You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ji...@apache.org on 2008/06/10 19:49:55 UTC
svn commit: r666236 - in /httpd/site/trunk/dist: Announcement2.2.html
Announcement2.2.txt
Author: jim
Date: Tue Jun 10 10:49:55 2008
New Revision: 666236
URL: http://svn.apache.org/viewvc?rev=666236&view=rev
Log:
prepare for 2.2.9
Modified:
httpd/site/trunk/dist/Announcement2.2.html
httpd/site/trunk/dist/Announcement2.2.txt
Modified: httpd/site/trunk/dist/Announcement2.2.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.2.html?rev=666236&r1=666235&r2=666236&view=diff
==============================================================================
--- httpd/site/trunk/dist/Announcement2.2.html (original)
+++ httpd/site/trunk/dist/Announcement2.2.html Tue Jun 10 10:49:55 2008
@@ -14,10 +14,10 @@
>
<img src="../../images/apache_sub.gif" alt="">
-<h1>Apache HTTP Server 2.2.8 Released</h1>
+<h1>Apache HTTP Server 2.2.9 Released</h1>
<p>The Apache Software Foundation and the Apache HTTP Server Project are
-pleased to announce the release of version 2.2.8 of the Apache HTTP Server
+pleased to announce the release of version 2.2.9 of the Apache HTTP Server
("Apache").</p>
<p>This version of Apache is principally a bug and security fix release.
@@ -26,48 +26,16 @@
<ul>
<li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6421">CVE-2007-6421:</a>
- mod_proxy_balancer: Correctly escape the worker route and the worker
- redirect string in the HTML output of the balancer manager.
- Reported by SecurityReason.
-<br />
- A flaw was found in the mod_proxy_balancer module. On sites where
- mod_proxy_balancer is enabled, a cross-site scripting attack against
- an authorized user is possible.
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364">CVE-2008-2364:</a>
+ mod_proxy_http: Better handling of excessive interim responses
+ from origin server to prevent potential denial of service and high
+ memory usage. Reported by Ryujiro Shibuya.
</li>
<li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6422">CVE-2007-6422:</a>
- Prevent crash in balancer manager if invalid balancer name is passed
- as parameter. Reported by SecurityReason.
-<br />
- A flaw was found in the mod_proxy_balancer module. On sites where
- mod_proxy_balancer is enabled, an authorized user could send a
- carefully crafted request that would cause the Apache child process
- handling that request to crash. This could lead to a denial of
- service if using a threaded Multi-Processing Module.
-</li>
-
-<li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388">CVE-2007-6388:</a>
- mod_status: Ensure refresh parameter is numeric to prevent
- a possible XSS attack caused by redirecting to other URLs.
- Reported by SecurityReason.
-<br />
- A flaw was found in the mod_status module. On sites where mod_status
- is enabled and the status pages were publicly accessible, a
- cross-site scripting attack is possible. Note that the server-status
- page is not enabled by default and it is best practice to not make
- this publicly available.
-</li>
-
-<li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000 ">CVE-2007-5000 :</a>
- mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.
-<br />
- A flaw was found in the mod_imap module. On sites where
- mod_imap is enabled and an imagemap file is publicly available, a
- cross-site scripting attack is possible.
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6420">CVE-2007-6420:</a>
+ mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager
+ interface.
</li>
</ul>
@@ -77,7 +45,7 @@
encourage users of all prior versions to upgrade.
</p>
-<p>Apache HTTP Server 2.2.8 is available for download from:</p>
+<p>Apache HTTP Server 2.2.9 is available for download from:</p>
<dl>
<dd><a href="http://httpd.apache.org/download.cgi"
>http://httpd.apache.org/download.cgi</a></dd>
@@ -96,10 +64,10 @@
<p>
Please see the CHANGES_2.2 file, linked from the download page, for a
-full list of changes. A condensed list, CHANGES_2.2.8 provides the
-complete list of changes since 2.2.6 (2.2.7 was not released).
+full list of changes. A condensed list, CHANGES_2.2.9 provides the
+complete list of changes since 2.2.8.
