.txt
release/httpd/CHANGES_2.2
Modified: release/httpd/Announcement2.2.html
==============================================================================
--- release/httpd/Announcement2.2.html (original)
+++ release/httpd/Announcement2.2.html Sat Nov 16 18:21:05 2013
@@ -15,51 +15,26 @@
<img src="../../images/apache_sub.gif" alt="" />
<h1>
- Apache HTTP Server 2.2.25 Released
+ Apache HTTP Server 2.2.26 Released
</h1>
<p>
The Apache Software Foundation and the Apache HTTP Server Project are
- pleased to announce the release of version 2.2.25 of the Apache HTTP
- Server ("Apache"). This version of Apache is principally a security
- and bug fix legacy release, including the following security fixes:
-</p>
-<ul>
- <li>SECURITY: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896">CVE-2013-1896</a> (cve.mitre.org)
- mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn
- with the source href (sent as part of the request body as XML) pointing
- to a URI that is not configured for DAV will trigger a segfault.
- </li>
- <li>SECURITY: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862">CVE-2013-1862</a> (cve.mitre.org)
- mod_rewrite: Ensure that client data written to the RewriteLog is
- escaped to prevent terminal escape sequences from entering the
- log file.
- </li>
-</ul>
-<p>
- The Apache HTTP Project thanks Ben Riser and Ramiro Molina for bringing
- these issues to the attention of the project security team.
-</p>
-<p>
- Errata: the build is known to fail against OpenSSL when that library
- is built to provide no SSLv2 support whatsoever. The following patch
- will successfully build httpd 2.2.25 against such OpenSSL installations:
-<dl>
- <dd><a href="http://svn.apache.org/viewvc?view=revision&revision=1501712"
- >http://svn.apache.org/viewvc?view=revision&revision=1501712</a></dd>
-</dl>
+ pleased to announce the release of version 2.2.26 of the Apache HTTP
+ Server ("Apache"). This version of Apache is principally a bug fix
+ maintenance release.
</p>
<p>
We consider the Apache HTTP Server 2.4 release to be the best version
of Apache available, and encourage users of 2.2 and all prior versions
- to upgrade. This 2.2 legacy release is offered for those unable to
- upgrade at this time. For further details, see:
+ to upgrade. This 2.2 maintenance release is offered for those unable
+ to upgrade at this time. For further details, see:
<dl>
<dd><a href="http://www.apache.org/dist/httpd/Announcement2.4.html"
>http://www.apache.org/dist/httpd/Announcement2.4.html</a></dd>
</dl>
</p>
<p>
- Apache HTTP Server 2.4 and 2.2.25 are available for download from:
+ Apache HTTP Server 2.4 and 2.2.26 are available for download from:
</p>
<dl>
<dd><a href="http://httpd.apache.org/download.cgi"
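Review bot: The rewritten intro paragraph calls 2.2.26 "principally a bug fix maintenance release" and drops the security list entirely, yet CHANGES_2.2.26 in this same commit records that the SSLCompression default changes to off because compression "causes security issues in most setups" (CRIME). That is a security-relevant default change, and operators who read only the announcement will not see it. Suggest one sentence after "maintenance release." that calls it out and points to the CHANGES entry.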
@@ -67,7 +42,7 @@
</dl>
<p>
Please see the CHANGES_2.2 file, linked from the download page, for a
- full list of changes. A condensed list, CHANGES_2.2.25 includes only
+ full list of changes. A condensed list, CHANGES_2.2.26 includes only
those changes introduced since the prior 2.2 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:
Modified: release/httpd/Announcement2.2.txt
==============================================================================
--- release/httpd/Announcement2.2.txt (original)
+++ release/httpd/Announcement2.2.txt Sat Nov 16 18:21:05 2013
@@ -1,42 +1,23 @@
- Apache HTTP Server 2.2.25 Released
+ Apache HTTP Server 2.2.26 Released
The Apache Software Foundation and the Apache HTTP Server Project are
- pleased to announce the release of version 2.2.25 of the Apache HTTP
- Server ("Apache"). This version of Apache is principally a security
- and bug fix legacy release, including the following security fixes:
-
- * SECURITY: CVE-2013-1896 (cve.mitre.org)
- mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn
- with the source href (sent as part of the request body as XML) pointing
- to a URI that is not configured for DAV will trigger a segfault.
-
- * SECURITY: CVE-2013-1862 (cve.mitre.org)
- mod_rewrite: Ensure that client data written to the RewriteLog is
- escaped to prevent terminal escape sequences from entering the
- log file.
-
- The Apache HTTP Project thanks Ben Riser and Ramiro Molina for bringing
- these issues to the attention of the project security team.
-
- Errata: the build is known to fail against OpenSSL when that library
- is built to provide no SSLv2 support whatsoever. The following patch
- will successfully build httpd 2.2.25 against such OpenSSL installations:
-
- http://svn.apache.org/viewvc?view=revision&revision=1501712
+ pleased to announce the release of version 2.2.26 of the Apache HTTP
+ Server ("Apache"). This version of Apache is principally a bug fix
+ maintenance release.
We consider the Apache HTTP Server 2.4 release to be the best version
of Apache available, and encourage users of 2.2 and all prior versions
- to upgrade. This 2.2 legacy release is offered for those unable to
- upgrade at this time. For further details, see:
+ to upgrade. This 2.2 maintenance release is offered for those unable
+ to upgrade at this time. For further details, see:
http://www.apache.org/dist/httpd/Announcement2.4.txt
- Apache HTTP Server 2.4 and 2.2.25 are available for download from:
+ Apache HTTP Server 2.4 and 2.2.26 are available for download from:
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.2 file, linked from the download page, for a
- full list of changes. A condensed list, CHANGES_2.2.25 includes only
+ full list of changes. A condensed list, CHANGES_2.2.26 includes only
those changes introduced since the prior 2.2 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:
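Review bot: With the Errata paragraph removed, the text announcement no longer tells 2.2.25 users that the build failure against OpenSSL without SSLv2 support is fixed, and it never mentions the mod_dav URI double encoding that the CHANGES hunk in this commit attributes to 2.2.25 (PR 55194 and PR 55397). Suggest a short sentence after "maintenance release." stating that regressions introduced in 2.2.25 are corrected, with the same wording mirrored in Announcement2.2.html so the two files stay in step.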
Modified: release/httpd/CHANGES_2.2
==============================================================================
--- release/httpd/CHANGES_2.2 (original)
+++ release/httpd/CHANGES_2.2 Sat Nov 16 18:21:05 2013
@@ -1,4 +1,30 @@
-*- coding: utf-8 -*-
+Changes with Apache 2.2.26
+
+ *) mod_dav: dav_resource->uri treated as unencoded. This was an
+ unnecessary ABI changed introduced in 2.2.25 PR 55397. [Ben Reser]
+
+ *) mod_dav: Do not validate locks against parent collection of COPY
+ source URI. PR 55304. [Ben Reser]
+
+ *) mod_ssl: Check SNI hostname against Host header case-insensitively.
+ PR 49491. [Mayank Agrawal <magrawal.08 gmail.com>]
+
+ *) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against
+ OpenSSL 1.0.0b3. [Vipul Gupta vipul.gupta sun.com, Sander Temme,
+ Stefan Fritsch]
+
+ *) mod_ssl: Change default for SSLCompression to off, as compression
+ causes security issues in most setups. (The so called "CRIME" attack).
+ [Stefan Fritsch]
+
+ *) mod_ssl: Fix compilation error when OpenSSL does not contain
+ support for SSLv2. Problem was introduced in 2.2.25. PR 55194.
+ [Rainer Jung, Kaspar Brand]
+
+ *) mod_dav: Fix double encoding of URIs in XML and Location header (caused
+ by unintential ABI change in 2.2.25). PR 55397. [Ben Reser]
+
Changes with Apache 2.2.25
*) SECURITY: CVE-2013-1896 (cve.mitre.org)
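Review bot: The SSLCompression entry changes a default for a stated security reason but has no "SECURITY:" marker like the 2.2.25 entry in the trailing context line, so it is easy to miss when scanning CHANGES for security-relevant items. Suggest marking it consistently, or at least wording it as a behaviour change and noting that sites which still want compression now have to set SSLCompression on explicitly.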
Added: release/httpd/CHANGES_2.2.26
==============================================================================
--- release/httpd/CHANGES_2.2.26 (added)
+++ release/httpd/CHANGES_2.2.26 Sat Nov 16 18:21:05 2013
@@ -0,0 +1,35 @@
+ -*- coding: utf-8 -*-
+Changes with Apache 2.2.26
+
+ *) mod_dav: dav_resource->uri treated as unencoded. This was an
+ unnecessary ABI changed introduced in 2.2.25 PR 55397. [Ben Reser]
+
+ *) mod_dav: Do not validate locks against parent collection of COPY
+ source URI. PR 55304. [Ben Reser]
+
+ *) mod_ssl: Check SNI hostname against Host header case-insensitively.
+ PR 49491. [Mayank Agrawal <magrawal.08 gmail.com>]
+
+ *) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against
+ OpenSSL 1.0.0b3. [Vipul Gupta vipul.gupta sun.com, Sander Temme,
+ Stefan Fritsch]
+
+ *) mod_ssl: Change default for SSLCompression to off, as compression
+ causes security issues in most setups. (The so called "CRIME" attack).
+ [Stefan Fritsch]
+
+ *) mod_ssl: Fix compilation error when OpenSSL does not contain
+ support for SSLv2. Problem was introduced in 2.2.25. PR 55194.
+ [Rainer Jung, Kaspar Brand]
+
+ *) mod_dav: Fix double encoding of URIs in XML and Location header (caused
+ by unintential ABI change in 2.2.25). PR 55397. [Ben Reser]
+
+
+ [Apache 2.1.0-dev includes those bug fixes and changes with the
+ Apache 2.0.xx tree as documented, and except as noted, below.]
+
+Changes with Apache 2.0.x and later:
+
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
+
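Review bot: The first and last mod_dav entries both cite PR 55397 and both describe the ABI change from 2.2.25 (dav_resource->uri treated as unencoded, and the resulting double encoding of URIs), so they read as one fix listed twice; suggest merging them into a single entry. Two typos to fix while there, here and in the identical text added to CHANGES_2.2: "ABI changed introduced" should be "ABI change introduced", and "unintential" should be "unintentional". The contributor addresses are also formatted inconsistently ("<magrawal.08 gmail.com>" in angle brackets, "vipul.gupta sun.com" without).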
Added: release/httpd/httpd-2.2.26.tar.bz2
==============================================================================
Binary file - no diff available.
Propchange: release/httpd/httpd-2.2.26.tar.bz2
------------------------------------------------------------------------------
svn:mime-type = application/x-bzip2
Added: release/httpd/httpd-2.2.26.tar.bz2.asc
==============================================================================
Binary file - no diff available.
Propchange: release/httpd/httpd-2.2.26.tar.bz2.asc
------------------------------------------------------------------------------
svn:mime-type = application/pgp-signature
Added: release/httpd/httpd-2.2.26.tar.bz2.md5
==============================================================================
--- release/httpd/httpd-2.2.26.tar.bz2.md5 (added)
+++ release/httpd/httpd-2.2.26.tar.bz2.md5 Sat Nov 16 18:21:05 2013
@@ -0,0 +1 @@
+254eda547f8d624604e4bf403241e617 *httpd-2.2.26.tar.bz2
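Review bot: The digest files added for the tarballs are MD5 (this file) and SHA-1 (the .sha1 files in this commit) only, and both algorithms have known collision weaknesses, so they are suitable for catching transfer corruption but not as an authenticity check on a mirrored download. Suggest adding a SHA-256 digest file next to each tarball, and making sure the download instructions point users to the .asc signatures added in this commit as the check that matters.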
Added: release/httpd/httpd-2.2.26.tar.bz2.sha1
==============================================================================
--- release/httpd/httpd-2.2.26.tar.bz2.sha1 (added)
+++ release/httpd/httpd-2.2.26.tar.bz2.sha1 Sat Nov 16 18:21:05 2013
@@ -0,0 +1 @@
+ecfa7dab239ef177668ad1d5cf9d03c4602607b8 *httpd-2.2.26.tar.bz2
Added: release/httpd/httpd-2.2.26.tar.gz
==============================================================================
Binary file - no diff available.
Propchange: release/httpd/httpd-2.2.26.tar.gz
------------------------------------------------------------------------------
svn:mime-type = application/x-gzip
Added: release/httpd/httpd-2.2.26.tar.gz.asc
==============================================================================
Binary file - no diff available.
Propchange: release/httpd/httpd-2.2.26.tar.gz.asc
------------------------------------------------------------------------------
svn:mime-type = application/pgp-signature
Added: release/httpd/httpd-2.2.26.tar.gz.md5
==============================================================================
--- release/httpd/httpd-2.2.26.tar.gz.md5 (added)
+++ release/httpd/httpd-2.2.26.tar.gz.md5 Sat Nov 16 18:21:05 2013
@@ -0,0 +1 @@
+8f580ea4f8476d5fb131b772beca33b2 *httpd-2.2.26.tar.gz
Added: release/httpd/httpd-2.2.26.tar.gz.sha1
==============================================================================
--- release/httpd/httpd-2.2.26.tar.gz.sha1 (added)
+++ release/httpd/httpd-2.2.26.tar.gz.sha1 Sat Nov 16 18:21:05 2013
@@ -0,0 +1 @@
+dae47436517917b95f7ad58b33de1e6ff2471cae *httpd-2.2.26.tar.gz