You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ji...@apache.org on 2014/03/16 18:23:10 UTC

svn commit: r4664 - in /release/httpd: Announcement2.4.html Announcement2.4.txt

Author: jim
Date: Sun Mar 16 17:23:10 2014
New Revision: 4664

Log:
And the Announcements...

Modified:
    release/httpd/Announcement2.4.html
    release/httpd/Announcement2.4.txt

Modified: release/httpd/Announcement2.4.html
==============================================================================
--- release/httpd/Announcement2.4.html (original)
+++ release/httpd/Announcement2.4.html Sun Mar 16 17:23:10 2014
@@ -15,38 +15,50 @@
 <img src="../../images/apache_sub.gif" alt="" />
 
 <h1>
-                       Apache HTTP Server 2.4.7 Released
+                       Apache HTTP Server 2.4.9 Released
 </h1>
 <p>
    The Apache Software Foundation and the Apache HTTP Server Project are
    pleased to <a href="http://www.apache.org/dist/httpd/Announcement2.4.html">announce</a>
-   the release of version 2.4.7 of the Apache
+   the release of version 2.4.9 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of
    innovation by the project, and is recommended over all previous releases. This
-   release of Apache is principally a feature
+   release of Apache is principally a security, feature
    and bug fix release.
 </p>
+<ul>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098">CVE-2014-0098</a>
+     Segfaults with truncated cookie logging.
+     mod_log_config: Prevent segfaults when logging truncated
+     cookies. Clean up the cookie logging parser to recognize
+     only the cookie=value pairs, not valueless cookies.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438">CVE-2013-6438</a>
+     mod_dav: Keep track of length of cdata properly when removing
+     leading spaces. Eliminates a potential denial of service from
+     specifically crafted DAV WRITE requests
+</li>
+</ul>
 <p>
    Also in this release are some exciting new features including:
 </p>
 <ul>
-    <li>Major updates to mod_proxy_fcgi</li>
-    <li>Higher performant event MPM</li>
-    <li>Enhancements to the WinNT MPM</li>
+    <li>Finer control over scoping of RewriteRules</li>
+    <li>Unix Domain Socket (UDS) support for mod_proxy backends.</li>
+    <li>Support for larger shared memory sizes for mod_socache_shmcb</li>
+    <li>mod_lua and mod_ssl enhancements</li>
+    <li>Support named groups and backreferences within the LocationMatch,
+     DirectoryMatch, FilesMatch and ProxyMatch directives.</li>
 </ul>
 <p>
    We consider this release to be the best version of Apache available, and
-   encourage users of all prior versions to upgrade.
-</p>
-<p>
-     NOTE: With this release, the Event MPM checks for acceptable use
-         of atomic operations. If the Event MPM no longer works on
-         your platform, be sure to contact dev@httpd.apache.org.
+   encourage users of all prior versions to upgrade. [NOTE: 2.4.8 was not
+   released.]
 </p>
 <p>
-   Apache HTTP Server 2.4.7 is available for download from:
+   Apache HTTP Server 2.4.9 is available for download from:
 </p>
 <dl>
   <dd><a href="http://httpd.apache.org/download.cgi"
@@ -54,7 +66,7 @@
 </dl>
 <p>
    Please see the CHANGES_2.4 file, linked from the download page, for a
-   full list of changes.  A condensed list, CHANGES_2.4.7 includes only
+   full list of changes.  A condensed list, CHANGES_2.4.9 includes only
    those changes introduced since the prior 2.4 release.  A summary of all 
    of the security vulnerabilities addressed in this and earlier releases 
    is available:

Modified: release/httpd/Announcement2.4.txt
==============================================================================
--- release/httpd/Announcement2.4.txt (original)
+++ release/httpd/Announcement2.4.txt Sun Mar 16 17:23:10 2014
@@ -1,28 +1,38 @@
-                Apache HTTP Server 2.4.7 Released
+                Apache HTTP Server 2.4.9 Released
 
    The Apache Software Foundation and the Apache HTTP Server Project
-   are pleased to announce the release of version 2.4.7 of the Apache
+   are pleased to announce the release of version 2.4.9 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   principally a feature and bug fix release.
+   principally a security, feature and bug fix release.
 
+   CVE-2014-0098 (cve.mitre.org)
+     Segfaults with truncated cookie logging.
+     mod_log_config: Prevent segfaults when logging truncated
+     cookies. Clean up the cookie logging parser to recognize
+     only the cookie=value pairs, not valueless cookies.
+
+   CVE-2013-6438 (cve.mitre.org)
+     mod_dav: Keep track of length of cdata properly when removing
+     leading spaces. Eliminates a potential denial of service from
+     specifically crafted DAV WRITE requests
 
    Also in this release are some exciting new features including:
 
-    *) Major updates to mod_proxy_fcgi
-    *) Higher performant event MPM
-    *) Enhancements to the WinNT MPM
+    *) Finer control over scoping of RewriteRules
+    *) Unix Domain Socket (UDS) support for mod_proxy backends.
+    *) Support for larger shared memory sizes for mod_socache_shmcb
+    *) mod_lua and mod_ssl enhancements
+    *) Support named groups and backreferences within the LocationMatch,
+       DirectoryMatch, FilesMatch and ProxyMatch directives.
 
    We consider this release to be the best version of Apache available, and
-   encourage users of all prior versions to upgrade.
+   encourage users of all prior versions to upgrade. [NOTE: 2.4.8 was not
+   released.]
 
-   NOTE: With this release, the Event MPM checks for acceptable use
-         of atomic operations. If the Event MPM no longer works on
-         your platform, be sure to contact dev@httpd.apache.org.
-
-   Apache HTTP Server 2.4.7 is available for download from:
+   Apache HTTP Server 2.4.9 is available for download from:
 
      http://httpd.apache.org/download.cgi
 
@@ -33,7 +43,7 @@
      http://httpd.apache.org/docs/trunk/new_features_2_4.html
 
    Please see the CHANGES_2.4 file, linked from the download page, for a
-   full list of changes. A condensed list, CHANGES_2.4.7 includes only
+   full list of changes. A condensed list, CHANGES_2.4.9 includes only
    those changes introduced since the prior 2.4 release.  A summary of all 
    of the security vulnerabilities addressed in this and earlier releases 
    is available: