Posted to cvs@httpd.apache.org by wr...@apache.org on 2017/07/06 19:28:46 UTC
svn commit: r20352 [1/3] - /dev/httpd/
Author: wrowe
Date: Thu Jul 6 19:28:45 2017
New Revision: 20352
Log:
Share 2.2.34 candidate, draft Announce and update relevant CHANGES
Added:
dev/httpd/CHANGES_2.2.34
dev/httpd/httpd-2.2.34-win32-src.zip (with props)
dev/httpd/httpd-2.2.34-win32-src.zip.asc (with props)
dev/httpd/httpd-2.2.34-win32-src.zip.md5
dev/httpd/httpd-2.2.34-win32-src.zip.sha1
dev/httpd/httpd-2.2.34-win32-src.zip.sha256
dev/httpd/httpd-2.2.34.tar.bz2 (with props)
dev/httpd/httpd-2.2.34.tar.bz2.asc (with props)
dev/httpd/httpd-2.2.34.tar.bz2.md5
dev/httpd/httpd-2.2.34.tar.bz2.sha1
dev/httpd/httpd-2.2.34.tar.bz2.sha256
dev/httpd/httpd-2.2.34.tar.gz (with props)
dev/httpd/httpd-2.2.34.tar.gz.asc (with props)
dev/httpd/httpd-2.2.34.tar.gz.md5
dev/httpd/httpd-2.2.34.tar.gz.sha1
dev/httpd/httpd-2.2.34.tar.gz.sha256
Removed:
dev/httpd/CHANGES_2.2.33
dev/httpd/httpd-2.2.33-win32-src.zip
dev/httpd/httpd-2.2.33-win32-src.zip.asc
dev/httpd/httpd-2.2.33-win32-src.zip.md5
dev/httpd/httpd-2.2.33-win32-src.zip.sha1
dev/httpd/httpd-2.2.33-win32-src.zip.sha256
dev/httpd/httpd-2.2.33.tar.bz2
dev/httpd/httpd-2.2.33.tar.bz2.asc
dev/httpd/httpd-2.2.33.tar.bz2.md5
dev/httpd/httpd-2.2.33.tar.bz2.sha1
dev/httpd/httpd-2.2.33.tar.bz2.sha256
dev/httpd/httpd-2.2.33.tar.gz
dev/httpd/httpd-2.2.33.tar.gz.asc
dev/httpd/httpd-2.2.33.tar.gz.md5
dev/httpd/httpd-2.2.33.tar.gz.sha1
dev/httpd/httpd-2.2.33.tar.gz.sha256
Modified:
dev/httpd/Announcement2.2.html
dev/httpd/Announcement2.2.txt
dev/httpd/CHANGES_2.2
Modified: dev/httpd/Announcement2.2.html
==============================================================================
--- dev/httpd/Announcement2.2.html (original)
+++ dev/httpd/Announcement2.2.html Thu Jul 6 19:28:45 2017
@@ -1,142 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<title>Apache HTTP Server Project</title>
-<style type="text/css">
- body {
- background: white;
- color: #111111;
- font-family: Arial, Helvetica, sans-serif;
- font-size: 18px;
- margin-left: auto;
- margin-right: auto;
- padding-left: 8px;
- padding-right: 8px;
- max-width: 45em;
- }
-
- a {
- color: blue;
- }
-
- a:visited {
- color: #000080;
- }
-
- a:active {
- color: red;
- }
-
- div.banner {
- background: rgb(48, 69, 88);
- margin-top: -28px;
- margin-bottom: 1.5em;
- height: 28px;
- }
-
- p, ul {
- line-height: 1.3em;
- }
-
- li {
- margin-bottom: 0.4em;
- }
-</style>
-</head>
-
-<body>
-<img src="httpd_logo_wide_new.png" alt="" />
-<div class="banner"></div>
-
-<h1>
- Apache HTTP Server 2.2.32 Released
-</h1>
-<p>
- January 13, 2017
-</p>
-<p>
- The Apache Software Foundation and the Apache HTTP Server Project are
- pleased to announce the release of version 2.2.32 of the Apache HTTP
- Server ("Apache"). This version of Apache is principally a security
- and bug fix maintenance release, and addresses these specific security
- defects as well as other fixes;
-</p>
-<ul>
-<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743">CVE-2016-8743</a>
- Enforce HTTP request grammar corresponding to RFC7230 for request
- lines and request headers, to prevent response splitting and cache
- pollution by malicious clients or downstream proxies.
-</li>
-</ul>
-<p>
- We consider the Apache HTTP Server 2.4 release to be the best version
- of Apache available, and encourage users of 2.2 and all prior versions
- to upgrade. This 2.2 maintenance release is offered for those unable
- to upgrade at this time.
-</p>
-<p>
- Please note that Apache Web Server Project will only provide maintenance
- releases of the 2.2.x flavor through June of 2017, and will provide some
- security patches beyond this date through at least December of 2017.
- Minimal maintenance patches of 2.2.x are expected throughout this period,
- and users are strongly encouraged to promptly complete their transitions
- to the the 2.4.x flavor of httpd to benefit from a much larger assortment
- of minor security and bug fixes as well as new features.
-</p>
-<p>
- For further details, see:
-</p>
-<dl>
- <dd><a href="http://www.apache.org/dist/httpd/Announcement2.4.html"
- >http://www.apache.org/dist/httpd/Announcement2.4.html</a></dd>
-</dl>
-<p>
- Apache HTTP Server 2.4 and 2.2.32 are available for download from:
-</p>
-<dl>
- <dd><a href="http://httpd.apache.org/download.cgi"
- >http://httpd.apache.org/download.cgi</a></dd>
-</dl>
-<p>
- Please see the CHANGES_2.2 file, linked from the download page, for a
- full list of changes. A condensed list, CHANGES_2.2.32 includes only
- those changes introduced since the prior 2.2 release. A summary of all
- of the security vulnerabilities addressed in this and earlier releases
- is available:
-</p>
-<dl>
- <dd><a href="http://httpd.apache.org/security/vulnerabilities_22.html"
- >http://httpd.apache.org/security/vulnerabilities_22.html</a>
- </dd>
-</dl>
-<p>
- This release includes the Apache Portable Runtime (APR) version 1.5.2
- and APR Utility Library (APR-util) version 1.5.4, bundled with the tar
- and zip distributions. The APR libraries libapr and libaprutil (and
- on Win32, libapriconv version 1.2.1) must all be updated to ensure
- binary compatibility and address many known security and platform bugs.
- APR version 1.5 and APR-util version 1.5 represent minor version upgrades
- from earlier httpd 2.2 source distributions.
-</p>
-<p>
- Note this package also includes very stale and known-vulnerable versions
- of the Expat [<a href="http://expat.sourceforge.net/"
- >http://expat.sourceforge.net/</a>] and PCRE [<a
- href="http://www.pcre.org/">http://www.pcre.org/</a>]
- packages. Users are strongly encouraged to first install the most recent
- versions of these components (of PCRE 8.x, not PCRE2 10.x at this time.)
-</p>
-<p>
- This release builds on and extends the Apache 2.0 API and is superceeded
- by the Apache 2.4 API. Modules written for Apache 2.0 or 2.4 will need
- to be recompiled in order to run with Apache 2.2, and most will require
- minimal or no source code changes.
-</p>
-<p>
- When upgrading or installing this version of Apache, please bear in mind
- that if you intend to use Apache with one of the threaded MPMs (other
- than the Prefork MPM), you must ensure that any modules you will be
- using (and the libraries they depend on) are thread-safe.
-</p>
-</body>
-</html>
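Review bot: the hunk header `@@ -1,142 +0,0 @@` reduces Announcement2.2.html to an empty file, yet the path is listed under "Modified:" rather than "Removed:", so a zero-length Announcement2.2.html will remain in dev/httpd/ alongside the updated Announcement2.2.txt. If the HTML announcement is being dropped for 2.2.34, `svn rm` it so it is removed from the dist tree; if it is meant to stay, it should carry the same 2.2.34 text the .txt hunk adds (new CVE list, end-of-life wording, apply_to_2.2.34 patch URL) instead of being blanked.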
Modified: dev/httpd/Announcement2.2.txt
==============================================================================
--- dev/httpd/Announcement2.2.txt (original)
+++ dev/httpd/Announcement2.2.txt Thu Jul 6 19:28:45 2017
@@ -1,47 +1,69 @@
- Apache HTTP Server 2.2.32 Released
+ Apache HTTP Server 2.2.34 Released
- January 13, 2017
+ July 10, 2017
The Apache Software Foundation and the Apache HTTP Server Project are
- pleased to announce the release of version 2.2.32 of the Apache HTTP
+ pleased to announce the release of version 2.2.34 of the Apache HTTP
Server ("Apache"). This version of Apache is principally a security
and bug fix maintenance release, and addresses these specific security
defects as well as other fixes;
- CVE-2016-8743 (cve.mitre.org)
- Enforce HTTP request grammar corresponding to RFC7230 for request
- lines and request headers, to prevent response splitting and cache
- pollution by malicious clients or downstream proxies.
-
- We consider the Apache HTTP Server 2.4 release to be the best version
- of Apache available, and encourage users of 2.2 and all prior versions
- to upgrade. This 2.2 maintenance release is offered for those unable
- to upgrade at this time.
-
- Please note that Apache Web Server Project will only provide maintenance
- releases of the 2.2.x flavor through June of 2017, and will provide some
- security patches beyond this date through at least December of 2017.
- Minimal maintenance patches of 2.2.x are expected throughout this period,
- and users are strongly encouraged to promptly complete their transitions
- to the the 2.4.x flavor of httpd to benefit from a much larger assortment
- of minor security and bug fixes as well as new features.
+ CVE-2017-7668 (cve.mitre.org)
+ The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+ bug in token list parsing, which allows ap_find_token() to search past
+ the end of its input string. By maliciously crafting a sequence of
+ request headers, an attacker may be able to cause a segmentation fault,
+ or to force ap_find_token() to return an incorrect value.
+
+ CVE-2017-3169 (cve.mitre.org)
+ mod_ssl may dereference a NULL pointer when third-party modules call
+ ap_hook_process_connection() during an HTTP request to an HTTPS port.
+
+ CVE-2017-3167 (cve.mitre.org)
+ Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+ authentication phase may lead to authentication requirements being
+ bypassed.
+
+ CVE-2017-7679 (cve.mitre.org)
+ Enforce HTTP request grammar corresponding to RFC7230 for request.
+ mod_mime can read one byte past the end of a buffer when sending a
+ malicious Content-Type response header.
+
+ We consider the current Apache HTTP Server 2.4 release to be the best
+ version of Apache available, and encourage every user of 2.2 and all
+ prior versions to upgrade. This 2.2 final release is offered for those
+ unable to upgrade at this moment.
+
+ Take note that Apache Web Server Project will provide no future release
+ of the 2.2.x series, although some security patches may be published
+ through December of 2017. These will be collected at the URL;
+
+ http://www.apache.org/dist/httpd/patches/apply_to_2.2.34/
+
+ No further maintenance patches of 2.2.x will be published. Users are
+ strongly encouraged to promptly complete their transitions to the
+ 2.4.x flavor of httpd to receive any future benefit from the user
+ community or the Apache HTTP Server project developers.
- For further details, see:
+ For further details about the currently supported release, see:
http://www.apache.org/dist/httpd/Announcement2.4.txt
- Apache HTTP Server 2.4 and 2.2.32 are available for download from:
+ Apache HTTP Server 2.4 and 2.2.34 are available for download from:
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.2 file, linked from the download page, for a
- full list of changes. A condensed list, CHANGES_2.2.32 includes only
+ full list of changes. A condensed list, CHANGES_2.2.34 includes only
those changes introduced since the prior 2.2 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:
http://httpd.apache.org/security/vulnerabilities_22.html
+ Note that the Apache HTTP Server project will discontinue evaluations
+ and corresponding advisories to this resource effective January, 2018.
+
This release includes the Apache Portable Runtime (APR) version 1.5.2
and APR Utility Library (APR-util) version 1.5.4, bundled with the tar
and zip distributions. The APR libraries libapr and libaprutil (and
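Review bot: the added line "Enforce HTTP request grammar corresponding to RFC7230 for request." under the CVE-2017-7679 entry is a stray fragment of the old CVE-2016-8743 description removed earlier in this hunk (see the `-` lines beginning "Enforce HTTP request grammar corresponding to RFC7230 for request") and is unrelated to the mod_mime Content-Type over-read described on the two lines that follow it; drop that line so the entry reads "CVE-2017-7679 (cve.mitre.org) / mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header." Minor: "These will be collected at the URL;" should end with a colon before the apply_to_2.2.34 link, and "effective January, 2018" reads better as "effective January 2018".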