You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by wr...@apache.org on 2017/10/05 18:40:20 UTC
svn commit: r22132 - in /dev/httpd: Announcement2.4.html Announcement2.4.txt
Author: wrowe
Date: Thu Oct 5 18:40:19 2017
New Revision: 22132
Log:
Wordsmith CVE description, datestamp and prepare to announce
Modified:
dev/httpd/Announcement2.4.html
dev/httpd/Announcement2.4.txt
Modified: dev/httpd/Announcement2.4.html
==============================================================================
--- dev/httpd/Announcement2.4.html (original)
+++ dev/httpd/Announcement2.4.html Thu Oct 5 18:40:19 2017
@@ -52,7 +52,7 @@
Apache HTTP Server 2.4.28 Released
</h1>
<p>
- XXXX XX, 2017
+ October 5, 2017
</p>
<p>
The Apache Software Foundation and the Apache HTTP Server Project are
@@ -91,10 +91,11 @@
Of particular note in this release is 1 SECURITY item:
</p>
<ul>
- <li>SECURITY: CVE-2017-9798 (cve.mitre.org).<br/>
- Corrupted or freed memory access. <Limit[Except]> must now be used in
- the main configuration file (httpd.conf) to register HTTP methods
- before the .htaccess files.
+ <li>SECURITY: CVE-2017-9798 (cve.mitre.org)<br/>
+ Corrupted or freed memory access. <Limit[Except]> or the
+ RegisterHttpMethod directive must be given in the startup
+ configuration (httpd.conf) to register non-standard HTTP methods
+ before listing them in an .htaccess files.
</li>
</ul>
<p>
@@ -132,7 +133,7 @@ href="https://svn.apache.org/repos/asf/h
Please note that while the Apache HTTP Server Project may publish some
security patches to the 2.2.x flavor through at least December of 2017,
no further maintenance patches of 2.2.x will be considered and no further
- releases will be distributed. The 2.2.x branch is now reached the end of
+ releases will be distributed. The 2.2.x branch has now reached the end of
its maintenance, and users are strongly encouraged to promptly complete
their transitions to this 2.4.x flavor of httpd to benefit from security
and bug fixes, as well as new features.
Modified: dev/httpd/Announcement2.4.txt
==============================================================================
--- dev/httpd/Announcement2.4.txt (original)
+++ dev/httpd/Announcement2.4.txt Thu Oct 5 18:40:19 2017
@@ -1,6 +1,6 @@
Apache HTTP Server 2.4.28 Released
- XXXX XX, 2017
+ October 5, 2017
The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.28 of the Apache
@@ -31,12 +31,13 @@
http://httpd.apache.org/security/vulnerabilities_24.html
- Of particular note in this release is 1 SECURITY :
+ Of particular note in this release is 1 SECURITY item:
- o SECURITY: CVE-2017-9798 (cve.mitre.org).
- Corrupted or freed memory access. <Limit[Except]> must now be used in
- the main configuration file (httpd.conf) to register HTTP methods
- before the .htaccess files.
+ o SECURITY: CVE-2017-9798 (cve.mitre.org)
+ Corrupted or freed memory access. <Limit[Except] > or the
+ RegisterHttpMethod directive must be given in the startup
+ configuration (httpd.conf) to register non-standard HTTP methods
+ before listing them in an .htaccess files.
This release requires the Apache Portable Runtime (APR), minimum
version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
@@ -57,7 +58,7 @@
Please note that while the Apache HTTP Server Project may publish some
security patches to the 2.2.x flavor through at least December of 2017,
no further maintenance patches of 2.2.x will be considered and no further
- releases will be distributed. The 2.2.x branch is now reached the end of
+ releases will be distributed. The 2.2.x branch has now reached the end of
its maintenance, and users are strongly encouraged to promptly complete
their transitions to this 2.4.x flavor of httpd to benefit from security
and bug fixes, as well as new features.