Posted to cvs@httpd.apache.org by wr...@apache.org on 2011/09/14 08:21:20 UTC
svn commit: r401 - in /release/httpd: Announcement2.2.html Announcement2.2.txt
Author: wrowe
Date: Wed Sep 14 06:21:18 2011
New Revision: 401
Log:
Announcement to be published
Modified:
release/httpd/Announcement2.2.html
release/httpd/Announcement2.2.txt
Modified: release/httpd/Announcement2.2.html
==============================================================================
--- release/httpd/Announcement2.2.html (original)
+++ release/httpd/Announcement2.2.html Wed Sep 14 06:21:18 2011
@@ -15,30 +15,43 @@
<img src="../../images/apache_sub.gif" alt="" />
<h1>
- Apache HTTP Server 2.2.20 Released
+ Apache HTTP Server 2.2.21 Released
</h1>
<p>
The Apache Software Foundation and the Apache HTTP Server Project are
- pleased to announce the release of version 2.2.20 of the Apache HTTP
+ pleased to announce the release of version 2.2.21 of the Apache HTTP
Server ("Apache"). This version of Apache is principally a security and bug fix
release:
</p>
<ul>
+<li>SECURITY: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3348">CVE-2011-3348</a> (cve.mitre.org)
+ mod_proxy_ajp when combined with mod_proxy_balancer: Prevents
+ unrecognized HTTP methods from marking ajp: balancer members
+ in an error state, avoiding denial of service.
+</li>
<li>SECURITY: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192">CVE-2011-3192</a> (cve.mitre.org)
- core: Fix handling of byte-range requests to use less memory, to avoid
- denial of service. If the sum of all ranges in a request is larger than
- the original file, ignore the ranges and send the complete file.
- PR 51714.
+ core: Further fixes to the handling of byte-range requests to use
+ less memory, to avoid denial of service. This patch includes fixes
+ to the patch introduced in release 2.2.20 for protocol compliance,
+ as well as the MaxRanges directive.
</li>
</ul>
<p>
+ Note the further advisories on the state of CVE-2011-3192 will no longer
+ be broadcast, but will be kept up to date at;
+</p>
+<dl>
+ <dd><a href="http://httpd.apache.org/security/CVE-2011-3192.txt"
+ >http://httpd.apache.org/security/CVE-2011-3192.txt</a></dd>
+</dl>
+<p>
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
</p>
<p>
- Apache HTTP Server 2.2.20 is available for download from:
+ Apache HTTP Server 2.2.21 is available for download from:
</p>
<dl>
<dd><a href="http://httpd.apache.org/download.cgi"
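Review bot: the new paragraph ends with a stray semicolon ("be kept up to date at;") where a colon should introduce the URL in the `<dl>` that follows, and "Note the further advisories" reads as a typo for "Note that further advisories"; suggest "Note that further advisories on the state of CVE-2011-3192 will no longer be broadcast, but will be kept up to date at:". The `<dd>`-only `<dl>` wrapping the link mirrors the existing download-link block, so the markup is at least consistent with what is already on the page.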
@@ -47,7 +60,7 @@
<p>
Please see the CHANGES_2.2 file, linked from the download page, for a
- full list of changes. A condensed list, CHANGES_2.2.20 provides the
+ full list of changes. A condensed list, CHANGES_2.2.21 provides the
complete list of changes since 2.2.19. A summary of all of the security
vulnerabilities addressed in this and earlier releases is available:
</p>
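Review bot: the unchanged context line "complete list of changes since 2.2.19" no longer agrees with the bumped file name on the `+` line: a condensed CHANGES_2.2.21 lists changes since 2.2.20, not 2.2.19, so that sentence should be updated in the same commit rather than left carrying the previous release's baseline.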
Modified: release/httpd/Announcement2.2.txt
==============================================================================
--- release/httpd/Announcement2.2.txt (original)
+++ release/httpd/Announcement2.2.txt Wed Sep 14 06:21:18 2011
@@ -1,25 +1,35 @@
- Apache HTTP Server 2.2.20 Released
+ Apache HTTP Server 2.2.21 Released
The Apache Software Foundation and the Apache HTTP Server Project are
- pleased to announce the release of version 2.2.20 of the Apache HTTP
+ pleased to announce the release of version 2.2.21 of the Apache HTTP
Server ("Apache"). This version of Apache is principally a security
and bug fix release:
+ * SECURITY: CVE-2011-3348 (cve.mitre.org)
+ mod_proxy_ajp when combined with mod_proxy_balancer: Prevents
+ unrecognized HTTP methods from marking ajp: balancer members
+ in an error state, avoiding denial of service.
+
* SECURITY: CVE-2011-3192 (cve.mitre.org)
- core: Fix handling of byte-range requests to use less memory, to avoid
- denial of service. If the sum of all ranges in a request is larger than
- the original file, ignore the ranges and send the complete file.
- PR 51714.
+ core: Further fixes to the handling of byte-range requests to use
+ less memory, to avoid denial of service. This patch includes fixes
+ to the patch introduced in release 2.2.20 for protocol compliance,
+ as well as the MaxRanges directive.
+
+ Note the further advisories on the state of CVE-2011-3192 will no longer
+ be broadcast, but will be kept up to date at;
+
+ http://httpd.apache.org/security/CVE-2011-3192.txt
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
- Apache HTTP Server 2.2.20 is available for download from:
+ Apache HTTP Server 2.2.21 is available for download from:
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.2 file, linked from the download page, for a
- full list of changes. A condensed list, CHANGES_2.2.20 provides the
+ full list of changes. A condensed list, CHANGES_2.2.21 provides the
complete list of changes since 2.2.19. A summary of all of the security
vulnerabilities addressed in this and earlier releases is available:
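Review bot: the text version carries the same two slips as the HTML: "kept up to date at;" should end with a colon before the URL (and "Note the further advisories" should read "Note that further advisories"), and the unchanged line "complete list of changes since 2.2.19" should become "since 2.2.20" now that the condensed list is CHANGES_2.2.21. Keeping both files in step matters here because the .txt is what gets mailed out verbatim.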