Posted to cvs@httpd.apache.org by co...@apache.org on 2010/02/02 10:38:32 UTC
svn commit: r56 - /release/httpd/
Author: colm
Date: Tue Feb 2 04:38:30 2010
New Revision: 56
Log:
Updating for apache 1.3.41 -> 1.3.42, leaving the old tarballs in place for now; they'll be removed after the atomic release flip later.
Added:
release/httpd/CHANGES_1.3.42
release/httpd/apache_1.3.42.tar.Z (with props)
release/httpd/apache_1.3.42.tar.Z.asc
release/httpd/apache_1.3.42.tar.Z.md5
release/httpd/apache_1.3.42.tar.Z.sha1
release/httpd/apache_1.3.42.tar.gz (with props)
release/httpd/apache_1.3.42.tar.gz.asc
release/httpd/apache_1.3.42.tar.gz.md5
release/httpd/apache_1.3.42.tar.gz.sha1
Modified:
release/httpd/Announcement1.3
release/httpd/Announcement1.3.html
release/httpd/Announcement1.3.txt
release/httpd/CHANGES_1.3
Modified: release/httpd/Announcement1.3
==============================================================================
--- release/httpd/Announcement1.3 (original)
+++ release/httpd/Announcement1.3 Tue Feb 2 04:38:30 2010
@@ -1,36 +1,42 @@
- Apache HTTP Server 1.3.39 Released
+ Apache HTTP Server 1.3.42 Released
The Apache Software Foundation and the Apache HTTP Server Project are
- pleased to announce the release of version 1.3.39 of the Apache HTTP
- Server ("Apache"). This Announcement notes the significant change in
- 1.3.39 as compared to 1.3.37 (1.3.38 was not released).
-
- This version of Apache is a security fix release only:
-
- * CVE-2006-5752 (cve.mitre.org)
- A possible XSS attack exist against a site with a public
- server-status page and ExtendedStatus enabled, for browsers which
- perform charset "detection". Reported by Stefan Esser.
-
- * CVE-2007-3304 (cve.mitre.org)
- The Apache parent process can be tricked into sending signals
- to non-Apache child processes. Please note that ability
- to exploit this issue is dependent on running untrusted 3rd party
- modules or untrusted server-side code.
+ pleased to announce the release of version 1.3.42 of the Apache HTTP
+ Server ("Apache"). This release is intended as the final release of
+ version 1.3 of the Apache HTTP Server, which has reached end of life
+ status.
+
+ There will be no more full releases of Apache HTTP Server 1.3.
+ However, critical security updates may be made available from the
+ following website:
+
+ http://www.apache.org/dist/httpd/patches/
+
+ Our thanks go to everyone who has helped make Apache HTTP Server 1.3
+ the most successful, and most used, webserver software on the planet!
+
+ This Announcement notes the significant changes in
+ 1.3.42 as compared to 1.3.41.
+
+ This version of Apache is is principally a bug and security fix release.
+ The following moderate security flaw has been addressed:
+
+ * CVE-2010-0010 (cve.mitre.org)
+ mod_proxy: Prevent chunk-size integer overflow on platforms
+ where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.
- Please see the CHANGES_1.3.39 file in this directory for a full list
+ Please see the CHANGES_1.3.42 file in this directory for a full list
of changes for this version.
- Apache 1.3.39 is the current stable release of the Apache 1.3 family. We
+ Apache 1.3.42 is the final stable release of the Apache 1.3 family. We
strongly recommend that users of all earlier versions, including 1.3
- family release, upgrade to to the current 2.2 version as soon as possible.
+ family releases, upgrade to to the current 2.2 version as soon as possible.
+ For information about how to upgrade, please see the documentation:
+
+ http://httpd.apache.org/docs/2.2/upgrading.html
- We recommend Apache 1.3.39 version for users who require a third party
- module that is not yet available as an Apache 2.x module. Modules compiled
- for Apache 2.x are not compatible with Apache 1.3, and modules compiled
- for Apache 1.3 are not compatible with Apache 2.x.
- Apache 1.3.39 is available for download from
+ Apache 1.3.42 is available for download from
http://httpd.apache.org/download.cgi
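Review bot: two doubled words survive in the rewritten paragraphs of this hunk: "This version of Apache is is principally a bug and security fix release" and "upgrade to to the current 2.2 version as soon as possible". Since this is the final 1.3 announcement, fix them here ("is principally", "upgrade to the current") and make the same change in the .txt and .html copies so all three files stay identical.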
@@ -58,23 +64,17 @@
the main download pages for Apache 1.3. If absolutely necessary, a binary
may be available at http://archive.apache.org/dist/httpd/.
- Apache is the most popular web server in the known universe; about 2/3 of
- the servers on the Internet run Apache HTTP Server, or one of its
- variants.
-
-Apache 1.3.39 Major changes
+Apache 1.3.42 Major changes
Security vulnerabilities
- The main security vulnerabilities addressed in 1.3.39 are:
+ The main security vulnerabilities addressed in 1.3.42 are:
+
+ *) SECURITY: CVE-2010-0010 (cve.mitre.org)
+ mod_proxy: Prevent chunk-size integer overflow on platforms
+ where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.
+ Bugfixes addressed in 1.3.42 are:
- CVE-2006-5752 (cve.mitre.org)
- mod_status: Fix a possible XSS attack against a site with a public
- server-status page and ExtendedStatus enabled, for browsers which
- perform charset "detection". Reported by Stefan Esser.
-
- CVE-2007-3304 (cve.mitre.org)
- Ensure that the parent process cannot be forced to kill non-child
- processes by checking scoreboard PID data with parent process
- privately stored PID data.
+ *) Protect logresolve from mismanaged DNS records that return
+ blank/null hostnames.
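Review bot: the "Bugfixes addressed in 1.3.42 are:" line directly follows the CVE-2010-0010 entry with no blank line before it, whereas the same block in Announcement1.3.txt has one; insert the blank line here so the plain-text and .txt announcements stay byte-for-byte identical.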
Modified: release/httpd/Announcement1.3.html
==============================================================================
--- release/httpd/Announcement1.3.html (original)
+++ release/httpd/Announcement1.3.html Tue Feb 2 04:38:30 2010
@@ -15,61 +15,46 @@
<IMG SRC="../../images/apache_sub.gif" ALT="">
-<h1>Apache HTTP Server 1.3.41 Released</h1>
-
-<p>The Apache Software Foundation and the Apache HTTP Server Project are
- pleased to announce the release of version 1.3.41 of the Apache HTTP
- Server ("Apache"). This Announcement notes the significant changes
- in 1.3.41 as compared to 1.3.39 (1.3.40 was not released).</p>
+<h1>Apache HTTP Server 1.3.42 Released</h1>
-<p>This version of Apache is a security fix release only.</p>
-
-<ul>
-<li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388">CVE-2007-6388:</a>
-mod_status: Ensure refresh parameter is numeric to prevent
-a possible XSS attack caused by redirecting to other URLs.
-Reported by SecurityReason.
-<br />
-A flaw was found in the mod_status module. On sites where mod_status is
-enabled and the status pages were publicly accessible, a cross-site
-scripting attack is possible.
-Note that the server-status page is not enabled by default and it is best
-practice to not make this publicly available.
-</li>
-
-<li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000">CVE-2007-5000:</a>
-mod_imap: Fix cross-site scripting issue. Reported by JPCERT.
-<br />
-A flaw was found in the mod_imap module. On sites where
-mod_imap is enabled and an imagemap file is publicly available, a
-cross-site scripting attack is possible.</li>
-
-<li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847">CVE-2007-3847:</a>
-mod_proxy: Prevent reading past the end of a buffer when parsing
-date-related headers. PR 41144.
-With Apache 1.3, the denial of service vulnerability applies only
-to the Windows and NetWare platforms.
-</li>
-
-</ul>
-
-<p>Please note that ability to exploit this issue is dependent on running
-untrusted 3rd party modules or untrusted server-side code.</p>
+<p>
+ The Apache Software Foundation and the Apache HTTP Server Project are
+ pleased to announce the release of version 1.3.42 of the Apache HTTP
+ Server ("Apache"). This release is intended as the final release of
+ version 1.3 of the Apache HTTP Server, which has reached end of life
+ status.</p>
+
+<p>There will be no more full releases of Apache HTTP Server 1.3.
+ However, critical security updates may be made available from the
+ following website:</p>
+
+<p><a href="http://www.apache.org/dist/httpd/patches/">http://www.apache.org/dist/httpd/patches/</a></p>
+
+<p>Our thanks go to everyone who has helped make Apache HTTP Server 1.3
+ the most successful, and most used, webserver software on the planet!</p>
+
+<p>This Announcement notes the significant changes in 1.3.42 as compared to
+1.3.41.</p>
+
+<p>This version of Apache is is principally a bug and security fix release.
+The following moderate security flaw has been addressed:</p>
+
+<ul><li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0010">CVE-2010-0010:</a>
+mod_proxy: Prevent chunk-size integer overflow on platforms
+where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.</li></ul>
+
+<p>Please see the CHANGES_1.3.42 file in this directory for a full list
+of changes for this version.</p>
+
+<p>Apache 1.3.42 is the final stable release of the Apache 1.3 family. We
+ strongly recommend that users of all earlier versions, including 1.3
+ family releases, upgrade to to the current 2.2 version as soon as possible.
+ For information about how to upgrade, please see the documentation:</p>
-<p>Apache 1.3.41 is the current stable release of the Apache 1.3 family.
- We strongly recommend that users of all earlier versions, including
- 1.3 family release, upgrade to to the current 2.2 version as soon
- as possible.</p>
-
-<p>We recommend Apache 1.3.41 version for users who require a third party
- module that is not yet available as an Apache 2.x module. Modules
- compiled for Apache 2.x are not compatible with Apache 1.3, and modules
- compiled for Apache 1.3 are not compatible with Apache 2.x.</p>
+<dl><dd><a href="http://httpd.apache.org/docs/2.2/upgrading.html"
+ >http://httpd.apache.org/docs/2.2/upgrading.html</a></dd>
-<p>Apache 1.3.41 is available for download from</p>
+<p>Apache 1.3.42 is available for download from</p>
<dl>
<dd><a href="http://httpd.apache.org/download.cgi"
>http://httpd.apache.org/download.cgi</a></dd>
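Review bot: the new `<dl><dd>` around the upgrading.html link is never closed: `<dl><dd><a href="http://httpd.apache.org/docs/2.2/upgrading.html" >...</a></dd>` is followed directly by `<p>Apache 1.3.42 is available for download from</p>` and a second `<dl>`, so add `</dl>` after that `</dd>`. The doubled words from the text version ("is is principally", "upgrade to to the current") are repeated in this hunk and should be fixed in the same commit.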
@@ -77,8 +62,8 @@
</dl>
<p>Please see the CHANGES_1.3 file, linked from the above page, for
- a full list of changes. A condensed list, CHANGES_1.3.41 provides
- the complete list of changes since 1.3.39.</p>
+ a full list of changes. A condensed list, CHANGES_1.3.42 provides
+ the complete list of changes since 1.3.41.</p>
<p>This service utilizes the network of mirrors listed at:</p>
<dl>
@@ -113,28 +98,17 @@
of the servers on the Internet run Apache HTTP Server, or one of its
variants.</p>
-<h2>Apache 1.3.41 Major changes</h2>
+<h2>Apache 1.3.42 Major changes</h2>
<h3>Security vulnerabilities</h3>
<p>
- The main security vulnerabilities addressed in 1.3.41 are:
+ The main security vulnerabilities addressed in 1.3.42 are:
</p>
<dl>
-<dt>CVE-2007-6388 (cve.mitre.org)</dt>
-<dd>mod_status: Ensure refresh parameter is numeric to prevent
- a possible XSS attack caused by redirecting to other URLs.
- Reported by SecurityReason.</dd>
-
-<dt>CVE-2007-5000 (cve.mitre.org)</dt>
-<dd>mod_imap: Fix cross-site scripting issue. Reported by JPCERT.</dd>
-
-<dt>CVE-2007-3847 (cve.mitre.org)</dt>
-<dd>mod_proxy: Prevent reading past the end of a buffer when parsing
- date-related headers. PR 41144.
- With Apache 1.3, the denial of service vulnerability applies only
- to the Windows and NetWare platforms.</dd>
-
+<dt>CVE-2010-0010 (cve.mitre.org)</dt>
+<dd>mod_proxy: Prevent chunk-size integer overflow on platforms
+where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.</dd>
</dl>
<!--
<h3>New features</h3>
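Review bot: the unchanged context lines "of the servers on the Internet run Apache HTTP Server, or one of its variants." show that the HTML announcement still carries the "most popular web server" paragraph that this commit removes from Announcement1.3 and Announcement1.3.txt; remove it here as well (or keep it in all three) so the HTML and text announcements say the same thing.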
@@ -151,13 +125,15 @@
<li>None</li>
</ul>
<p>
+-->
<h3>Bugs fixed</h3>
<p>
- The following bugs were found in Apache 1.3.39 (or earlier) and have been fixed in
- Apache 1.3.41:
+ The following bugs were found in Apache 1.3.41 (or earlier) and have been fixed in
+ Apache 1.3.42:
</p>
<ul>
+ <li> Protect logresolve from mismanaged DNS records that return
+ blank/null hostnames</li>
</ul>
--->
</BODY>
</HTML>
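Review bot: moving `-->` up to sit before `<h3>Bugs fixed</h3>` is what makes the new logresolve entry render instead of staying hidden in the comment, which matches the intent; the `<p>` on the context line just above the new `-->` is now a stray opening tag that ends the commented block without a `</p>`. It is harmless inside a comment, but dropping it (or closing it) keeps the markup tidy for the next person who uncomments the "New features" section.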
Modified: release/httpd/Announcement1.3.txt
==============================================================================
--- release/httpd/Announcement1.3.txt (original)
+++ release/httpd/Announcement1.3.txt Tue Feb 2 04:38:30 2010
@@ -1,50 +1,42 @@
- Apache HTTP Server 1.3.41 Released
+ Apache HTTP Server 1.3.42 Released
The Apache Software Foundation and the Apache HTTP Server Project are
- pleased to announce the release of version 1.3.41 of the Apache HTTP
- Server ("Apache"). This Announcement notes the significant changes in
- 1.3.41 as compared to 1.3.39 (1.3.40 was not released).
+ pleased to announce the release of version 1.3.42 of the Apache HTTP
+ Server ("Apache"). This release is intended as the final release of
+ version 1.3 of the Apache HTTP Server, which has reached end of life
+ status.
+
+ There will be no more full releases of Apache HTTP Server 1.3.
+ However, critical security updates may be made available from the
+ following website:
+
+ http://www.apache.org/dist/httpd/patches/
+
+ Our thanks go to everyone who has helped make Apache HTTP Server 1.3
+ the most successful, and most used, webserver software on the planet!
+
+ This Announcement notes the significant changes in
+ 1.3.42 as compared to 1.3.41.
This version of Apache is is principally a bug and security fix release.
- The following potential security flaws are addressed:
+ The following moderate security flaw has been addressed:
- * CVE-2007-6388 (cve.mitre.org)
- mod_status: Ensure refresh parameter is numeric to prevent
- a possible XSS attack caused by redirecting to other URLs.
- Reported by SecurityReason.
-
- A flaw was found in the mod_status module. On sites where mod_status
- is enabled and the status pages were publicly accessible, a
- cross-site scripting attack is possible. Note that the server-status
- page is not enabled by default and it is best practice to not make
- this publicly available.
-
- * CVE-2007-5000 (cve.mitre.org)
- mod_imap: Fix cross-site scripting issue. Reported by JPCERT.
-
- A flaw was found in the mod_imap module. On sites where
- mod_imap is enabled and an imagemap file is publicly available, a
- cross-site scripting attack is possible.
-
- * CVE-2007-3847 (cve.mitre.org)
- mod_proxy: Prevent reading past the end of a buffer when parsing
- date-related headers. PR 41144.
- With Apache 1.3, the denial of service vulnerability applies only
- to the Windows and NetWare platforms.
+ * CVE-2010-0010 (cve.mitre.org)
+ mod_proxy: Prevent chunk-size integer overflow on platforms
+ where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.
- Please see the CHANGES_1.3.41 file in this directory for a full list
+ Please see the CHANGES_1.3.42 file in this directory for a full list
of changes for this version.
- Apache 1.3.41 is the current stable release of the Apache 1.3 family. We
+ Apache 1.3.42 is the final stable release of the Apache 1.3 family. We
strongly recommend that users of all earlier versions, including 1.3
- family release, upgrade to to the current 2.2 version as soon as possible.
+ family releases, upgrade to to the current 2.2 version as soon as possible.
+ For information about how to upgrade, please see the documentation:
+
+ http://httpd.apache.org/docs/2.2/upgrading.html
- We recommend Apache 1.3.41 version for users who require a third party
- module that is not yet available as an Apache 2.x module. Modules compiled
- for Apache 2.x are not compatible with Apache 1.3, and modules compiled
- for Apache 1.3 are not compatible with Apache 2.x.
- Apache 1.3.41 is available for download from
+ Apache 1.3.42 is available for download from
http://httpd.apache.org/download.cgi
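Review bot: the rewritten line "family releases, upgrade to to the current 2.2 version as soon as possible." doubles "to", and the unchanged context line "This version of Apache is is principally a bug and security fix release." doubles "is"; both errors also appear in Announcement1.3 and Announcement1.3.html, so fix all three copies together.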
@@ -72,34 +64,17 @@
the main download pages for Apache 1.3. If absolutely necessary, a binary
may be available at http://archive.apache.org/dist/httpd/.
- Apache is the most popular web server in the known universe; about 2/3 of
- the servers on the Internet run Apache HTTP Server, or one of its
- variants.
-
-Apache 1.3.41 Major changes
+Apache 1.3.42 Major changes
Security vulnerabilities
- The main security vulnerabilities addressed in 1.3.41 are:
+ The main security vulnerabilities addressed in 1.3.42 are:
+
+ *) SECURITY: CVE-2010-0010 (cve.mitre.org)
+ mod_proxy: Prevent chunk-size integer overflow on platforms
+ where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.
+
+ Bugfixes addressed in 1.3.42 are:
- CVE-2007-6388 (cve.mitre.org)
- mod_status: Ensure refresh parameter is numeric to prevent
- a possible XSS attack caused by redirecting to other URLs.
- Reported by SecurityReason.
-
- CVE-2007-5000 (cve.mitre.org)
- mod_imap: Fix cross-site scripting issue. Reported by JPCERT.
-
- CVE-2007-3847 (cve.mitre.org)
- mod_proxy: Prevent reading past the end of a buffer when parsing
- date-related headers. PR 41144.
- With Apache 1.3, the denial of service vulnerability applies only
- to the Windows and NetWare platforms.
-
- Bugfixes addressed in 1.3.41 are:
-
- More efficient implementation of the CVE-2007-3304 PID table
- patch. This fixes issues with excessive memory usage by the
- parent process if long-running and with a high number of child
- process forks during that timeframe. Also fixes bogus "Bad pid"
- errors.
+ *) Protect logresolve from mismanaged DNS records that return
+ blank/null hostnames.
Modified: release/httpd/CHANGES_1.3
==============================================================================
--- release/httpd/CHANGES_1.3 (original)
+++ release/httpd/CHANGES_1.3 Tue Feb 2 04:38:30 2010
@@ -1,3 +1,33 @@
+Changes with Apache 1.3.42
+
+ *) SECURITY: CVE-2010-0010 (cve.mitre.org)
+ mod_proxy: Prevent chunk-size integer overflow on platforms
+ where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.
+ [Colm MacCárthaigh]
+
+ *) IMPORTANT: This is the final release of Apache httpd 1.3.
+ Apache httpd 1.3 has reached end of life, as of January 2010.
+ No further releases of this software will be made, although critical
+ security updates may be made available as patches from the following
+ website:
+
+ http://www.apache.org/dist/httpd/patches/
+
+ Apache 1.3.x users who wish to avail of security releases,
+ bug-fixes and community support are advised to use Apache 2.2
+ or higher.
+
+ Information on upgrading is available from the following website:
+
+ http://httpd.apache.org/docs/2.2/upgrading.html
+
+ Thank you to everyone who helped make Apache 1.3.x the most
+ successful, and most used, webserver software on the planet!
+ [Apache httpd group]
+
+ *) Protect logresolve from mismanaged DNS records that return
+ blank/null hostnames. [Jim Jagielski]
+
Changes with Apache 1.3.41
*) SECURITY: CVE-2007-6388 (cve.mitre.org)
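Review bot: the CVE-2010-0010 entry states the fix but not the exposure, which an administrator reading "moderate" in the announcement will want: it should say that only servers with mod_proxy loaded and proxying enabled are affected, and that "sizeof(int) < sizeof(long)" means LP64 builds (most 64-bit Unix platforms), so 32-bit builds are not in scope. Consider also placing the IMPORTANT end-of-life notice first in the 1.3.42 block rather than between the two change entries.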
@@ -233,7 +263,7 @@
*) Some syntax errors in mod_mime_magic's magic file can result
in a 500 error, which previously was unlogged. Now we log the
- error. [Jeff Trawick]
+ error. PR 8329. [Jeff Trawick]
*) Linux 2.4+: If Apache is started as root and you code
CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
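Review bot: adding "PR 8329." to a changelog entry from a much older 1.3 release is outside the scope of a 1.3.42 release commit and is not mentioned in the commit log; if the PR reference is correct, note it in the log message, otherwise revert it so CHANGES_1.3 and the archived per-release CHANGES files keep matching.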
Added: release/httpd/CHANGES_1.3.42
==============================================================================
--- release/httpd/CHANGES_1.3.42 (added)
+++ release/httpd/CHANGES_1.3.42 Tue Feb 2 04:38:30 2010
@@ -0,0 +1,29 @@
+Changes with Apache 1.3.42
+
+ *) SECURITY: CVE-2010-0010 (cve.mitre.org)
+ mod_proxy: Prevent chunk-size integer overflow on platforms
+ where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.
+ [Colm MacCárthaigh]
+
+ *) IMPORTANT: This is the final release of Apache httpd 1.3.
+ Apache httpd 1.3 has reached end of life, as of January 2010.
+ No further releases of this software will be made, although critical
+ security updates may be made available as patches from the following
+ website:
+
+ http://www.apache.org/dist/httpd/patches/
+
+ Apache 1.3.x users who wish to avail of security releases,
+ bug-fixes and community support are advised to use Apache 2.2
+ or higher.
+
+ Information on upgrading is available from the following website:
+
+ http://httpd.apache.org/docs/2.2/upgrading.html
+
+ Thank you to everyone who helped make Apache 1.3.x the most
+ successful, and most used, webserver software on the planet!
+ [Apache httpd group]
+
+ *) Protect logresolve from mismanaged DNS records that return
+ blank/null hostnames. [Jim Jagielski]
Added: release/httpd/apache_1.3.42.tar.Z
==============================================================================
Binary file - no diff available.
Propchange: release/httpd/apache_1.3.42.tar.Z
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Added: release/httpd/apache_1.3.42.tar.Z.asc
==============================================================================
--- release/httpd/apache_1.3.42.tar.Z.asc (added)
+++ release/httpd/apache_1.3.42.tar.Z.asc Tue Feb 2 04:38:30 2010
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.6 (GNU/Linux)
+
+iD8DBQBLYLXldcqio/ObN1ARAt/QAKClWQ/QczelwJbWe2mMMlc0MyRuWwCfZC2a
+hJaPars3D1i3XmMeG3StsH4=
+=nSO4
+-----END PGP SIGNATURE-----
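Review bot: this .asc file is the only authenticity check among the added files, yet none of the announcement texts in this commit tell downloaders to verify it; add a pointer to verifying the signature against a trusted copy of the release signing key. The first header bytes decode to an OpenPGP v3 DSA/SHA-1 signature by key ID 0x75CAA2A3F39B3750, so that is the key a verifier should expect; the .md5 and .sha1 companions only detect download corruption, because anyone able to replace the tarball on a mirror can replace those files alongside it.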
Added: release/httpd/apache_1.3.42.tar.Z.md5
==============================================================================
--- release/httpd/apache_1.3.42.tar.Z.md5 (added)
+++ release/httpd/apache_1.3.42.tar.Z.md5 Tue Feb 2 04:38:30 2010
@@ -0,0 +1 @@
+9afc0e9ae943b3c7a6cffe79bf0c4aaa apache_1.3.42.tar.Z
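Review bot: publishing an MD5 digest is fine as a corruption check, but MD5 is collision-broken and should not be presented as integrity verification; the announcement should direct users to the .asc signature for that, and a SHA-256 digest would be the better companion to the .sha1 file for a final release that will sit on mirrors indefinitely.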
Added: release/httpd/apache_1.3.42.tar.Z.sha1
==============================================================================
--- release/httpd/apache_1.3.42.tar.Z.sha1 (added)
+++ release/httpd/apache_1.3.42.tar.Z.sha1 Tue Feb 2 04:38:30 2010
@@ -0,0 +1 @@
+3fdc1807c71e63bc5b54fc8d2465cbaf0ac3be74 apache_1.3.42.tar.Z
Added: release/httpd/apache_1.3.42.tar.gz
==============================================================================
Binary file - no diff available.
Propchange: release/httpd/apache_1.3.42.tar.gz
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Added: release/httpd/apache_1.3.42.tar.gz.asc
==============================================================================
--- release/httpd/apache_1.3.42.tar.gz.asc (added)
+++ release/httpd/apache_1.3.42.tar.gz.asc Tue Feb 2 04:38:30 2010
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.6 (GNU/Linux)
+
+iD8DBQBLYLXadcqio/ObN1ARAu9tAJ0Wsc2cClhTBQqrjo6iSkhuGOQ22wCg1zSK
+/CIsm8T/1Tn5h9xVJU+192k=
+=mbyG
+-----END PGP SIGNATURE-----
Added: release/httpd/apache_1.3.42.tar.gz.md5
==============================================================================
--- release/httpd/apache_1.3.42.tar.gz.md5 (added)
+++ release/httpd/apache_1.3.42.tar.gz.md5 Tue Feb 2 04:38:30 2010
@@ -0,0 +1 @@
+b76695ec68f9f8b512c9415fc69c1019 apache_1.3.42.tar.gz
Added: release/httpd/apache_1.3.42.tar.gz.sha1
==============================================================================
--- release/httpd/apache_1.3.42.tar.gz.sha1 (added)
+++ release/httpd/apache_1.3.42.tar.gz.sha1 Tue Feb 2 04:38:30 2010
@@ -0,0 +1 @@
+b3f8575d855132bc243d79af59ae2a318e7e2c53 apache_1.3.42.tar.gz