Posted to cvs@httpd.apache.org by wr...@apache.org on 2006/07/27 21:32:48 UTC

svn commit: r426209 - in /httpd/site/trunk: docs/download.html docs/index.html docs/security/vulnerabilities_13.html docs/security/vulnerabilities_20.html docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities_22.xml

Author: wrowe
Date: Thu Jul 27 12:32:48 2006
New Revision: 426209

URL: http://svn.apache.org/viewvc?rev=426209&view=rev
Log:

  Please doublecheck - hopefully the xslt magic was fine.

Modified:
    httpd/site/trunk/docs/download.html
    httpd/site/trunk/docs/index.html
    httpd/site/trunk/docs/security/vulnerabilities_13.html
    httpd/site/trunk/docs/security/vulnerabilities_20.html
    httpd/site/trunk/docs/security/vulnerabilities_22.html
    httpd/site/trunk/xdocs/security/vulnerabilities_22.xml

Modified: httpd/site/trunk/docs/download.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/download.html?rev=426209&r1=426208&r2=426209&view=diff
==============================================================================
--- httpd/site/trunk/docs/download.html (original)
+++ httpd/site/trunk/docs/download.html Thu Jul 27 12:32:48 2006
@@ -109,15 +109,16 @@
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
  <tr><td bgcolor="#828DA6">
   <font color="#ffffff" face="arial,helvetica,sanserif">
-   <a name="apache22"><strong>Apache HTTP Server 2.2.2 
+   <a name="apache22"><strong>Apache HTTP Server 2.2.3 
 is the best available version</strong></a>
   </font>
  </td></tr>
  <tr><td>
   <blockquote>
 <p>The Apache HTTP Server Project is pleased to announce the release of Apache
-HTTP Server, version 2.2.2.  This release represents ten years of innovation
-by the project, and is recommended over all previous releases!</p>
+HTTP Server, version 2.2.3.  This release represents ten years of innovation
+by the project, and is recommended over all previous releases!  In particular,
+this release fixes an 'important' security vulnerability in mod_rewrite.</p>
 <p>For details see the <a href="http://www.apache.org/dist/httpd/Announcement2.2.html">Official
    Announcement</a> and the <a href="[preferred]/httpd/CHANGES_2.2">CHANGES_2.2</a> list.</p>
 <p>Add-in modules for Apache 1.3 or 2.0 are not compatible with Apache 2.2.
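
Review bot: the sentence added to the 2.2.3 announcement paragraph ("this release fixes an 'important' security vulnerability in mod_rewrite") names neither the CVE nor a page where readers can check whether they are affected. Suggest linking the phrase to the entry this commit adds at security/vulnerabilities_22.html#2.2.3, which carries CVE-2006-3747 and the affected versions.
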
@@ -128,27 +129,27 @@
 <ul>
 
 <li>Unix Source: 
-<a href="[preferred]/httpd/httpd-2.2.2.tar.gz">httpd-2.2.2.tar.gz</a> 
-[<a href="http://www.apache.org/dist/httpd/httpd-2.2.2.tar.gz.asc">PGP</a>]
-[<a href="http://www.apache.org/dist/httpd/httpd-2.2.2.tar.gz.md5">MD5</a>]
+<a href="[preferred]/httpd/httpd-2.2.3.tar.gz">httpd-2.2.3.tar.gz</a> 
+[<a href="http://www.apache.org/dist/httpd/httpd-2.2.3.tar.gz.asc">PGP</a>]
+[<a href="http://www.apache.org/dist/httpd/httpd-2.2.3.tar.gz.md5">MD5</a>]
 </li>
 
 <li>Unix Source: 
-<a href="[preferred]/httpd/httpd-2.2.2.tar.bz2">httpd-2.2.2.tar.bz2</a> 
-[<a href="http://www.apache.org/dist/httpd/httpd-2.2.2.tar.bz2.asc">PGP</a>]
-[<a href="http://www.apache.org/dist/httpd/httpd-2.2.2.tar.bz2.md5">MD5</a>]
+<a href="[preferred]/httpd/httpd-2.2.3.tar.bz2">httpd-2.2.3.tar.bz2</a> 
+[<a href="http://www.apache.org/dist/httpd/httpd-2.2.3.tar.bz2.asc">PGP</a>]
+[<a href="http://www.apache.org/dist/httpd/httpd-2.2.3.tar.bz2.md5">MD5</a>]
 </li>
 
 <li>Win32 Source: 
-<a href="[preferred]/httpd/httpd-2.2.2-win32-src.zip">httpd-2.2.2-win32-src.zip</a> 
-[<a href="http://www.apache.org/dist/httpd/httpd-2.2.2-win32-src.zip.asc">PGP</a>]
-[<a href="http://www.apache.org/dist/httpd/httpd-2.2.2-win32-src.zip.md5">MD5</a>]
+<a href="[preferred]/httpd/httpd-2.2.3-win32-src.zip">httpd-2.2.3-win32-src.zip</a> 
+[<a href="http://www.apache.org/dist/httpd/httpd-2.2.3-win32-src.zip.asc">PGP</a>]
+[<a href="http://www.apache.org/dist/httpd/httpd-2.2.3-win32-src.zip.md5">MD5</a>]
 </li>
 
 <li>Win32 Binary (MSI Installer): 
-<a href="[preferred]/httpd/binaries/win32/apache_2.2.2-win32-x86-no_ssl.msi">apache_2.2.2-win32-x86-no_ssl.msi</a>
-[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.2.2-win32-x86-no_ssl.msi.asc">PGP</a>]
-[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.2.2-win32-x86-no_ssl.msi.md5">MD5</a>]
+<a href="[preferred]/httpd/binaries/win32/apache_2.2.3-win32-x86-no_ssl.msi">apache_2.2.3-win32-x86-no_ssl.msi</a>
+[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.2.3-win32-x86-no_ssl.msi.asc">PGP</a>]
+[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.2.3-win32-x86-no_ssl.msi.md5">MD5</a>]
 </li>
 
 <li><a href="[preferred]/httpd/">Other files</a></li>
@@ -160,15 +161,15 @@
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
  <tr><td bgcolor="#828DA6">
   <font color="#ffffff" face="arial,helvetica,sanserif">
-   <a name="apache20"><strong>Apache HTTP Server 2.0.58 
+   <a name="apache20"><strong>Apache HTTP Server 2.0.59 
 is also available</strong></a>
   </font>
  </td></tr>
  <tr><td>
   <blockquote>
-<p>Apache 2.0.58 is the current stable version of the 2.0 series, and
-is recommended over any previous 2.0 release.  This release fixes a number
-of bugs in pervious 2.0 versions.</p>
+<p>Apache 2.0.59 is the current stable version of the 2.0 series, and
+is recommended over any previous 2.0 release.  This release fixes an
+'important' security flaw in mod_rewrite.</p>
 <p>For details see the <a href="http://www.apache.org/dist/httpd/Announcement2.0.html">Official
    Announcement</a> and the <a href="[preferred]/httpd/CHANGES_2.0">CHANGES_2.0</a> list.</p>
 <p>Apache 2.0 add-in modules are not compatible with Apache 1.3 nor 2.2 modules.
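
Review bot: the 2.0.59 paragraph says "security flaw" where the 2.2.3 paragraph in this file says "security vulnerability" and the 1.3.37 paragraph says just "vulnerability", all for the same mod_rewrite issue. Use one wording in all three so readers do not take them for different issues.
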
@@ -178,27 +179,27 @@
 <ul>
 
 <li>Unix Source: 
-<a href="[preferred]/httpd/httpd-2.0.58.tar.gz">httpd-2.0.58.tar.gz</a> 
-[<a href="http://www.apache.org/dist/httpd/httpd-2.0.58.tar.gz.asc">PGP</a>]
-[<a href="http://www.apache.org/dist/httpd/httpd-2.0.58.tar.gz.md5">MD5</a>]
+<a href="[preferred]/httpd/httpd-2.0.59.tar.gz">httpd-2.0.59.tar.gz</a> 
+[<a href="http://www.apache.org/dist/httpd/httpd-2.0.59.tar.gz.asc">PGP</a>]
+[<a href="http://www.apache.org/dist/httpd/httpd-2.0.59.tar.gz.md5">MD5</a>]
 </li>
 
 <li>Unix Source: 
-<a href="[preferred]/httpd/httpd-2.0.58.tar.bz2">httpd-2.0.58.tar.bz2</a> 
-[<a href="http://www.apache.org/dist/httpd/httpd-2.0.58.tar.bz2.asc">PGP</a>]
-[<a href="http://www.apache.org/dist/httpd/httpd-2.0.58.tar.bz2.md5">MD5</a>]
+<a href="[preferred]/httpd/httpd-2.0.59.tar.bz2">httpd-2.0.59.tar.bz2</a> 
+[<a href="http://www.apache.org/dist/httpd/httpd-2.0.59.tar.bz2.asc">PGP</a>]
+[<a href="http://www.apache.org/dist/httpd/httpd-2.0.59.tar.bz2.md5">MD5</a>]
 </li>
 
 <li>Win32 Source: 
-<a href="[preferred]/httpd/httpd-2.0.58-win32-src.zip">httpd-2.0.58-win32-src.zip</a> 
-[<a href="http://www.apache.org/dist/httpd/httpd-2.0.58-win32-src.zip.asc">PGP</a>]
-[<a href="http://www.apache.org/dist/httpd/httpd-2.0.58-win32-src.zip.md5">MD5</a>]
+<a href="[preferred]/httpd/httpd-2.0.59-win32-src.zip">httpd-2.0.59-win32-src.zip</a> 
+[<a href="http://www.apache.org/dist/httpd/httpd-2.0.59-win32-src.zip.asc">PGP</a>]
+[<a href="http://www.apache.org/dist/httpd/httpd-2.0.59-win32-src.zip.md5">MD5</a>]
 </li>
 
 <li>Win32 Binary (MSI Installer): 
-<a href="[preferred]/httpd/binaries/win32/apache_2.0.58-win32-x86-no_ssl.msi">apache_2.0.58-win32-x86-no_ssl.msi</a>
-[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.0.58-win32-x86-no_ssl.msi.asc">PGP</a>]
-[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.0.58-win32-x86-no_ssl.msi.md5">MD5</a>]
+<a href="[preferred]/httpd/binaries/win32/apache_2.0.59-win32-x86-no_ssl.msi">apache_2.0.59-win32-x86-no_ssl.msi</a>
+[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.0.59-win32-x86-no_ssl.msi.asc">PGP</a>]
+[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.0.59-win32-x86-no_ssl.msi.md5">MD5</a>]
 </li>
 
 <li><a href="[preferred]/httpd/">Other files</a></li>
@@ -210,27 +211,26 @@
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
  <tr><td bgcolor="#828DA6">
   <font color="#ffffff" face="arial,helvetica,sanserif">
-   <a name="apache13"><strong>Apache 1.3.36 is also available</strong></a>
+   <a name="apache13"><strong>Apache 1.3.37 is also available</strong></a>
   </font>
  </td></tr>
  <tr><td>
   <blockquote>
-<p>Apache 1.3.36 is the current stable version of the 1.3 series, and
+<p>Apache 1.3.37 is the current stable version of the 1.3 series, and
 is recommended over any previous 1.3 release.  This release fixes
-several regressions introduced in 1.3.35 that interfered with Include'ing 
-other configuration files from the main httpd.conf configuration file.</p>
+an 'important' vulnerability in mod_rewrite.</p>
 <p>For details see the <a href="http://www.apache.org/dist/httpd/Announcement1.3.html">Official
    Announcement</a> and the <a href="[preferred]/httpd/CHANGES_1.3">CHANGES_1.3</a> list.</p>
-<p>Use the Apache 1.3.36 version only if you must use a third party module
+<p>Use the Apache 1.3.37 version only if you must use a third party module
 that is not available as an Apache 2.x module.  Modules compiled for Apache 2.x
 are not compatible with Apache 1.3, and modules compiled for Apache 1.3 are
 not compatible with Apache 2.x.</p>
 <ul>
-<li>Unix Source: <a href="[preferred]/httpd/apache_1.3.36.tar.gz">apache_1.3.36.tar.gz</a>
-[<a href="http://www.apache.org/dist/httpd/apache_1.3.36.tar.gz.asc">PGP</a>] [<a href="http://www.apache.org/dist/httpd/apache_1.3.36.tar.gz.md5">MD5</a>]</li>
+<li>Unix Source: <a href="[preferred]/httpd/apache_1.3.37.tar.gz">apache_1.3.37.tar.gz</a>
+[<a href="http://www.apache.org/dist/httpd/apache_1.3.37.tar.gz.asc">PGP</a>] [<a href="http://www.apache.org/dist/httpd/apache_1.3.37.tar.gz.md5">MD5</a>]</li>
 
-<li>Unix Source: <a href="[preferred]/httpd/apache_1.3.36.tar.Z">apache_1.3.36.tar.Z</a>
-[<a href="http://www.apache.org/dist/httpd/apache_1.3.36.tar.Z.asc">PGP</a>] [<a href="http://www.apache.org/dist/httpd/apache_1.3.36.tar.Z.md5">MD5</a>]</li>
+<li>Unix Source: <a href="[preferred]/httpd/apache_1.3.37.tar.Z">apache_1.3.37.tar.Z</a>
+[<a href="http://www.apache.org/dist/httpd/apache_1.3.37.tar.Z.asc">PGP</a>] [<a href="http://www.apache.org/dist/httpd/apache_1.3.37.tar.Z.md5">MD5</a>]</li>
 
 <li><a href="[preferred]/httpd/">Other files</a></li>
 </ul>
@@ -269,8 +269,9 @@
 % gpg --verify apache_1.3.24.tar.gz.asc
 </code></p>
 <ul>
-<li>httpd-2.0.55.tar.gz is signed by William Rowe <code>10FDE075</code></li>
-<li>httpd-1.3.36.tar.gz is signed by Jim Jagielski <code>08C975E5</code></li>
+<li>httpd-2.2.3.tar.gz is signed by William Rowe <code>10FDE075</code></li>
+<li>httpd-2.0.59.tar.gz is signed by William Rowe <code>10FDE075</code></li>
+<li>httpd-1.3.37.tar.gz is signed by William Rowe <code>10FDE075</code></li>
 </ul>
 <p>Alternatively, you can verify the MD5 signature on the files.  A
 unix program called <code>md5</code> or <code>md5sum</code> is
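
Review bot: in the signer list, the new 1.3 entry reads httpd-1.3.37.tar.gz, but the download link earlier in this file names the tarball apache_1.3.37.tar.gz, so the listed file name does not match what users download. The 1.3 signer also changes from Jim Jagielski 08C975E5 to William Rowe 10FDE075; please confirm that against the published .asc, since this list sits directly under the gpg --verify instructions.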

Modified: httpd/site/trunk/docs/index.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/index.html?rev=426209&r1=426208&r2=426209&view=diff
==============================================================================
--- httpd/site/trunk/docs/index.html (original)
+++ httpd/site/trunk/docs/index.html Thu Jul 27 12:32:48 2006
@@ -79,13 +79,15 @@
            <table border="0" cellspacing="0" cellpadding="2" width="100%">
  <tr><td bgcolor="#525D76">
   <font color="#ffffff" face="arial,helvetica,sanserif">
-   <a name="2.2.2"><strong>Apache 2.2.2 Released</strong></a>
+   <a name="2.2.3"><strong>Apache 2.2.3 Released</strong></a>
   </font>
  </td></tr>
  <tr><td>
   <blockquote>
 <p>The Apache HTTP Server Project is proud to <a href="http://www.apache.org/dist/httpd/Announcement2.2.html">announce</a>
-the release of version 2.2.2 of the Apache HTTP Server ("Apache").</p>
+the release of version 2.2.3 of the Apache HTTP Server ("Apache").  In
+addition to a number of bug fixes to release 2.2.3, this release includes
+an 'important' security fix for mod_rewrite.</p>
 <p>This version of Apache is a major release and the start of a new stable
    branch, and represents the best available version of Apache HTTP Server.
    <a href="docs/2.2/new_features_2_2.html">New features</a> include
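
Review bot: "a number of bug fixes to release 2.2.3" in the added sentence reads as though 2.2.3 itself is being fixed, while the removed line shows the previous release was 2.2.2. Suggest "a number of bug fixes since release 2.2.2", or drop the version from that clause.
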
@@ -103,22 +105,23 @@
            <table border="0" cellspacing="0" cellpadding="2" width="100%">
  <tr><td bgcolor="#525D76">
   <font color="#ffffff" face="arial,helvetica,sanserif">
-   <a name="2.0.58"><strong>Apache 2.0.58 Released</strong></a>
+   <a name="2.0.59"><strong>Apache 2.0.59 Released</strong></a>
   </font>
  </td></tr>
  <tr><td>
   <blockquote>
 <p>The Apache HTTP Server Project is proud to 
    <a href="http://www.apache.org/dist/httpd/Announcement2.0.html">announce</a>
-   the legacy release of version 2.0.58 of the Apache HTTP Server 
+   the legacy release of version 2.0.59 of the Apache HTTP Server 
    ("Apache").</p>
-<p>This version of Apache is principally a security and bug fix release.</p>
+<p>This version of Apache is principally a security release. In particular,
+   it includes an 'important' security patch to mod_rewrite.</p>
 <p>For further details, see the 
    <a href="http://www.apache.org/dist/httpd/Announcement2.0.html">announcement</a>.</p>
 <p align="center">
 <a href="download.cgi">Download</a> | 
 <a href="docs/2.0/new_features_2_0.html">New Features in Apache 2.0</a> |
-<a href="http://www.apache.org/dist/httpd/CHANGES_2.0.58">ChangeLog for 2.0.58</a> |
+<a href="http://www.apache.org/dist/httpd/CHANGES_2.0.59">ChangeLog for 2.0.59</a> |
 <a href="http://www.apache.org/dist/httpd/CHANGES_2.0">Complete ChangeLog for 2.0</a>
 </p>
   </blockquote>
@@ -127,22 +130,23 @@
            <table border="0" cellspacing="0" cellpadding="2" width="100%">
  <tr><td bgcolor="#525D76">
   <font color="#ffffff" face="arial,helvetica,sanserif">
-   <a name="1.3.36"><strong>Apache 1.3.36 Released</strong></a>
+   <a name="1.3.37"><strong>Apache 1.3.37 Released</strong></a>
   </font>
  </td></tr>
  <tr><td>
   <blockquote>
 <p>The Apache Group is pleased to announce the
-   <a href="http://www.apache.org/dist/httpd/Announcement1.3.html">legacy release of the 1.3.36 version of the Apache HTTP Server</a>.
+   <a href="http://www.apache.org/dist/httpd/Announcement1.3.html">legacy release of the 1.3.37 version of the Apache HTTP Server</a>.
 </p>
-<p>This version of Apache is principally a bug fix release.</p>
+<p>This version of Apache is principally a security release. In particular,
+   it includes an 'important' security patch to mod_rewrite.</p>
 <p>For further details, see the 
    <a href="http://www.apache.org/dist/httpd/Announcement1.3.html">announcement</a>.</p>
 <p align="center">
 <a href="download.cgi">Download</a> | 
 <a href="docs/1.3/windows.html">Apache for Win32</a> |
 <a href="docs/1.3/new_features_1_3.html">New Features in Apache 1.3</a> |
-<a href="http://www.apache.org/dist/httpd/CHANGES_1.3">ChangeLog for 1.3.36</a>
+<a href="http://www.apache.org/dist/httpd/CHANGES_1.3">ChangeLog for 1.3.37</a>
 </p>
   </blockquote>
  </td></tr>

Modified: httpd/site/trunk/docs/security/vulnerabilities_13.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_13.html?rev=426209&r1=426208&r2=426209&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_13.html (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_13.html Thu Jul 27 12:32:48 2006
@@ -80,6 +80,41 @@
            <table border="0" cellspacing="0" cellpadding="2" width="100%">
  <tr><td bgcolor="#525D76">
   <font color="#ffffff" face="arial,helvetica,sanserif">
+   <a name="1.3.37"><strong>Fixed in Apache httpd 1.3.37</strong></a>
+  </font>
+ </td></tr>
+ <tr><td>
+  <blockquote>
+<dl>
+<dd>
+<b>important: </b>
+<b>
+<name name="CVE-2006-3747">mod_rewrite off-by-one error</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747">CVE-2006-3747</a>
+<p>
+An off-by-one flaw exists in the Rewrite module, mod_rewrite.
+Depending on the manner in which Apache httpd was compiled, this
+software defect may result in a vulnerability which, in combination
+with certain types of Rewrite rules in the web server configuration
+files, could be triggered remotely.  For vulnerable builds, the nature
+of the vulnerability can be denial of service (crashing of web server
+processes) or potentially allow arbitrary code execution.
+</p>
+</dd>
+<dd>
+  Update Released: 27th July 2006<br />
+</dd>
+<dd>
+<p />
+</dd>
+</dl>
+  </blockquote>
+ </td></tr>
+</table>
+           <table border="0" cellspacing="0" cellpadding="2" width="100%">
+ <tr><td bgcolor="#525D76">
+  <font color="#ffffff" face="arial,helvetica,sanserif">
    <a name="1.3.35"><strong>Fixed in Apache httpd 1.3.35</strong></a>
   </font>
  </td></tr>
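
Review bot: the new 1.3.37 entry has no "Affects:" line; its last <dd> holds only <p />, whereas the matching entries added to vulnerabilities_20.html and vulnerabilities_22.html list affected versions. Also, <name name="CVE-2006-3747"> is emitted as-is into the generated HTML; it is not an HTML element, so it will not act as an anchor for the CVE unless the stylesheet turns it into <a name="...">. Both are worth checking against the stylesheet and the 1.3 source file.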

Modified: httpd/site/trunk/docs/security/vulnerabilities_20.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_20.html?rev=426209&r1=426208&r2=426209&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_20.html (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_20.html Thu Jul 27 12:32:48 2006
@@ -80,6 +80,42 @@
            <table border="0" cellspacing="0" cellpadding="2" width="100%">
  <tr><td bgcolor="#525D76">
   <font color="#ffffff" face="arial,helvetica,sanserif">
+   <a name="2.0.59"><strong>Fixed in Apache httpd 2.0.59</strong></a>
+  </font>
+ </td></tr>
+ <tr><td>
+  <blockquote>
+<dl>
+<dd>
+<b>important: </b>
+<b>
+<name name="CVE-2006-3747">mod_rewrite off-by-one error</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747">CVE-2006-3747</a>
+<p>
+An off-by-one flaw exists in the Rewrite module, mod_rewrite.
+Depending on the manner in which Apache httpd was compiled, this
+software defect may result in a vulnerability which, in combination
+with certain types of Rewrite rules in the web server configuration
+files, could be triggered remotely.  For vulnerable builds, the nature
+of the vulnerability can be denial of service (crashing of web server
+processes) or potentially allow arbitrary code execution.
+</p>
+</dd>
+<dd>
+  Update Released: 27th July 2006<br />
+</dd>
+<dd>
+      Affects: 
+    2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46<p />
+</dd>
+</dl>
+  </blockquote>
+ </td></tr>
+</table>
+           <table border="0" cellspacing="0" cellpadding="2" width="100%">
+ <tr><td bgcolor="#525D76">
+  <font color="#ffffff" face="arial,helvetica,sanserif">
    <a name="2.0.58"><strong>Fixed in Apache httpd 2.0.58</strong></a>
   </font>
  </td></tr>
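
Review bot: the "Affects:" list in the new 2.0.59 entry starts at 2.0.55 and omits 2.0.58, which the download.html change in this commit shows as the release that 2.0.59 replaces. If 2.0.58 is affected, add it; as written, a reader running 2.0.58 could conclude the update does not apply to them.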

Modified: httpd/site/trunk/docs/security/vulnerabilities_22.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_22.html?rev=426209&r1=426208&r2=426209&view=diff
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_22.html (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_22.html Thu Jul 27 12:32:48 2006
@@ -80,6 +80,42 @@
            <table border="0" cellspacing="0" cellpadding="2" width="100%">
  <tr><td bgcolor="#525D76">
   <font color="#ffffff" face="arial,helvetica,sanserif">
+   <a name="2.2.3"><strong>Fixed in Apache httpd 2.2.3</strong></a>
+  </font>
+ </td></tr>
+ <tr><td>
+  <blockquote>
+<dl>
+<dd>
+<b>important: </b>
+<b>
+<name name="CVE-2006-3747">mod_rewrite off-by-one error</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747">CVE-2006-3747</a>
+<p>
+An off-by-one flaw exists in the Rewrite module, mod_rewrite.
+Depending on the manner in which Apache httpd was compiled, this
+software defect may result in a vulnerability which, in combination
+with certain types of Rewrite rules in the web server configuration
+files, could be triggered remotely.  For vulnerable builds, the nature
+of the vulnerability can be denial of service (crashing of web server
+processes) or potentially allow arbitrary code execution.
+</p>
+</dd>
+<dd>
+  Update Released: 27th July 2006<br />
+</dd>
+<dd>
+      Affects: 
+    2.2.2, 2.2.0<p />
+</dd>
+</dl>
+  </blockquote>
+ </td></tr>
+</table>
+           <table border="0" cellspacing="0" cellpadding="2" width="100%">
+ <tr><td bgcolor="#525D76">
+  <font color="#ffffff" face="arial,helvetica,sanserif">
    <a name="2.2.2"><strong>Fixed in Apache httpd 2.2.2</strong></a>
   </font>
  </td></tr>
@@ -105,7 +141,7 @@
 </dd>
 <dd>
       Affects: 
-    2.2.0<p />
+    1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28<p />
 </dd>
 <dd>
 <b>moderate: </b>
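
Review bot: this one-line hunk changes the "Affects:" value of an existing entry on the 2.2 series page from 2.2.0 to 1.3.34 through 1.3.28, which looks wrong for a 2.2 page and is unrelated to the 2.2.3 entry added above it. Unless this is intended, restore "2.2.0<p />"; the same change appears in xdocs/security/vulnerabilities_22.xml, so the generated file will follow once the source is fixed.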

Modified: httpd/site/trunk/xdocs/security/vulnerabilities_22.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities_22.xml?rev=426209&r1=426208&r2=426209&view=diff
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities_22.xml (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities_22.xml Thu Jul 27 12:32:48 2006
@@ -19,6 +19,34 @@
 these vulnerabilities to the <a href="/security_report.html">Security
 Team</a>.  </p>
 </section>
+<section id="2.2.3">
+<title>Fixed in Apache httpd 2.2.3</title>
+<dl>
+<dd>
+<b>important: </b>
+<b>
+<name name="CVE-2006-3747">mod_rewrite off-by-one error</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747">CVE-2006-3747</a>
+<p>
+An off-by-one flaw exists in the Rewrite module, mod_rewrite.
+Depending on the manner in which Apache httpd was compiled, this
+software defect may result in a vulnerability which, in combination
+with certain types of Rewrite rules in the web server configuration
+files, could be triggered remotely.  For vulnerable builds, the nature
+of the vulnerability can be denial of service (crashing of web server
+processes) or potentially allow arbitrary code execution.
+</p>
+</dd>
+<dd>
+  Update Released: 27th July 2006<br/>
+</dd>
+<dd>
+      Affects: 
+    2.2.2, 2.2.0<p/>
+</dd>
+</dl>
+</section>
 <section id="2.2.2">
 <title>Fixed in Apache httpd 2.2.2</title>
 <dl>
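
Review bot: the new <section id="2.2.3"> is the only xdocs source change in this commit, while the generated vulnerabilities_13.html and vulnerabilities_20.html also gain CVE-2006-3747 entries. If their .xml sources were not committed separately, a later regeneration would drop those entries; please confirm, or include the sources here.
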
@@ -41,7 +69,7 @@
 </dd>
 <dd>
       Affects: 
-    2.2.0<p/>
+    1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28<p/>
 </dd>
 <dd>
 <b>moderate: </b>
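
Review bot: the "Affects:" value of this existing entry changes from 2.2.0 to 1.3.x versions in the source file for the 2.2 series, which looks like a slip carried over from the 1.3 data rather than part of the 2.2.3 addition. Since this .xml is the source for vulnerabilities_22.html, restore "2.2.0<p/>" here and regenerate.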