Posted to cvs@httpd.apache.org by wr...@apache.org on 2016/12/20 19:37:49 UTC
svn commit: r17508 - in /release/httpd: Announcement2.4.html Announcement2.4.txt
Author: wrowe
Date: Tue Dec 20 19:37:49 2016
New Revision: 17508
Log:
Flesh out 2.4.25 details
Modified:
release/httpd/Announcement2.4.html
release/httpd/Announcement2.4.txt
Modified: release/httpd/Announcement2.4.html
==============================================================================
--- release/httpd/Announcement2.4.html (original)
+++ release/httpd/Announcement2.4.html Tue Dec 20 19:37:49 2016
@@ -23,10 +23,34 @@
the release of version 2.4.25 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
- represents fifteen years of
- innovation by the project, and is recommended over all previous releases. This
- release of Apache is principally a security, feature, and bug fix release.
+ represents fifteen years of innovation by the project, and is
+ recommended over all previous releases. This release of Apache is
+ a security, feature, and bug fix release, and addresses these
+ specific security defects as well as other fixes:
</p>
+<ul>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736">CVE-2016-0736</a>
+ mod_session_crypto: Authenticate the session data/cookie with a
+ MAC (SipHash) to prevent deciphering or tampering with a padding
+ oracle attack.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161">CVE-2016-2161</a>
+ mod_auth_digest: Prevent segfaults during client entry allocation
+ when the shared memory space is exhausted.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387">CVE-2016-5387</a>
+ core: Mitigate [f]cgi "httpoxy" issues.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740">CVE-2016-8740</a>
+ mod_http2: Mitigate DoS memory exhaustion via endless
+ CONTINUATION frames.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743">CVE-2016-8743</a>
+ Enforce HTTP request grammar corresponding to RFC7230 for request
+ lines and request headers, to prevent response splitting and cache
+ pollution by malicious clients or downstream proxies.
+</li>
+</ul>
<p>
NOTE: version 2.4.24 was not released.
</p>
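Review bot: the CVE-2016-8743 item is the only list entry without a component prefix; the other four lead with the affected module (`mod_session_crypto:`, `mod_auth_digest:`, `core:`, `mod_http2:`), so prefixing the RFC7230 grammar entry the same way (`core:` if that is where the fix lives) keeps the list uniform and lets a reader scan by module. Minor: the five cve.mitre.org anchors use plain `http://`; `https://` is available for that host and avoids a mixed-scheme link on an announcement page.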
Modified: release/httpd/Announcement2.4.txt
==============================================================================
--- release/httpd/Announcement2.4.txt (original)
+++ release/httpd/Announcement2.4.txt Tue Dec 20 19:37:49 2016
@@ -6,7 +6,29 @@
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
- principally a security, feature, and bug fix release.
+ a security, feature, and bug fix release, and addresses these
+ specific security defects as well as other fixes:
+
+ CVE-2016-0736 (cve.mitre.org)
+ mod_session_crypto: Authenticate the session data/cookie with a
+ MAC (SipHash) to prevent deciphering or tampering with a padding
+ oracle attack.
+
+ CVE-2016-2161 (cve.mitre.org)
+ mod_auth_digest: Prevent segfaults during client entry allocation
+ when the shared memory space is exhausted.
+
+ CVE-2016-5387 (cve.mitre.org)
+ core: Mitigate [f]cgi "httpoxy" issues.
+
+ CVE-2016-8740 (cve.mitre.org)
+ mod_http2: Mitigate DoS memory exhaustion via endless
+ CONTINUATION frames.
+
+ CVE-2016-8743 (cve.mitre.org)
+ Enforce HTTP request grammar corresponding to RFC7230 for request
+ lines and request headers, to prevent response splitting and cache
+ pollution by malicious clients or downstream proxies.
NOTE: Version 2.4.24 was not released.
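Review bot: the last added paragraph (CVE-2016-8743) runs straight into the unchanged `NOTE: Version 2.4.24 was not released.` line, whereas every other CVE entry in this hunk is followed by a blank line; add a blank line after "pollution by malicious clients or downstream proxies." so the NOTE is set off as its own paragraph. Also, the text version tags each identifier only as `CVE-2016-xxxx (cve.mitre.org)` while the HTML version links the full `cve.mitre.org/cgi-bin/cvename.cgi?name=...` URL; spelling out the URL here too would give plain-text readers the same reference, and the same prefix consistency point applies to the CVE-2016-8743 entry as in the HTML hunk.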