A summary of security vulnerabilities
-which were addressed in the previous 2.2.6 and earlier releases is available:
+which were addressed in the previous 2.2.8 and earlier releases is available:
<dl>
<dd><a href="http://httpd.apache.org/security/vulnerabilities_22.html"
>http://httpd.apache.org/security/vulnerabilities_22.html</a>
@@ -116,7 +84,7 @@
<p>
This release includes the <a href="http://apr.apache.org/"
->Apache Portable Runtime</a> (APR) version 1.2.12
+>Apache Portable Runtime</a> (APR) version 1.3.0
bundled with the tar and zip distributions. The APR libraries libapr and
libaprutil (and on Win32, libapriconv) must all be updated to ensure
binary compatibility and address many known platform bugs.
Modified: httpd/site/trunk/dist/Announcement2.2.txt
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.2.txt?rev=666236&r1=666235&r2=666236&view=diff
==============================================================================
--- httpd/site/trunk/dist/Announcement2.2.txt (original)
+++ httpd/site/trunk/dist/Announcement2.2.txt Tue Jun 10 10:49:55 2008
@@ -1,51 +1,24 @@
- Apache HTTP Server 2.2.8 Released
+ Apache HTTP Server 2.2.9 Released
The Apache Software Foundation and the Apache HTTP Server Project are
- pleased to announce the release of version 2.2.8 of the Apache HTTP Server
+ pleased to announce the release of version 2.2.9 of the Apache HTTP Server
("Apache"). This version of Apache is principally a bug and security fix
release. The following potential security flaws are addressed:
- * CVE-2007-6421 (cve.mitre.org)
- mod_proxy_balancer: Correctly escape the worker route and the worker
- redirect string in the HTML output of the balancer manager.
- Reported by SecurityReason.
-
- A flaw was found in the mod_proxy_balancer module. On sites where
- mod_proxy_balancer is enabled, a cross-site scripting attack against
- an authorized user is possible.
-
- * CVE-2007-6422 (cve.mitre.org)
- Prevent crash in balancer manager if invalid balancer name is passed
- as parameter. Reported by SecurityReason.
-
- A flaw was found in the mod_proxy_balancer module. On sites where
- mod_proxy_balancer is enabled, an authorized user could send a
- carefully crafted request that would cause the Apache child process
- handling that request to crash. This could lead to a denial of
- service if using a threaded Multi-Processing Module.
-
- * CVE-2007-6388 (cve.mitre.org)
- mod_status: Ensure refresh parameter is numeric to prevent
- a possible XSS attack caused by redirecting to other URLs.
- Reported by SecurityReason.
-
- A flaw was found in the mod_status module. On sites where mod_status
- is enabled and the status pages were publicly accessible, a
- cross-site scripting attack is possible. Note that the server-status
- page is not enabled by default and it is best practice to not make
- this publicly available.
-
- * CVE-2007-5000 (cve.mitre.org)
- mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.
-
- A flaw was found in the mod_imap module. On sites where
- mod_imap is enabled and an imagemap file is publicly available, a
- cross-site scripting attack is possible.
+ * CVE-2008-2364 (cve.mitre.org)
+ mod_proxy_http: Better handling of excessive interim responses
+ from origin server to prevent potential denial of service and high
+ memory usage. Reported by Ryujiro Shibuya.
+
+ * CVE-2007-6420 (cve.mitre.org)
+ mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager
+ interface.
+
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
- Apache HTTP Server 2.2.8 is available for download from:
+ Apache HTTP Server 2.2.9 is available for download from:
http://httpd.apache.org/download.cgi
@@ -56,10 +29,9 @@
http://httpd.apache.org/docs/2.2/new_features_2_2.html
Please see the CHANGES_2.2 file, linked from the download page, for a
- full list of changes. A condensed list, CHANGES_2.2.8 provides the
- complete list of changes since 2.2.6 (2.2.7 was not released). A summary
- of security vulnerabilities which were addressed in the previous 2.2.6
- and earlier releases is available:
+ full list of changes. A condensed list, CHANGES_2.2.9 provides the
+ complete list of changes since 2.2.8. A summary of security vulnerabilities
+ which were addressed in the previous 2.2.8 and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html
@@ -70,7 +42,7 @@
Apache 2.2, as only limited maintenance is performed on these legacy
versions.
- This release includes the Apache Portable Runtime (APR) version 1.2.12
+ This release includes the Apache Portable Runtime (APR) version 1.3.0
bundled with the tar and zip distributions. The APR libraries libapr
and libaprutil (and on Win32, libapriconv) must all be updated to ensure
binary compatibility and address many known platform bugs.