Posted to cvs@httpd.apache.org by ma...@hyperreal.org on 1998/07/15 08:51:59 UTC
cvs commit: apache-1.3 Announcement
marc 98/07/14 23:51:59
Modified: . Announcement
Log:
Make up something resembling a 1.3.1 announcement. Comments or
{ap|dis}proval please. Still needs to be reviewed, but get what
I have now in for comment.
Revision Changes Path
1.31 +68 -28 apache-1.3/Announcement
Index: Announcement
===================================================================
RCS file: /export/home/cvs/apache-1.3/Announcement,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -r1.30 -r1.31
--- Announcement 1998/07/12 09:45:47 1.30
+++ Announcement 1998/07/15 06:51:58 1.31
@@ -1,31 +1,71 @@
+Apache 1.3.1 Released
+=====================
- Apache 1.3.1 Released
- =====================
+The Apache Group is pleased to announce the release of version 1.3.1
+of the Apache HTTP server.
- The Apache Group is pleased to announce the release of the 1.3.1 version
- of the Apache HTTP server. This is mainly a bugfix release.
+The changes in this release consist of UNIX portability fixes, Win32
+security issues, and assorted other minor features or fixes.
- Apache 1.3.1 is the most stable version of Apache currently available;
- everyone running 1.2.X servers or earlier should upgrade to 1.3, as we
- will stop providing support for the 1.2.X tree, though we may make a
- release of 1.2.7. At present, the Win95/NT port of Apache is not
- as stable as the UNIX version. Further releases of the 1.3.x tree
- will bring the Win95/NT port closer to parity.
-
- To grab the latest Apache distribution, check out
- http://www.apache.org/dist/
- and the huge list of available "International Mirror Sites" at
- http://www.apache.org/mirrors/
-
- For an overview of new features in 1.3 please read see
-
- http://www.apache.org/docs/new_features_1_3.html
-
- In general, Apache 1.3.0 offers several substantial improvements
- over previous versions, including better performance, reliability
- and a wider-range of supported platforms, including Windows95 and
- NT.
-
- Apache is the most popular web-server in the known universe; over
- half of the servers on the Internet are running Apache or one of its
- variants.
+WE URGE ALL USERS RUNNING ANY PREVIOUS VERSION OF APACHE ON WIN32
+TO UPGRADE IMMEDIATELY.
+
+Users on other platforms should review the CHANGES file and decide
+on their upgrade plans; the security issues apply only to Apache
+on Win32.
+
+Apache 1.3.1 is available for download from
+
+ http://www.apache.org/dist/
+
+Please see the CHANGES file in the same directory for a full list of
+changes. The distribution is also available via any of the mirrors
+listed at
+
+ http://www.apache.org/mirrors/
+
+For an overview of new features in 1.3 please see
+
+ http://www.apache.org/docs/new_features_1_3.html
+
+In general, Apache 1.3 offers several substantial improvements
+over version 1.2, including better performance, reliability
+and a wider-range of supported platforms, including Windows 95 and
+NT.
+
+Apache is the most popular web-server in the known universe; over
+half of the servers on the Internet are running Apache or one of its
+variants.
+
+IMPORTANT NOTE FOR WIN32 USERS: Over the years, many users have
+come to trust Apache as a secure and stable server. It must
+be realized that the current Win32 code has not yet reached these
+levels and should still be considered to be of beta quality. Any
+Win32 stability or security problems do not impact, in any way,
+Apache on other platforms. With the continued donation of time
+and resources by individuals and companies, we hope that the Win32
+version of Apache will grow stronger through the 1.3.x release
+cycle.
+
+Versions of Apache on Win32 prior to version 1.3.1 are vulnerable
+to a number of security holes common to several Win32 servers.
+The problems that impact Apache include:
+
+ - trailing "."s are ignored by the file system. This allowed
+ certain types of access restrictions to be bypassed.
+ - directory names of three or more dots (eg. "...") are
+ considered to be valid similar to "..". This allowed people
+ to gain access to files outside of the configured document
+ trees.
+
+There have been at least four other similar instances of the same
+basic problem: on Win32, there is more than one name for a file.
+Some of these names are poorly documented or undocumented, and even
+Microsoft's own IIS has been vulnerable to many of these problems.
+This behavior of the Win32 file system and API makes it very difficult
+to insure future security; problems of this type have been known
+about for years, however each specific instance has been discovered
+individually. It is unknown if there are other, yet unpublicized,
+filename variants. As a result, we recommend that you use extreme
+caution when dealing with access restrictions on all Win32 web
+servers.
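Review bot: In the summary paragraph near the top of the new text, "Win32 security issues" is listed among the changes in the release, which reads as if 1.3.1 ships the issues rather than their fixes; suggest "fixes for Win32 security issues". The vulnerability section at the end has a related gap: it says versions prior to 1.3.1 are vulnerable and describes the trailing "." and "..." problems in the past tense, but it never states outright that 1.3.1 corrects both, and it does not say whether the "at least four other similar instances" were Apache problems addressed in this release or reports against other servers. One sentence stating exactly what 1.3.1 fixes would let Win32 administrators judge their exposure before and after upgrading. Minor wording: "insure future security" should be "ensure", "eg." should be "e.g.", and "wider-range" does not need the hyphen.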