Posted to cvs@httpd.apache.org by ma...@hyperreal.org on 1998/07/15 08:51:59 UTC

cvs commit: apache-1.3 Announcement

marc        98/07/14 23:51:59

  Modified:    .        Announcement
  Log:
  Make up something resembling a 1.3.1 announcement.  Comments or
  {ap|dis}proval please.  Still needs to be reviewed, but get what
  I have now in for comment.
  
  Revision  Changes    Path
  1.31      +68 -28    apache-1.3/Announcement
  
  Index: Announcement
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/Announcement,v
  retrieving revision 1.30
  retrieving revision 1.31
  diff -u -r1.30 -r1.31
  --- Announcement	1998/07/12 09:45:47	1.30
  +++ Announcement	1998/07/15 06:51:58	1.31
  @@ -1,31 +1,71 @@
  +Apache 1.3.1 Released
  +=====================
   
  - Apache 1.3.1 Released
  - =====================
  +The Apache Group is pleased to announce the release of version 1.3.1 
  +of the Apache HTTP server.  
   
  - The Apache Group is pleased to announce the release of the 1.3.1 version
  - of the Apache HTTP server. This is mainly a bugfix release.
  +The changes in this release consist of UNIX portability fixes, Win32
  +security issues, and assorted other minor features or fixes.  
   
  - Apache 1.3.1 is the most stable version of Apache currently available;
  - everyone running 1.2.X servers or earlier should upgrade to 1.3, as we
  - will stop providing support for the 1.2.X tree, though we may make a
  - release of 1.2.7. At present, the Win95/NT port of Apache is not
  - as stable as the UNIX version. Further releases of the 1.3.x tree
  - will bring the Win95/NT port closer to parity.
  -
  - To grab the latest Apache distribution, check out
  -     http://www.apache.org/dist/
  - and the huge list of available "International Mirror Sites" at
  -     http://www.apache.org/mirrors/
  -
  - For an overview of new features in 1.3 please read see
  -
  -     http://www.apache.org/docs/new_features_1_3.html
  -
  - In general, Apache 1.3.0 offers several substantial improvements
  - over previous versions, including better performance, reliability
  - and a wider-range of supported platforms, including Windows95 and
  - NT.
  -
  - Apache is the most popular web-server in the known universe; over
  - half of the servers on the Internet are running Apache or one of its
  - variants.
  +WE URGE ALL USERS RUNNING ANY PREVIOUS VERSION OF APACHE ON WIN32
  +TO UPGRADE IMMEDIATELY.
  +
  +Users on other platforms should review the CHANGES file and decide
  +on their upgrade plans; the security issues apply only to Apache
  +on Win32.
  +
  +Apache 1.3.1 is available for download from
  +
  +	http://www.apache.org/dist/
  +
  +Please see the CHANGES file in the same directory for a full list of 
  +changes.  The distribution is also available via any of the mirrors
  +listed at
  +
  +	http://www.apache.org/mirrors/
  +
  +For an overview of new features in 1.3 please see
  +
  +	http://www.apache.org/docs/new_features_1_3.html
  +
  +In general, Apache 1.3 offers several substantial improvements
  +over version 1.2, including better performance, reliability
  +and a wider-range of supported platforms, including Windows 95 and
  +NT.
  +
  +Apache is the most popular web-server in the known universe; over
  +half of the servers on the Internet are running Apache or one of its
  +variants.
  +
  +IMPORTANT NOTE FOR WIN32 USERS: Over the years, many users have
  +come to trust Apache as a secure and stable server.  It must
  +be realized that the current Win32 code has not yet reached these
  +levels and should still be considered to be of beta quality.  Any
  +Win32 stability or security problems do not impact, in any way,
  +Apache on other platforms.  With the continued donation of time
  +and resources by individuals and companies, we hope that the Win32
  +version of Apache will grow stronger through the 1.3.x release
  +cycle.
  +
  +Versions of Apache on Win32 prior to version 1.3.1 are vulnerable
  +to a number of security holes common to several Win32 servers.
  +The problems that impact Apache include:
  +
  +	- trailing "."s are ignored by the file system.  This allowed
  +	  certain types of access restrictions to be bypassed.
  +	- directory names of three or more dots (eg. "...") are
  +    	  considered to be valid similar to "..".  This allowed people
  +	  to gain access to files outside of the configured document
  +	  trees.
  +
  +There have been at least four other similar instances of the same
  +basic problem: on Win32, there is more than one name for a file.
  +Some of these names are poorly documented or undocumented, and even
  +Microsoft's own IIS has been vulnerable to many of these problems.
  +This behavior of the Win32 file system and API makes it very difficult
  +to insure future security; problems of this type have been known
  +about for years, however each specific instance has been discovered
  +individually.  It is unknown if there are other, yet unpublicized,
  +filename variants.  As a result, we recommend that you use extreme
  +caution when dealing with access restrictions on all Win32 web
  +servers.
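
Review bot: The final paragraph says there have been "at least four other similar instances" of the multiple-names problem but does not say whether 1.3.1 addresses them or only the two listed items (trailing "."s and directory names of three or more dots). Suggest stating which variants are fixed in this release, or pointing to the relevant CHANGES entries, so that Win32 administrators can judge what exposure remains after upgrading. Wording and layout in the same section: "to insure future security" should read "to ensure future security", "eg." should be "e.g.", and the line "considered to be valid similar to "..".  This allowed people" is indented with spaces followed by a tab, unlike the other list lines, so the second bullet will misalign in the plain-text announcement. The removed text also told 1.2.X users that support for that tree would stop; the new text only asks non-Win32 users to review CHANGES, so consider keeping one sentence on the status of 1.2.X if that guidance still holds.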