Posted to cvs@httpd.apache.org by dr...@apache.org on 2020/08/07 11:43:59 UTC

svn commit: r40898 - in /release/httpd: Announcement2.4.html Announcement2.4.txt CHANGES_2.4 CHANGES_2.4.46 CURRENT-IS-2.4.43 CURRENT-IS-2.4.46

Author: druggeri
Date: Fri Aug  7 11:43:58 2020
New Revision: 40898

Log:
Updates for announcement of 2.4.46

Added:
    release/httpd/CURRENT-IS-2.4.46
Removed:
    release/httpd/CURRENT-IS-2.4.43
Modified:
    release/httpd/Announcement2.4.html
    release/httpd/Announcement2.4.txt
    release/httpd/CHANGES_2.4
    release/httpd/CHANGES_2.4.46

Modified: release/httpd/Announcement2.4.html
==============================================================================
--- release/httpd/Announcement2.4.html (original)
+++ release/httpd/Announcement2.4.html Fri Aug  7 11:43:58 2020
@@ -52,7 +52,7 @@
                        Apache HTTP Server 2.4.46 Released
 </h1>
 <p>
-   September 21, 2018
+   August 07, 2020
 </p>
 <p>
    The Apache Software Foundation and the Apache HTTP Server Project are
@@ -62,7 +62,7 @@
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   a feature and bug fix release.
+   a security, feature and bug fix release.
 </p>
 <p>
    We consider this release to be the best version of Apache available, and
@@ -124,5 +124,9 @@ href="https://svn.apache.org/repos/asf/h
    patches.  Users must promptly complete their transitions to this 2.4.x
    release of httpd to benefit from further bug fixes or new features.
 </p>
+<p>
+   Finally, please note that support for the recently released Lua 5.4 is
+   not available in this release. Please continue to use Lua 5.3 for now.
+</p>
 </body>
 </html>
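
Review bot: the added Lua paragraph does not say which part of httpd the limitation applies to. Naming mod_lua in the sentence "support for the recently released Lua 5.4 is not available in this release" would let users who do not build that module see at once that they are unaffected. The same wording is added to Announcement2.4.txt, so any change should be made in both files.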

Modified: release/httpd/Announcement2.4.txt
==============================================================================
--- release/httpd/Announcement2.4.txt (original)
+++ release/httpd/Announcement2.4.txt Fri Aug  7 11:43:58 2020
@@ -1,6 +1,6 @@
                 Apache HTTP Server 2.4.46 Released
 
-   September 21, 2018
+   August 07, 2020
 
    The Apache Software Foundation and the Apache HTTP Server Project
    are pleased to announce the release of version 2.4.46 of the Apache
@@ -8,7 +8,7 @@
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   a feature and bug fix release.
+   a security, feature and bug fix release.
 
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.
@@ -52,3 +52,5 @@
    patches.  Users must promptly complete their transitions to this 2.4.x
    release of httpd to benefit from further bug fixes or new features.
 
+   Finally, please note that support for the recently released Lua 5.4 is
+   not available in this release. Please continue to use Lua 5.3 for now.

Modified: release/httpd/CHANGES_2.4
==============================================================================
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Fri Aug  7 11:43:58 2020
@@ -1,7 +1,22 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.46
+  *) SECURITY: CVE-2020-11984 (cve.mitre.org)
+     mod_proxy_uwsgi: Malicious request may result in information disclosure
+     or RCE of existing file on the server running under a malicious process
+     environment. [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-11993 (cve.mitre.org)
+     mod_http2: when throttling connection requests, log statements
+     where possibly made that result in concurrent, unsafe use of
+     a memory pool. [Stefan Eissing]
+
+  *) SECURITY: 
+     mod_http2: a specially crafted value for the 'Cache-Digest' header
+     request would result in a crash when the server actually tries
+     to HTTP/2 PUSH a resource afterwards.
+     [Stefan Eissing, Eric Covener, Christophe Jaillet]
+
   *) mod_proxy_fcgi: Fix build warnings for Windows platform
-     [Eric Covener, Christophe Jaillet]
 
 Changes with Apache 2.4.45
 
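Review bot: the mod_proxy_fcgi entry is left with no credit line. The removed "[Eric Covener, Christophe Jaillet]" was its attribution, and the same two names now appear at the end of the new Cache-Digest entry's credit, which looks like an accidental merge of the two lines; please confirm who is credited for which change and restore a credit line under mod_proxy_fcgi. In the added entries, the third "SECURITY:" line carries no CVE identifier (the other two do) and ends in trailing whitespace, "where possibly made" in the CVE-2020-11993 entry should read "were possibly made", and "RCE of existing file on the server" in the CVE-2020-11984 entry is hard to parse and would benefit from rewording.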

Modified: release/httpd/CHANGES_2.4.46
==============================================================================
--- release/httpd/CHANGES_2.4.46 (original)
+++ release/httpd/CHANGES_2.4.46 Fri Aug  7 11:43:58 2020
@@ -1,7 +1,22 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.46
+  *) SECURITY: CVE-2020-11984 (cve.mitre.org)
+     mod_proxy_uwsgi: Malicious request may result in information disclosure
+     or RCE of existing file on the server running under a malicious process
+     environment. [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-11993 (cve.mitre.org)
+     mod_http2: when throttling connection requests, log statements
+     where possibly made that result in concurrent, unsafe use of
+     a memory pool. [Stefan Eissing]
+
+  *) SECURITY: 
+     mod_http2: a specially crafted value for the 'Cache-Digest' header
+     request would result in a crash when the server actually tries
+     to HTTP/2 PUSH a resource afterwards. 
+     [Stefen Eissing, Eric Covener, Christophe Jaillet]
+
   *) mod_proxy_fcgi: Fix build warnings for Windows platform
-     [Eric Covener, Christophe Jaillet]
 
 Changes with Apache 2.4.45
 
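Review bot: "Stefen Eissing" in the Cache-Digest entry's credit line is misspelled; the CVE-2020-11993 entry two paragraphs above it, and the CHANGES_2.4 copy of this entry in the same commit, both have "Stefan Eissing". This copy also shares the other problems of the CHANGES_2.4 text: the mod_proxy_fcgi entry loses its "[Eric Covener, Christophe Jaillet]" credit, the third "SECURITY:" line has no CVE identifier, and "where possibly made" should be "were possibly made". Since the two files are meant to carry the same entries, generating one from the other would avoid this kind of drift.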
@@ -67,3 +82,13 @@ Changes with Apache 2.4.44
   *) mod_proxy_http2: respect ProxyTimeout settings on backend connections
      while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
 
+  [Apache 2.3.0-dev includes those bug fixes and changes with the
+   Apache 2.2.xx tree as documented, and except as noted, below.]
+
+Changes with Apache 2.2.x and later:
+
+  *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
+
+Changes with Apache 2.0.x and later:
+
+  *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
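
Review bot: the two viewvc links added at the end of the file use http://svn.apache.org/, while the announcement page in this same commit links to svn.apache.org over https; use https:// here as well. This footer is also added only to CHANGES_2.4.46, and the CHANGES_2.4 diff in this commit has no matching hunk, so please check that the two files are intended to differ at this point.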

Added: release/httpd/CURRENT-IS-2.4.46
==============================================================================
    (empty)