Posted to cvs@httpd.apache.org by jo...@apache.org on 2004/09/15 12:59:17 UTC
cvs commit: httpd-dist Announcement2.txt
jorton 2004/09/15 03:59:17
Modified: . Announcement2.txt
Log:
Draft text with feedback from Sander & Mark.
Revision Changes Path
1.43 +35 -21 httpd-dist/Announcement2.txt
Index: Announcement2.txt
===================================================================
RCS file: /home/cvs/httpd-dist/Announcement2.txt,v
retrieving revision 1.42
retrieving revision 1.43
diff -d -w -u -r1.42 -r1.43
--- Announcement2.txt 1 Jul 2004 16:55:41 -0000 1.42
+++ Announcement2.txt 15 Sep 2004 10:59:17 -0000 1.43
@@ -1,32 +1,46 @@
- Apache HTTP Server 2.0.50 Released
+ Apache HTTP Server 2.0.51 Released
The Apache Software Foundation and the The Apache HTTP Server Project are
- pleased to announce the release of version 2.0.50 of the Apache HTTP
+ pleased to announce the release of version 2.0.51 of the Apache HTTP
Server ("Apache"). This Announcement notes the significant changes
- in 2.0.50 as compared to 2.0.49. The Announcement is also available in
- German and Japanese from:
+ in 2.0.51 as compared to 2.0.50.
- http://www.apache.org/dist/httpd/Announcement2.txt.de
- http://www.apache.org/dist/httpd/Announcement2.txt.ja
+ This version of Apache is principally a bug fix release. Of
+ particular note is that 2.0.51 addresses five security
+ vulnerabilities:
- This version of Apache is principally a bug fix release. A summary of
- the bug fixes is given at the end of this document. Of particular
- note is that 2.0.50 addresses two security vulnerabilities:
+ An input validation issue in IPv6 literal address parsing which
+ can result in a negative length parameter being passed to memcpy.
+ [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786]
- A remotely triggered memory leak in http header parsing can allow a
- denial of service attack due to excessive memory consumption.
- [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493]
+ A buffer overflow in configuration file parsing could allow a
+ local user to gain the privileges of a httpd child if the server
+ can be forced to parse a carefully crafted .htaccess file.
+ [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0747]
- Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a
- (trusted) client certificate subject DN which exceeds 6K in length.
- [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488]
+ A segfault in mod_ssl which can be triggered by a malicious
+ remote server, if proxying to SSL servers has been configured.
+ [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0751]
- This release is compatible with modules compiled for 2.0.42 and later
- versions. We consider this release to be the best version of Apache
- available and encourage users of all prior versions to upgrade.
+ A potential infinite loop in mod_ssl which could be triggered
+ given particular timing of a connection abort.
+ [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748]
- Apache HTTP Server 2.0.50 is available for download from
+ A segfault in mod_dav_fs which can be remotely triggered by an
+ indirect lock refresh request.
+ [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0809]
+
+ The Apache HTTP Server Project would like to thank Codenomicon for
+ supplying copies of their "HTTP Test Tool", using which one of the
+ above issues was discovered (CVE CAN-2004-0786).
+
+ This release is compatible with modules compiled for 2.0.42 and
+ later versions. We consider this release to be the best version of
+ Apache available and encourage users of all prior versions to
+ upgrade.
+
+ Apache HTTP Server 2.0.51 is available for download from
http://httpd.apache.org/download.cgi
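Review bot: The first added entry (CAN-2004-0786) describes only the mechanism, "a negative length parameter being passed to memcpy". Unlike the other four entries, it does not say what the consequence is or who can trigger it. Since this is the text administrators will use to prioritise the upgrade, add the impact and the trigger in the same style as the mod_ssl and mod_dav_fs entries. The CAN-2004-0748 entry would also benefit from stating whether the connection abort can be caused by a remote client. Smaller points: "(CVE CAN-2004-0786)" in the Codenomicon credit doubles the prefix, and "(CAN-2004-0786)" would match the bracketed references above. The unchanged context line still reads "and the The Apache HTTP Server Project", which could be fixed while this paragraph is being edited. The rewritten opening paragraph also drops "A summary of the bug fixes is given at the end of this document"; if that summary is still present further down, keep the pointer.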