You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ji...@apache.org on 2015/10/09 19:38:57 UTC
svn commit: r10757 [1/3] - /dev/httpd/
Author: jim
Date: Fri Oct 9 17:38:56 2015
New Revision: 10757
Log:
Preload 2.4.17 test tarballs.
Added:
dev/httpd/CHANGES_2.4
dev/httpd/CHANGES_2.4.17
dev/httpd/httpd-2.4.17-deps.tar.bz2 (with props)
dev/httpd/httpd-2.4.17-deps.tar.bz2.asc (with props)
dev/httpd/httpd-2.4.17-deps.tar.bz2.md5
dev/httpd/httpd-2.4.17-deps.tar.bz2.sha1
dev/httpd/httpd-2.4.17-deps.tar.gz (with props)
dev/httpd/httpd-2.4.17-deps.tar.gz.asc (with props)
dev/httpd/httpd-2.4.17-deps.tar.gz.md5
dev/httpd/httpd-2.4.17-deps.tar.gz.sha1
dev/httpd/httpd-2.4.17.tar.bz2 (with props)
dev/httpd/httpd-2.4.17.tar.bz2.asc (with props)
dev/httpd/httpd-2.4.17.tar.bz2.md5
dev/httpd/httpd-2.4.17.tar.bz2.sha1
dev/httpd/httpd-2.4.17.tar.gz (with props)
dev/httpd/httpd-2.4.17.tar.gz.asc (with props)
dev/httpd/httpd-2.4.17.tar.gz.md5
dev/httpd/httpd-2.4.17.tar.gz.sha1
Modified:
dev/httpd/Announcement2.4.html
dev/httpd/Announcement2.4.txt
Modified: dev/httpd/Announcement2.4.html
==============================================================================
--- dev/httpd/Announcement2.4.html (original)
+++ dev/httpd/Announcement2.4.html Fri Oct 9 17:38:56 2015
@@ -15,59 +15,32 @@
<img src="../../images/apache_sub.gif" alt="" />
<h1>
- Apache HTTP Server 2.4.16 Released
+ Apache HTTP Server 2.4.17 Released
</h1>
<p>
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to <a href="http://www.apache.org/dist/httpd/Announcement2.4.html">announce</a>
- the release of version 2.4.16 of the Apache
+ the release of version 2.4.17 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of
innovation by the project, and is recommended over all previous releases. This
- release of Apache is principally a security, feature
- and bug fix release. NOTE: versions 2.4.13, 2.4.14 and 2.4.15 were not released.
+ release of Apache is principally a feature
+ and bug fix release.
</p>
-<ul>
-<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183">CVE-2015-3183</a>
- core: Fix chunk header parsing defect.
- Remove apr_brigade_flatten(), buffering and duplicated code from
- the HTTP_IN filter, parse chunks in a single pass with zero copy.
- Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
- authorized characters.
-</li>
-<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3185">CVE-2015-3185</a>
- Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
- with new ap_some_authn_required and ap_force_authn hook.
-</li>
-<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0253">CVE-2015-0253</a>
- core: Fix a crash with ErrorDocument 400 pointing to a local URL-path
- with the INCLUDES filter active, introduced in 2.4.11. PR 57531.
-</li>
-<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0228">CVE-2015-0228</a>
- mod_lua: A maliciously crafted websockets PING after a script
- calls r:wsupgrade() can cause a child process crash.
-</li>
-</ul>
<p>
- Also in this release are some exciting new features including:
+ In this release are some exciting new features including:
</p>
<ul>
- <li>Better default recommended SSLCipherSuite and SSLProxyCipherSuite</ul>
- <li>mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate
- response header to be used by the application</ul>
- <li>Event MPM improvements</ul>
- <li>Various mod_proxy_* improvements</ul>
- <li>mod_log_config: Add <code>"%{UNIT}T"</code> format to output request duration in
- seconds, milliseconds or microseconds depending on UNIT (<code>"s"</code>, <code>"ms"</code>,
- <code>"us"</code>)</ul>
+ <li>HTTP/2 support via mod_http2 module</ul>
+ <li>Support for <code>SO_REUSEPORT</code> in MPMs for significant scalability</ul>
</ul>
<p>
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
</p>
<p>
- Apache HTTP Server 2.4.16 is available for download from:
+ Apache HTTP Server 2.4.17 is available for download from:
</p>
<dl>
<dd><a href="http://httpd.apache.org/download.cgi"
@@ -75,7 +48,7 @@
</dl>
<p>
Please see the CHANGES_2.4 file, linked from the download page, for a
- full list of changes. A condensed list, CHANGES_2.4.16 includes only
+ full list of changes. A condensed list, CHANGES_2.4.17 includes only
those changes introduced since the prior 2.4 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:
Modified: dev/httpd/Announcement2.4.txt
==============================================================================
--- dev/httpd/Announcement2.4.txt (original)
+++ dev/httpd/Announcement2.4.txt Fri Oct 9 17:38:56 2015
@@ -1,48 +1,22 @@
- Apache HTTP Server 2.4.16 Released
+ Apache HTTP Server 2.4.17 Released
The Apache Software Foundation and the Apache HTTP Server Project
- are pleased to announce the release of version 2.4.16 of the Apache
+ are pleased to announce the release of version 2.4.17 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
- principally a security, feature and bug fix release. NOTE: versions
- 2.4.13, 2.4.14 and 2.4.15 were not released.
+ principally a feature and bug fix release.
- CVE-2015-3183 (cve.mitre.org)
- core: Fix chunk header parsing defect.
- Remove apr_brigade_flatten(), buffering and duplicated code from
- the HTTP_IN filter, parse chunks in a single pass with zero copy.
- Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
- authorized characters.
-
- CVE-2015-3185 (cve.mitre.org)
- Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
- with new ap_some_authn_required and ap_force_authn hook.
-
- CVE-2015-0253 (cve.mitre.org)
- core: Fix a crash with ErrorDocument 400 pointing to a local URL-path
- with the INCLUDES filter active, introduced in 2.4.11. PR 57531.
-
- CVE-2015-0228 (cve.mitre.org)
- mod_lua: A maliciously crafted websockets PING after a script
- calls r:wsupgrade() can cause a child process crash.
-
- Also in this release are some exciting new features including:
-
- *) Better default recommended SSLCipherSuite and SSLProxyCipherSuite
- *) mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate
- response header to be used by the application
- *) Event MPM improvements
- *) Various mod_proxy_* improvements
- *) mod_log_config: Add "%{UNIT}T" format to output request duration in
- seconds, milliseconds or microseconds depending on UNIT ("s", "ms",
- "us")
+ In this release are some exciting new features including:
+
+ *) HTTP/2 support via mod_http2 module
+ *) Support for SO_REUSEPORT in MPMs for significant scalability
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
- Apache HTTP Server 2.4.16 is available for download from:
+ Apache HTTP Server 2.4.17 is available for download from:
http://httpd.apache.org/download.cgi
@@ -53,7 +27,7 @@
http://httpd.apache.org/docs/trunk/new_features_2_4.html
Please see the CHANGES_2.4 file, linked from the download page, for a
- full list of changes. A condensed list, CHANGES_2.4.16 includes only
+ full list of changes. A condensed list, CHANGES_2.4.17 includes only
those changes introduced since the prior 2.4 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available: