Posted to cvs@httpd.apache.org by wr...@apache.org on 2005/10/13 21:38:59 UTC

svn commit: r320890 - /httpd/httpd/dist/Announcement2.0.html

Author: wrowe
Date: Thu Oct 13 12:38:58 2005
New Revision: 320890

URL: http://svn.apache.org/viewcvs?rev=320890&view=rev
Log:

  Sync with Announcement2.0.txt

Modified:
    httpd/httpd/dist/Announcement2.0.html

Modified: httpd/httpd/dist/Announcement2.0.html
URL: http://svn.apache.org/viewcvs/httpd/httpd/dist/Announcement2.0.html?rev=320890&r1=320889&r2=320890&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement2.0.html (original)
+++ httpd/httpd/dist/Announcement2.0.html Thu Oct 13 12:38:58 2005
@@ -14,28 +14,88 @@
 >
 <img src="../../images/apache_sub.gif" alt="">
 
-<h1>Apache HTTP Server 2.0.54 Released</h1>
+<h1>Apache HTTP Server 2.0.55 Released</h1>
 
 <p>The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the release of version 2.0.54 of the Apache HTTP
+   pleased to announce the release of version 2.0.55 of the Apache HTTP
    Server ("Apache").  This Announcement notes the significant changes
-   in 2.0.54 as compared to 2.0.53.  This Announcement2.0 document may 
+   in 2.0.55 as compared to 2.0.54.  This Announcement2.0 document may 
    also be available in multiple languages at:</p>
 
-<ul>
-<li><a href="http://www.apache.org/dist/httpd/"
-     >http://www.apache.org/dist/httpd/</a></li>
-</ul>
+<dl>
+<dd><a href="http://www.apache.org/dist/httpd/"
+      >http://www.apache.org/dist/httpd/</a></dd>
+</dl>
+
+<p>This version of Apache is principally a security release.  The
+   following potential security flaws are addressed, the first three 
+   of which address several classes of HTTP Request and Response 
+   Splitting/Spoofing attacks;</p>
+
+<dl>
+<dt>CAN-2005-2088 (cve.mitre.org)</dt>
+
+ <dd>core: If a request contains both Transfer-Encoding and Content-Length
+     headers, remove the Content-Length.</dd>
+
+ <dd>proxy_http: Correctly handle the Transfer-Encoding and Content-Length
+     request headers.  Discard the request Content-Length whenever chunked
+     T-E is used, always passing one of either C-L or T-E chunked whenever 
+     the request includes a request body.</dd>
+
+<dt>Unassigned</dt>
+
+ <dd>proxy_http: If a response contains both Transfer-Encoding and a 
+     Content-Length, remove the Content-Length and don't reuse the
+     connection.</dd>
+
+<dt>CAN-2005-2700 (cve.mitre.org)</dt>
 
-<p>This version of Apache is principally a bug fix release.</p>
+ <dd>mod_ssl: Fix a security issue where "SSLVerifyClient" was not
+     enforced in per-location context if "SSLVerifyClient optional"
+     was configured in the vhost configuration.</dd>
+
+<dt>CAN-2005-2491 (cve.mitre.org)</dt>
+ 
+ <dd>pcre: Fix integer overflows in PCRE in quantifier parsing which 
+     could be triggered by a local user through use of a carefully
+     crafted regex in an .htaccess file.</dd>
+
+<dt>CAN-2005-2728 (cve.mitre.org)</dt>
+
+ <dd>Fix cases where the byterange filter would buffer responses
+     into memory.</dd>
+
+<dt>CAN-2005-1268 (cve.mitre.org)</dt>
+
+ <dd>mod_ssl: Fix off-by-one overflow whilst printing CRL information
+     at "LogLevel debug" which could be triggered if configured 
+     to use a "malicious" CRL.</dd>
+
+</dl>
+
+<p>The Apache HTTP Project thanks all of the reporters of these
+   issues and vulnerabilities for the responsible reporting and
+   thorough analysis of these vulnerabilities.</p>
+
+<p>This release further addresses a number of cross-platform bugs,
+   as well as specific issues on OS/X 10.4, Win32, AIX, and across
+   all EBCDIC platforms, and adds compatibility with OpenSSL 0.9.8.</p>
 
 <p>This release is compatible with modules compiled for 2.0.42 and later
    versions.  We consider this release to be the best version of Apache
    available and encourage users of all prior versions to upgrade.</p>
 
-<p>Apache 2.0.54 is available for download from</p>
+<p>This release includes the Apache Portable Runtime library suite
+   release version 0.9.7, bundled with the tar and zip distributions.
+   These libraries; libapr, libaprutil, and on Win32, libapriconv must
+   all be updated to ensure binary compatibility and address many
+   known platform bugs.</p>
+
+<p>Apache 2.0.55 is available for download from</p>
 <dl>
-  <dd><a href="http://httpd.apache.org/download.cgi">http://httpd.apache.org/download.cgi</a></dd>
+  <dd><a href="http://httpd.apache.org/download.cgi"
+        >http://httpd.apache.org/download.cgi</a></dd>
 </dl>
 
 <p>Please see the CHANGES_2.0 file, linked from the above page, for
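Review bot: the count in the new lead paragraph does not match the list that follows. It says "the first three of which address several classes of HTTP Request and Response Splitting/Spoofing attacks;" but only two headings (CAN-2005-2088 and "Unassigned") precede CAN-2005-2700, spread over three `<dd>` items, so either say "the first two entries" or count the individual fixes, and end that sentence with a colon rather than a semicolon. The "Unassigned" heading should also be resolved before the announcement is published, so that the proxy_http response-side fix ("If a response contains both Transfer-Encoding and a Content-Length, remove the Content-Length and don't reuse the connection.") either carries an identifier or is explicitly marked as awaiting one. Smaller points in the same hunk: the CAN-2005-2728 entry only says the byterange filter "would buffer responses into memory" and, unlike the other entries, gives no indication of the security impact; "The Apache HTTP Project thanks" should match "Apache HTTP Server Project" used in the opening paragraph; the first new `<dl>` holds a `<dd>` with no `<dt>`, which is valid only loosely and could stay a `<ul>` as before; "These libraries; libapr, libaprutil, and on Win32, libapriconv must" reads better as "These libraries (libapr, libaprutil and, on Win32, libapriconv) must"; and a number of the added lines end in trailing whitespace.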
@@ -45,17 +105,16 @@
    boosts over the 1.3 codebase.  For an overview of new features introduced
    after 1.3 please see</p>
 <dl>
-    <dd><a href="http://httpd.apache.org/docs-2.0/new_features_2_0.html">
-        http://httpd.apache.org/docs-2.0/new_features_2_0.html</a></dd>
+    <dd><a href="http://httpd.apache.org/docs-2.0/new_features_2_0.html"
+          >http://httpd.apache.org/docs-2.0/new_features_2_0.html</a></dd>
 </dl>
 
 <p>When upgrading or installing this version of Apache, please keep
-   in mind the following:</p>
-
-<p>If you intend to use Apache with one of the threaded MPMs, you must
-   ensure that the modules (and the libraries they depend on) that you
-   will be using are thread-safe.  Please contact the vendors of these
-   modules to obtain this information.</p>
+   in mind the following:  If you intend to use Apache with one of the 
+   threaded MPMs, you must ensure that the modules (and the libraries 
+   they depend on) that you will be using are thread-safe.  Please 
+   refer to the documentation of these modules and libraries to obtain 
+   this information.</p>
 
 </body>
 </html>
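Review bot: three of the rewrapped lines in the merged paragraph end in trailing whitespace, and "in mind the following:  If you intend" keeps a double space after the colon; trim both. Folding the thread-safety advice into the "please keep in mind" paragraph and pointing readers at "the documentation of these modules and libraries" instead of "the vendors of these modules" is fine as written.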