Posted to cvs@httpd.apache.org by wr...@apache.org on 2011/09/14 08:21:20 UTC

svn commit: r401 - in /release/httpd: Announcement2.2.html Announcement2.2.txt

Author: wrowe
Date: Wed Sep 14 06:21:18 2011
New Revision: 401

Log:
Announcement to be published

Modified:
    release/httpd/Announcement2.2.html
    release/httpd/Announcement2.2.txt

Modified: release/httpd/Announcement2.2.html
==============================================================================
--- release/httpd/Announcement2.2.html (original)
+++ release/httpd/Announcement2.2.html Wed Sep 14 06:21:18 2011
@@ -15,30 +15,43 @@
 <img src="../../images/apache_sub.gif" alt="" />
 
 <h1>
-                       Apache HTTP Server 2.2.20 Released
+                       Apache HTTP Server 2.2.21 Released
 </h1>
 
 <p>
    The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the release of version 2.2.20 of the Apache HTTP
+   pleased to announce the release of version 2.2.21 of the Apache HTTP
    Server ("Apache").  This version of Apache is principally a security and bug fix
    release:
 </p>
 <ul>
+<li>SECURITY: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3348">CVE-2011-3348</a> (cve.mitre.org)
+       mod_proxy_ajp when combined with mod_proxy_balancer: Prevents
+       unrecognized HTTP methods from marking ajp: balancer members 
+       in an error state, avoiding denial of service.
+</li>
 <li>SECURITY: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192">CVE-2011-3192</a> (cve.mitre.org)
-       core: Fix handling of byte-range requests to use less memory, to avoid
-       denial of service. If the sum of all ranges in a request is larger than
-       the original file, ignore the ranges and send the complete file.
-       PR 51714.
+       core: Further fixes to the handling of byte-range requests to use
+       less memory, to avoid denial of service. This patch includes fixes
+       to the patch introduced in release 2.2.20 for protocol compliance,
+       as well as the MaxRanges directive.
 </li>
 </ul>
 <p>
+   Note the further advisories on the state of CVE-2011-3192 will no longer
+   be broadcast, but will be kept up to date at;
+</p>
+<dl>
+  <dd><a href="http://httpd.apache.org/security/CVE-2011-3192.txt"
+              >http://httpd.apache.org/security/CVE-2011-3192.txt</a></dd>
+</dl>
+<p>
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.
 </p>
 
 <p>
-   Apache HTTP Server 2.2.20 is available for download from:
+   Apache HTTP Server 2.2.21 is available for download from:
 </p>
 <dl>
   <dd><a href="http://httpd.apache.org/download.cgi"
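Review bot: the added paragraph "Note the further advisories on the state of CVE-2011-3192 will no longer / be broadcast, but will be kept up to date at;" ends with a semicolon where a colon introducing the advisory URL is intended, and "Note the further advisories" should read "Note that further advisories"; the identical wording is in the .txt announcement, so both copies need the same fix. Minor: the new CVE-2011-3348 `<li>` carries trailing whitespace on the line ending `balancer members `. The `<dl>`/`<dd>` block around the advisory link mirrors the existing download-link markup further down, so that structure is consistent with the rest of the page.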
@@ -47,7 +60,7 @@
 
 <p>
    Please see the CHANGES_2.2 file, linked from the download page, for a
-   full list of changes.  A condensed list, CHANGES_2.2.20 provides the
+   full list of changes.  A condensed list, CHANGES_2.2.21 provides the
    complete list of changes since 2.2.19.  A summary of all of the security
    vulnerabilities addressed in this and earlier releases is available:
 </p>
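Review bot: the unchanged context line "complete list of changes since 2.2.19" now sits next to the bumped file name CHANGES_2.2.21; confirm that the condensed CHANGES_2.2.21 list really spans back to 2.2.19 (that is, it also covers the 2.2.20 changes), otherwise this sentence misstates the baseline and should say "since 2.2.20". Minor: "A condensed list, CHANGES_2.2.21 provides the" needs a closing comma after the file name.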

Modified: release/httpd/Announcement2.2.txt
==============================================================================
--- release/httpd/Announcement2.2.txt (original)
+++ release/httpd/Announcement2.2.txt Wed Sep 14 06:21:18 2011
@@ -1,25 +1,35 @@
-                       Apache HTTP Server 2.2.20 Released
+                       Apache HTTP Server 2.2.21 Released
 
    The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the release of version 2.2.20 of the Apache HTTP
+   pleased to announce the release of version 2.2.21 of the Apache HTTP
    Server ("Apache").  This version of Apache is principally a security
    and bug fix release:
 
+     * SECURITY: CVE-2011-3348 (cve.mitre.org)
+       mod_proxy_ajp when combined with mod_proxy_balancer: Prevents
+       unrecognized HTTP methods from marking ajp: balancer members 
+       in an error state, avoiding denial of service.
+
      * SECURITY: CVE-2011-3192 (cve.mitre.org)
-       core: Fix handling of byte-range requests to use less memory, to avoid
-       denial of service. If the sum of all ranges in a request is larger than
-       the original file, ignore the ranges and send the complete file.
-       PR 51714.
+       core: Further fixes to the handling of byte-range requests to use
+       less memory, to avoid denial of service. This patch includes fixes
+       to the patch introduced in release 2.2.20 for protocol compliance,
+       as well as the MaxRanges directive.
+
+   Note the further advisories on the state of CVE-2011-3192 will no longer
+   be broadcast, but will be kept up to date at;
+
+     http://httpd.apache.org/security/CVE-2011-3192.txt
 
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.
 
-   Apache HTTP Server 2.2.20 is available for download from:
+   Apache HTTP Server 2.2.21 is available for download from:
 
      http://httpd.apache.org/download.cgi
 
    Please see the CHANGES_2.2 file, linked from the download page, for a
-   full list of changes.  A condensed list, CHANGES_2.2.20 provides the
+   full list of changes.  A condensed list, CHANGES_2.2.21 provides the
    complete list of changes since 2.2.19.  A summary of all of the security
    vulnerabilities addressed in this and earlier releases is available:
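Review bot: as in the HTML version, the added line "be broadcast, but will be kept up to date at;" should end with a colon, not a semicolon, since it introduces the URL on the following line, and "Note the further advisories" should be "Note that further advisories". The added CVE-2011-3348 entry has trailing whitespace on the line ending `balancer members `. The unchanged "complete list of changes since 2.2.19" next to the bumped CHANGES_2.2.21 name should be checked for the same baseline question raised on the HTML hunk.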