Posted to cvs@httpd.apache.org by dr...@apache.org on 2018/03/24 02:50:07 UTC

svn commit: r25924 - in /release/httpd: Announcement2.4.html Announcement2.4.txt CHANGES_2.4

Author: druggeri
Date: Sat Mar 24 02:50:06 2018
New Revision: 25924

Log:
Updates for announcement of 2.4.33

Modified:
    release/httpd/Announcement2.4.html
    release/httpd/Announcement2.4.txt
    release/httpd/CHANGES_2.4

Modified: release/httpd/Announcement2.4.html
==============================================================================
--- release/httpd/Announcement2.4.html (original)
+++ release/httpd/Announcement2.4.html Sat Mar 24 02:50:06 2018
@@ -52,7 +52,7 @@
                        Apache HTTP Server 2.4.33 Released
 </h1>
 <p>
-   March 13, 2018
+   March 23, 2018
 </p>
 <p>
    The Apache Software Foundation and the Apache HTTP Server Project are
@@ -62,7 +62,7 @@
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   a security, feature, and bug fix release.
+   a security, feature and bug fix release.
 </p>
 <p>
    We consider this release to be the best version of Apache available, and

Modified: release/httpd/Announcement2.4.txt
==============================================================================
--- release/httpd/Announcement2.4.txt (original)
+++ release/httpd/Announcement2.4.txt Sat Mar 24 02:50:06 2018
@@ -1,6 +1,6 @@
                 Apache HTTP Server 2.4.33 Released
 
-   March 13, 2018
+   March 23, 2018
 
    The Apache Software Foundation and the Apache HTTP Server Project
    are pleased to announce the release of version 2.4.33 of the Apache
@@ -8,7 +8,7 @@
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   a security, feature, and bug fix release.
+   a security, feature and bug fix release.
 
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.

Modified: release/httpd/CHANGES_2.4
==============================================================================
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Sat Mar 24 02:50:06 2018
@@ -65,13 +65,23 @@ Changes with Apache 2.4.31
 
 Changes with Apache 2.4.30
 
-  *) mod_session: Strip Session header when SessionEnv is on.  [Yann Ylavic]
-
-  *) mod_cache_socache: Fix caching of empty headers up to carriage return.
+  *) SECURITY: CVE-2017-15710 (cve.mitre.org)
+     Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
+     [Eric Covener, Luca Toscano, Yann Ylavic]
+
+  *) CVE-2018-1283 (cve.mitre.org)
+     mod_session: CGI-like applications that intend to read from mod_session's 
+     'SessionEnv ON' could be fooled into reading user-supplied data instead.
      [Yann Ylavic]
 
-  *) core: For consistency, ensure that read lines are NUL terminated on any
-     error, not only on buffer full.  [Yann Ylavic]
+  *) SECURITY: CVE-2018-1303 (cve.mitre.org)
+     mod_cache_socache: Fix request headers parsing to avoid a possible crash
+     with specially crafted input data.  [Ruediger Pluem]
+
+  *) CVE-2018-1301 (cve.mitre.org)
+     core: Possible crash with excessively long HTTP request headers. 
+     Impractical to exploit with a production build and production LogLevel.
+     [Yann Ylavic]
 
   *) mod_authnz_ldap: Fix language long names detection as short name.
      [Yann Ylavic]
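Review bot: the "SECURITY:" prefix is applied inconsistently in this hunk: CVE-2017-15710 and CVE-2018-1303 carry it, while the CVE-2018-1283 (mod_session) and CVE-2018-1301 (core) entries start with the bare CVE identifier. Since CHANGES readers and tooling grep for that prefix, all four should read "*) SECURITY: CVE-... (cve.mitre.org)". Two of the added lines also carry trailing whitespace ("mod_session's " and "request headers. "), which should be stripped before this is published.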
@@ -80,10 +90,15 @@ Changes with Apache 2.4.30
      longer fatal errors; it is logged and the truncated values are stored.
      [Jim Jagielski]
 
-  *) regex: Allow to configure global/default options for regexes, like
-     caseless matching or extended format.  [Yann Ylavic]
-
-  *) mod_auth_digest: Actually use the secret when generating nonces. This change
+  *) CVE-2017-15715 (cve.mitre.org)
+     core: Configure the regular expression engine to match '$' to the end of
+     the input string only, excluding matching the end of any embedded 
+     newline characters. Behavior can be changed with new directive 
+     'RegexDefaultOptions'. [Yann Ylavic]
+     
+  *) SECURITY: CVE-2018-1312 (cve.mitre.org)
+     mod_auth_digest: Fix generation of nonce values to prevent replay
+     attacks across servers using a common Digest domain. This change
      may cause problems if used with round robin load balancers. PR 54637
      [Stefan Fritsch]
 
@@ -108,6 +123,10 @@ Changes with Apache 2.4.30
 
   *) mod_proxy_balancer,mod_slotmem_shm: Rework SHM reuse/deletion to not
      depend on the number of restarts (non-Unix systems) and preserve shared
+  *) CVE-2018-1302 (cve.mitre.org)
+     mod_http2: Potential crash w/ mod_http2.
+     [Stefan Eissing]
+
      names as much as possible on configuration changes for SHMs and persisted
      files.  PR 62044.  [Yann Ylavic, Jim Jagielski]
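Review bot: the CVE-2018-1302 entry is inserted in the middle of the mod_proxy_balancer,mod_slotmem_shm entry, between "preserve shared" and "names as much as possible", which leaves that entry split into two fragments and the CVE entry wedged inside someone else's sentence. Move the new block up two lines so it sits before "*) mod_proxy_balancer,mod_slotmem_shm:" (or after "files.  PR 62044.  [Yann Ylavic, Jim Jagielski]"), and add the "SECURITY:" prefix for consistency with the other CVE entries; "Potential crash w/ mod_http2" could also say a little more than the module name it already repeats.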