Posted to cvs@httpd.apache.org by dr...@apache.org on 2018/03/24 02:50:07 UTC
svn commit: r25924 - in /release/httpd: Announcement2.4.html Announcement2.4.txt CHANGES_2.4
Author: druggeri
Date: Sat Mar 24 02:50:06 2018
New Revision: 25924
Log:
Updates for announcement of 2.4.33
Modified:
release/httpd/Announcement2.4.html
release/httpd/Announcement2.4.txt
release/httpd/CHANGES_2.4
Modified: release/httpd/Announcement2.4.html
==============================================================================
--- release/httpd/Announcement2.4.html (original)
+++ release/httpd/Announcement2.4.html Sat Mar 24 02:50:06 2018
@@ -52,7 +52,7 @@
Apache HTTP Server 2.4.33 Released
</h1>
<p>
- March 13, 2018
+ March 23, 2018
</p>
<p>
The Apache Software Foundation and the Apache HTTP Server Project are
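Review bot: the release date in this hunk moves from March 13 to March 23, 2018, and the same line is changed identically in the Announcement2.4.txt hunk later in this commit, so the HTML and text announcements stay in sync; nothing else in this hunk needs attention.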
@@ -62,7 +62,7 @@
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
- a security, feature, and bug fix release.
+ a security, feature and bug fix release.
</p>
<p>
We consider this release to be the best version of Apache available, and
Modified: release/httpd/Announcement2.4.txt
==============================================================================
--- release/httpd/Announcement2.4.txt (original)
+++ release/httpd/Announcement2.4.txt Sat Mar 24 02:50:06 2018
@@ -1,6 +1,6 @@
Apache HTTP Server 2.4.33 Released
- March 13, 2018
+ March 23, 2018
The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.33 of the Apache
@@ -8,7 +8,7 @@
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
- a security, feature, and bug fix release.
+ a security, feature and bug fix release.
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
Modified: release/httpd/CHANGES_2.4
==============================================================================
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Sat Mar 24 02:50:06 2018
@@ -65,13 +65,23 @@ Changes with Apache 2.4.31
Changes with Apache 2.4.30
- *) mod_session: Strip Session header when SessionEnv is on. [Yann Ylavic]
-
- *) mod_cache_socache: Fix caching of empty headers up to carriage return.
+ *) SECURITY: CVE-2017-15710 (cve.mitre.org)
+ Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
+ [Eric Covener, Luca Toscano, Yann Ylavic]
+
+ *) CVE-2018-1283 (cve.mitre.org)
+ mod_session: CGI-like applications that intend to read from mod_session's
+ 'SessionEnv ON' could be fooled into reading user-supplied data instead.
[Yann Ylavic]
- *) core: For consistency, ensure that read lines are NUL terminated on any
- error, not only on buffer full. [Yann Ylavic]
+ *) SECURITY: CVE-2018-1303 (cve.mitre.org)
+ mod_cache_socache: Fix request headers parsing to avoid a possible crash
+ with specially crafted input data. [Ruediger Pluem]
+
+ *) CVE-2018-1301 (cve.mitre.org)
+ core: Possible crash with excessively long HTTP request headers.
+ Impractical to exploit with a production build and production LogLevel.
+ [Yann Ylavic]
*) mod_authnz_ldap: Fix language long names detection as short name.
[Yann Ylavic]
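Review bot: the "SECURITY:" prefix is applied inconsistently within this hunk: the CVE-2017-15710 and CVE-2018-1303 entries carry it, while the CVE-2018-1283 and CVE-2018-1301 entries open directly with the CVE identifier. Suggest prefixing all four the same way, e.g. "*) SECURITY: CVE-2018-1283 (cve.mitre.org)" and "*) SECURITY: CVE-2018-1301 (cve.mitre.org)", so every security fix in the 2.4.30 section can be found with one pattern. The removed mod_session and core entries are replaced by CVE entries for the same modules, which reads as intended; if they describe the same underlying fixes, the PR or bug references from the old wording could be kept so readers can still trace them.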
@@ -80,10 +90,15 @@ Changes with Apache 2.4.30
longer fatal errors; it is logged and the truncated values are stored.
[Jim Jagielski]
- *) regex: Allow to configure global/default options for regexes, like
- caseless matching or extended format. [Yann Ylavic]
-
- *) mod_auth_digest: Actually use the secret when generating nonces. This change
+ *) CVE-2017-15715 (cve.mitre.org)
+ core: Configure the regular expression engine to match '$' to the end of
+ the input string only, excluding matching the end of any embedded
+ newline characters. Behavior can be changed with new directive
+ 'RegexDefaultOptions'. [Yann Ylavic]
+
+ *) SECURITY: CVE-2018-1312 (cve.mitre.org)
+ mod_auth_digest: Fix generation of nonce values to prevent replay
+ attacks across servers using a common Digest domain. This change
may cause problems if used with round robin load balancers. PR 54637
[Stefan Fritsch]
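Review bot: same consistency point here: the CVE-2017-15715 entry lacks the "SECURITY:" prefix that the CVE-2018-1312 entry in this hunk has; suggest "*) SECURITY: CVE-2017-15715 (cve.mitre.org)". The rewritten mod_auth_digest text joins correctly with the retained context lines ("... using a common Digest domain. This change" / "may cause problems if used with round robin load balancers. PR 54637"), and the CVE-2017-15715 entry usefully names the new 'RegexDefaultOptions' directive that the removed regex entry described, so administrators can find the knob that restores the old '$' matching behaviour.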
@@ -108,6 +123,10 @@ Changes with Apache 2.4.30
*) mod_proxy_balancer,mod_slotmem_shm: Rework SHM reuse/deletion to not
depend on the number of restarts (non-Unix systems) and preserve shared
+ *) CVE-2018-1302 (cve.mitre.org)
+ mod_http2: Potential crash w/ mod_http2.
+ [Stefan Eissing]
+
names as much as possible on configuration changes for SHMs and persisted
files. PR 62044. [Yann Ylavic, Jim Jagielski]
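Review bot: the insertion point of the CVE-2018-1302 entry is wrong: the three added lines land between the second and third lines of the existing mod_proxy_balancer,mod_slotmem_shm entry ("... and preserve shared" / "names as much as possible on configuration changes ..."), splitting that entry in two. Move the added block so it sits either before "*) mod_proxy_balancer,mod_slotmem_shm: Rework SHM reuse/deletion to not" or after "files. PR 62044. [Yann Ylavic, Jim Jagielski]". While relocating it, consider adding the "SECURITY:" prefix used by other CVE entries in this file, and a slightly more specific description than "Potential crash w/ mod_http2", since the module name is already given on the same line.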