Posted to cvs@httpd.apache.org by jo...@apache.org on 2004/09/15 15:25:04 UTC

cvs commit: httpd-dist Announcement2.html

jorton      2004/09/15 06:25:04

  Modified:    .        Announcement2.html
  Log:
  Convert to HTML.
  
  Revision  Changes    Path
  1.48      +38 -24    httpd-dist/Announcement2.html
  
  Index: Announcement2.html
  ===================================================================
  RCS file: /home/cvs/httpd-dist/Announcement2.html,v
  retrieving revision 1.47
  retrieving revision 1.48
  diff -d -w -u -r1.47 -r1.48
  --- Announcement2.html	1 Jul 2004 16:55:41 -0000	1.47
  +++ Announcement2.html	15 Sep 2004 13:25:03 -0000	1.48
  @@ -14,44 +14,58 @@
   >
   <img src="../../images/apache_sub.gif" alt="">
   
  -<h1>Apache HTTP Server 2.0.50 Released</h1>
  +<h1>Apache HTTP Server 2.0.51 Released</h1>
   
   <p>The Apache Software Foundation and the  The Apache HTTP Server Project are
  -   pleased to announce the release of version 2.0.50 of the Apache HTTP
  +   pleased to announce the release of version 2.0.51 of the Apache HTTP
      Server ("Apache").  This Announcement notes the significant changes
  -   in 2.0.50 as compared to 2.0.49. The Announcement is also available in
  -   German and Japanese from:</p>
  +   in 2.0.51 as compared to 2.0.50.</p>
   
  -<dl>
  -  <dd><a href="http://www.apache.org/dist/httpd/Announcement2.html.de"
  -    >http://www.apache.org/dist/httpd/Announcement2.html.de</a></dd>
  -  <dd><a href="http://www.apache.org/dist/httpd/Announcement2.html.ja"
  -    >http://www.apache.org/dist/httpd/Announcement2.html.ja</a></dd>
  -</dl>
  +<p>This version of Apache is principally a bug fix release.  Of
  +   particular note is that 2.0.51 addresses five security
  +   vulnerabilities:</p>
   
  -<p>This version of Apache is principally a bug fix release.  A summary of
  -   the bug fixes is given at the end of this document.  Of particular
  -   note is that 2.0.50 addresses two security vulnerabilities:</p>
  +<p>An input validation issue in IPv6 literal address parsing which
  +   can result in a negative length parameter being passed to memcpy.<br>
  +   <code>[<a
  +   href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786"
  +   >CAN-2004-0786</a>]</code></p>
   
  -<p>A remotely triggered memory leak in http header parsing can allow a
  -   denial of service attack due to excessive memory consumption.<br>
  +<p>A buffer overflow in configuration file parsing could allow a
  +   local user to gain the privileges of a httpd child if the server
  +   can be forced to parse a carefully crafted .htaccess file.<br>
      <code>[<a
  -   href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493"
  -   >CAN-2004-0493</a>]</code></p>
  +   href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0747"
  +   >CAN-2004-0747</a>]</code></p>
   
  +<p>A segfault in mod_ssl which can be triggered by a malicious
  +   remote server, if proxying to SSL servers has been configured.<br>
  +   <code>[<a
  +   href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0751"
  +   >CAN-2004-0751</a>]</code></p>
   
  -<p>Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a
  -   (trusted) client certificate subject DN which exceeds 6K in length.<br>
  +<p>A potential infinite loop in mod_ssl which could be triggered 
  +   given particular timing of a connection abort.<br>
      <code>[<a 
  -   href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488"
  -   >CAN-2004-0488</a>]</code></p>
  +   href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748"
  +   >CAN-2004-0748</a>]</code></p>
  +
  +<p>A segfault in mod_dav_fs which can be remotely triggered by an
  +   indirect lock refresh request.<br>
  +   <code>[<a
  +   href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0809"
  +   >CAN-2004-0809</a>]</code></p>
   
  +<p>The Apache HTTP Server Project would like to thank Codenomicon for
  +   supplying copies of their "HTTP Test Tool" used to discover
  +   CAN-2004-0786, and to SITIC for reporting the discovery of
  +   CAN-2004-0747.</p>
   
   <p>This release is compatible with modules compiled for 2.0.42 and later
      versions.  We consider this release to be the best version of Apache
      available and encourage users of all prior versions to upgrade.</p>
      
  -<p>Apache 2.0.50 is available for download from</p>
  +<p>Apache 2.0.51 is available for download from</p>
   <dl>
     <dd><a href="http://httpd.apache.org/download.cgi">http://httpd.apache.org/download.cgi</a></dd>
   </dl>
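Review bot: The new CAN-2004-0786 paragraph ends at "a negative length parameter being passed to memcpy" without stating the consequence or who can trigger it, while the other four entries name an outcome (privilege gain, segfault, infinite loop) and three of them name the trigger. Add a clause giving the impact and reachability so administrators can prioritise the upgrade. In the acknowledgement paragraph, "would like to thank Codenomicon for ..., and to SITIC for reporting" is not parallel; "and SITIC for reporting" reads correctly. The unchanged context line "The Apache Software Foundation and the  The Apache HTTP Server Project" has a doubled "the  The" that could be fixed while this paragraph is being edited. Finally, the sentence "A summary of the bug fixes is given at the end of this document" is dropped and this is the only hunk in the diff, so any change list further down the file is untouched by this revision; check that it does not still describe 2.0.50.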