Posted to cvs@httpd.apache.org by wr...@apache.org on 2006/07/28 05:56:07 UTC
svn commit: r426374 - in /httpd/httpd/dist: Announcement2.2.html
Announcement2.2.txt
Author: wrowe
Date: Thu Jul 27 20:56:07 2006
New Revision: 426374
URL: http://svn.apache.org/viewvc?rev=426374&view=rev
Log:
Nice catch Noodl, no 1.3.38 here - and a grammar fix plus reflow for tomorrow.
Modified:
httpd/httpd/dist/Announcement2.2.html
httpd/httpd/dist/Announcement2.2.txt
Modified: httpd/httpd/dist/Announcement2.2.html
URL: http://svn.apache.org/viewvc/httpd/httpd/dist/Announcement2.2.html?rev=426374&r1=426373&r2=426374&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement2.2.html (original)
+++ httpd/httpd/dist/Announcement2.2.html Thu Jul 27 20:56:07 2006
@@ -26,19 +26,19 @@
<p>This version of Apache is principally a bug and security fix release.
The following potential security flaws are addressed;</p>
-<p><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747">CVE-2006-3747:</a>
+<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747"
+ >CVE-2006-3747:</a>
An off-by-one flaw exists in the Rewrite module, mod_rewrite,
as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.
</p>
-<p>Depending on the manner in which Apache HTTP Server was compiled, this software
-defect may result in a vulnerability which, in combination with certain types of
-Rewrite rules in the web server configuration files, could be triggered
-remotely. For vulnerable builds, the nature of the vulnerability can be denial
-of service (crashing of web server processes) or potentially allow arbitrary
-code execution. This issue has been rated as having important security impact
-by the Apache HTTP Server Security Team.</p>
+<p>Depending on the manner in which Apache HTTP Server was compiled, this
+software defect may result in a vulnerability which, in combination with
+certain types of Rewrite rules in the web server configuration files, could
+be triggered remotely. For vulnerable builds, the nature of the vulnerability
+can be denial of service (crashing of web server processes) or potentially
+allow arbitrary code execution. This issue has been rated as having important
+security impact by the Apache HTTP Server Security Team.</p>
<p>This flaw does not affect a default installation of Apache HTTP Server.
Users who do not use, or have not enabled, the Rewrite module mod_rewrite are
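Review bot: the context line "The following potential security flaws are addressed;" at the top of this hunk still ends in a semicolon where it introduces a list; since this commit is already a grammar pass, change it to a colon. The reflowed CVE-2006-3747 paragraph is word-for-word identical to the removed one, so the advisory wording (dependence on how the server was compiled, denial of service or potential arbitrary code execution, rated important) is unchanged by the rewrap.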
@@ -70,7 +70,8 @@
<dl>
<dd>
<a
-href="http://www.kb.cert.org/vuls/id/395412">http://www.kb.cert.org/vuls/id/395412</a>
+href="http://www.kb.cert.org/vuls/id/395412"
+ >http://www.kb.cert.org/vuls/id/395412</a>
</dd></dl>
<p>The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the
@@ -83,7 +84,8 @@
<p>Apache HTTP Server 2.2.3 is available for download from:</p>
<dl>
- <dd><a href="http://httpd.apache.org/download.cgi">http://httpd.apache.org/download.cgi</a></dd>
+ <dd><a href="http://httpd.apache.org/download.cgi"
+ >http://httpd.apache.org/download.cgi</a></dd>
</dl>
<p>
@@ -103,30 +105,28 @@
</p>
<p>
-Apache HTTP Server 1.3.38 and 2.0.59 legacy releases are also available
+Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also available
with this security fix. See the appropriate CHANGES from the url above.
-The Apache HTTP Project developers strongly encourages all users to
+The Apache HTTP Project developers strongly encourage all users to
migrate to Apache 2.2, as only limited maintenance is performed on these
legacy versions.
</p>
-<p>
-This release includes the <a href="http://apr.apache.org/">Apache Portable Runtime</a>
- (APR) version 1.2.7
+<p>This release includes the <a href="http://apr.apache.org/"
+>Apache Portable Runtime</a> (APR) version 1.2.7
bundled with the tar and zip distributions. The APR libraries libapr,
libaprutil, and (on Win32) libapriconv must all be updated to ensure
binary compatibility and address many known platform bugs.
</p>
-<p>
-This release
-builds on and extends the Apache 2.0 API. Modules written for Apache 2.0
-will need to be recompiled in order to run with Apache 2.2, but no
-substantial reworking should be necessary.
+<p>This release builds on and extends the Apache 2.0 API. Modules written
+for Apache 2.0 will need to be recompiled in order to run with Apache 2.2,
+but no substantial reworking should be necessary.
</p>
<dl>
- <dd><a href="http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING">
-http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING</a></dd>
+ <dd><a
+href="http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING"
+> http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING</a></dd>
</dl>
<p>
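Review bot: the sentence corrected to "strongly encourage" still names "The Apache HTTP Project developers", while the acknowledgement earlier in this same file reads "The Apache HTTP Server project thanks Mark Dowd"; use "Apache HTTP Server Project" here as well so the announcement names the project consistently. In the last rewrapped anchor, "> http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING" leaves a space inside the link text, unlike the other anchors in this commit where the text follows ">" directly; drop that space.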
Modified: httpd/httpd/dist/Announcement2.2.txt
URL: http://svn.apache.org/viewvc/httpd/httpd/dist/Announcement2.2.txt?rev=426374&r1=426373&r2=426374&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement2.2.txt (original)
+++ httpd/httpd/dist/Announcement2.2.txt Thu Jul 27 20:56:07 2006
@@ -47,7 +47,7 @@
provider of their web server. Statements from vendors can be obtained from
the US-CERT vulnerability note for this issue at:
- http://www.kb.cert.org/vuls/id/395412
+ http://www.kb.cert.org/vuls/id/395412
The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for
the responsible reporting of this vulnerability.
@@ -57,20 +57,20 @@
Apache HTTP Server 2.2.3 is available for download from:
- http://httpd.apache.org/download.cgi
+ http://httpd.apache.org/download.cgi
Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features introduced
since 2.0 please see:
- http://httpd.apache.org/docs/2.2/new_features_2_2.html
+ http://httpd.apache.org/docs/2.2/new_features_2_2.html
Please see the CHANGES_2.2 file, linked from the download page, for a full
list of changes.
- Apache HTTP Server 1.3.38 and 2.0.59 legacy releases are also available
+ Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also available
with this security fix. See the appropriate CHANGES from the url above.
- The Apache HTTP Project developers strongly encourages all users to
+ The Apache HTTP Project developers strongly encourage all users to
migrate to Apache 2.2, as only limited maintenance is performed on these
legacy versions.
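Review bot: "See the appropriate CHANGES from the url above" in the corrected legacy-release paragraph is ambiguous, because the nearest URL above it is the new_features_2_2.html link, not the download page that the preceding sentence says the CHANGES_2.2 file is linked from. Suggest wording such as "See the appropriate CHANGES file, linked from the download page", and capitalize "URL" if the word is kept. The same sentence appears in Announcement2.2.html and should be changed there too.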
@@ -83,7 +83,7 @@
Apache 2.0 will need to be recompiled in order to run with Apache 2.2, but
no substantial reworking should be necessary.
- http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
+ http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs, you must