You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Marc Slemko <ma...@znep.com> on 1998/01/05 03:34:25 UTC
announcement for 1.2
Below is my proposal for the announcement of the 1.2.5 release. Comments
welcome.
Note that a security advisory will be distributed seperately, which
goes into more detail on the security issues.
----------------------------------------------------------------------
Apache 1.2.5 Released
---------------------
The Apache Group is pleased to announce the release of the
latest version of the Apache web server, version 1.2.5.
This is a bugfix release containing minimal changes from
the previous version, 1.2.4. The main changes are a number of
fixes for possible security issues that have been discovered during
a security review of the Apache source code. While this release
was being prepared, an additional denial of service attack was
reported by a user. A patch for this is also included.
This is a pro-active release designed to help ensure that users of
Apache can be confident in the ongoing security of their webserver.
Full details of the security fixes are available in the separate
security advisory, available at http://www.apache.org/XXXXX
Apache has been the most popular web server on the Internet since
April of 1996. The January 1998 WWW server site survey by Netcraft
(see: http://www.netcraft.co.uk/Survey/) found that more web
servers are using Apache than all other software combined; Apache
and its derivatives are run on over 50% of all web domains on the
Internet.
Included below is a summary of changes between 1.2.4 and 1.2.5, as it
appears in the CHANGES file in the "src" subdirectory in the release.
Changes with Apache 1.2.5
*) SECURITY: Fix a possible buffer overflow in logresolve. This is
only an issue on systems without a MAXDNAME define or where
the resolver returns domain names longer than MAXDNAME. [Marc Slemko]
*) Fix an improper length in an ap_snprintf call in proxy_date_canon().
[Marc Slemko]
*) Fix core dump in the ftp proxy when reading incorrectly formatted
directory listings. [Marc Slemko]
*) SECURITY: Fix possible minor buffer overflow in the proxy cache.
[Marc Slemko]
*) SECURITY: Eliminate possible buffer overflow in cfg_getline, which
is used to read various types of files such as htaccess and
htpasswd files. [Marc Slemko]
*) SECURITY: Ensure that the buffer returned by ht_time is always
properly null terminated. [Marc Slemko]
*) SECURITY: General mod_include cleanup, including fixing several
possible buffer overflows and a possible infinite loop. This cleanup
was done against 1.3 code and then backported to 1.2, the result
is a large difference (due to indentation cleanup in 1.3 code).
Users interested in seeing a smaller set of relevant differences
should consider comparing against src/modules/standard/mod_include.c
from the 1.3b3 release. Non-indentation changes to mod_include
between 1.2 and 1.3 were minimal. [Dean Gaudet, Marc Slemko]
*) SECURITY: Numerous changes to mod_imap in a general cleanup
including fixing a possible buffer overflow. This cleanup also
was done with 1.3 code as a basis, see the the previous note
about mod_include. [Dean Gaudet]
*) SECURITY: If a htaccess file can not be read due to bad
permissions, deny access to the directory with a HTTP_FORBIDDEN.
The previous behavior was to ignore the htaccess file if it could not
be read. This change may make some setups with unreadable
htaccess files stop working. PR#817 [Marc Slemko]
*) SECURITY: no2slash() was O(n^2) in the length of the input.
Make it O(n). This inefficiency could be used to mount a denial
of service attack against the Apache server. Thanks to
Michal Zalewski <lc...@boss.staszic.waw.pl> for reporting
this. [Dean Gaudet]
*) mod_include used uninitialized data for some uses of && and ||.
[Brian Slesinsky <bs...@wired.com>] PR#1139
*) mod_imap should decline all non-GET methods.
[Jay Bloodworth <ja...@pathways.sde.state.sc.us>]
*) suexec.c wouldn't build without -DLOG_EXEC. [Jason A. Dour]
*) mod_userdir was modifying r->finfo in cases where it wasn't setting
r->filename. Since those two are meant to be in sync with each other
this is a bug. ["Paul B. Henson" <he...@intranet.csupomona.edu>]
*) mod_include did not properly handle all possible redirects from sub-
requests. [Ken Coar]
*) Inetd mode (which is buggy) uses timeouts without having setup the
jmpbuffer. [Dean Gaudet] PR#1064
*) Work around problem under Linux where a child will start looping
reporting a select error over and over.
[Rick Franchuk <ri...@transpect.net>] PR#1107
Re: announcement for 1.2
Posted by Brian Behlendorf <br...@organic.com>.
Yeah, looks great. +1.
Brian
At 10:02 PM 1/4/98 -0600, Randy Terbush wrote:
>+1
>
>On Sun, Jan 04, 1998 at 07:34:25PM -0700, Marc Slemko wrote:
>> Below is my proposal for the announcement of the 1.2.5 release. Comments
>> welcome.
>>
>> Note that a security advisory will be distributed seperately, which
>> goes into more detail on the security issues.
>>
>>
>
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
specialization is for insects brian@organic.com
Re: announcement for 1.2
Posted by Martin Kraemer <Ma...@mch.sni.de>.
On Sun, Jan 04, 1998 at 07:34:25PM -0700, Marc Slemko wrote:
> Below is my proposal for the announcement of the 1.2.5 release. Comments
> welcome.
+1 -- are you going to add it to the CVS repository as well (like in 1.3)?
Martin
--
| S I E M E N S | <Ma...@mch.sni.de> | Siemens Nixdorf
| ------------- | Voice: +49-89-636-46021 | Informationssysteme AG
| N I X D O R F | FAX: +49-89-636-44994 | 81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request
Re: announcement for 1.2
Posted by Randy Terbush <ra...@covalent.net>.
+1
On Sun, Jan 04, 1998 at 07:34:25PM -0700, Marc Slemko wrote:
> Below is my proposal for the announcement of the 1.2.5 release. Comments
> welcome.
>
> Note that a security advisory will be distributed seperately, which
> goes into more detail on the security issues.
>
>