Posted to cvs@httpd.apache.org by ji...@apache.org on 2007/08/07 20:31:13 UTC

svn commit: r563606 - in /httpd/site/trunk/dist: Announcement1.3.html Announcement1.3.txt Announcement2.0.html Announcement2.0.txt Announcement2.2.html Announcement2.2.txt README.html

Author: jim
Date: Tue Aug  7 11:31:12 2007
New Revision: 563606

URL: http://svn.apache.org/viewvc?view=rev&rev=563606
Log:
Pre-edit the announcements for the release.

DO NOT UPDATE THE LIVE SITE!

Modified:
    httpd/site/trunk/dist/Announcement1.3.html
    httpd/site/trunk/dist/Announcement1.3.txt
    httpd/site/trunk/dist/Announcement2.0.html
    httpd/site/trunk/dist/Announcement2.0.txt
    httpd/site/trunk/dist/Announcement2.2.html
    httpd/site/trunk/dist/Announcement2.2.txt
    httpd/site/trunk/dist/README.html

Modified: httpd/site/trunk/dist/Announcement1.3.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement1.3.html?view=diff&rev=563606&r1=563605&r2=563606
==============================================================================
--- httpd/site/trunk/dist/Announcement1.3.html (original)
+++ httpd/site/trunk/dist/Announcement1.3.html Tue Aug  7 11:31:12 2007
@@ -15,86 +15,56 @@
 <IMG SRC="../../images/apache_sub.gif" ALT="">
 
 
-<h1>Apache HTTP Server 1.3.37 Released</h1>
+<h1>Apache HTTP Server 1.3.38 Released</h1>
                                        
 <p>The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the release of version 1.3.37 of the Apache HTTP
+   pleased to announce the release of version 1.3.38 of the Apache HTTP
    Server ("Apache").  This Announcement notes the significant change
-   in 1.3.37 as compared to 1.3.36.</p>
+   in 1.3.38 as compared to 1.3.37.</p>
 
 <p>This version of Apache is security fix release only.</p>
 
-<p><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747">CVE-2006-3747:</a>
-An off-by-one flaw exists in the Rewrite module, mod_rewrite,
-as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.
-</p>
-
-<p>Depending on the manner in which Apache HTTP Server was compiled, this software
-defect may result in a vulnerability which, in combination with certain types of
-Rewrite rules in the web server configuration files, could be triggered
-remotely.  For vulnerable builds, the nature of the vulnerability can be denial
-of service (crashing of web server processes) or potentially allow arbitrary
-code execution.  This issue has been rated as having important security impact
-by the Apache HTTP Server Security Team.</p>
-
-<p>This flaw does not affect a default installation of Apache HTTP Server.
-Users who do not use, or have not enabled, the Rewrite module mod_rewrite are
-not affected by this issue.  This issue only affects installations using a
-Rewrite rule with the following characteristics:</p>
- 
-<ul><li>The RewriteRule allows the attacker to control the initial part of
-  the rewritten URL (for example if the substitution URL starts with $1)</li>
-<li>The RewriteRule flags do NOT include any of the following flags:
-  Forbidden (F), Gone (G), or NoEscape (NE).</li></ul>
-
-<p>Please note that ability to exploit this issue is dependent on the
-stack layout for a particular compiled version of mod_rewrite. If the
-compiler used to compile Apache HTTP Server has added padding to the
-stack immediately after the buffer being overwritten, it will not be
-possible to exploit this issue, and Apache HTTP Server will continue
-operating normally.</p>
-
-<p>The Apache HTTP Server project recommends that all users who have
-built Apache from source apply the patch or upgrade to the latest
-level and rebuild.  Providers of Apache-based web servers in
-pre-compiled form will be able to determine if this vulnerability
-applies to their builds.  That determination has no bearing on any
-other builds of Apache HTTP Server, and Apache HTTP Server users are
-urged to exercise caution and apply patches or upgrade unless they
-have specific instructions from the provider of their web server.
-Statements from vendors can be obtained from the US-CERT vulnerability
-note for this issue at:
-<dl>
-<dd>
-<a
-href="http://www.kb.cert.org/vuls/id/395412">http://www.kb.cert.org/vuls/id/395412</a>
-</dd></dl>
+<ul>
+<li><a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752">CVE-2006-5752:</a>
+mod_status: Fix a possible XSS attack against a site with a public
+server-status page and ExtendedStatus enabled, for browsers which
+perform charset "detection".
+</li>
+
+<li><a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304">CVE-2007-3304:</a>
+Ensure that the parent process cannot be forced to kill non-child
+processes by checking scoreboard PID data with parent process
+privately stored PID data.
+</li>
 
-<p>The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the
-responsible reporting of this vulnerability.</p>
+</ul>
 
+<p>Please note that ability to exploit this issue is dependent on running
+untrusted 3rd party modules or untrusted server-side code.</p>
 
-<!--<p>Please see the CHANGES_1.3 file in this same directory for a full list
-   of changes.</p>-->
-
-<p>Apache 1.3.37 is the current stable release of the Apache 1.3 family.
+<p>Apache 1.3.38 is the current stable release of the Apache 1.3 family.
    We strongly recommend that users of all earlier versions, including 
    1.3 family release, upgrade to to the current 2.2 version as soon
    as possible.</p>
 
-<p>We recommend Apache 1.3.37 version for users who require a third party
+<p>We recommend Apache 1.3.38 version for users who require a third party
    module that is not yet available as an Apache 2.x module.  Modules
    compiled for Apache 2.x are not compatible with Apache 1.3, and modules
    compiled for Apache 1.3 are not compatible with Apache 2.x.</p>
 
-<p>Apache 1.3.37 is available for download from</p>
+<p>Apache 1.3.38 is available for download from</p>
 <dl>
     <dd><a href="http://httpd.apache.org/download.cgi"
           >http://httpd.apache.org/download.cgi</a></dd>
 
 </dl>
 
+<p>Please see the CHANGES_1.3 file, linked from the above page, for
+   a full list of changes.  A condensed list, CHANGES_1.3.38 provides
+   the complete list of changes since 1.3.37.</p>
+
 <p>This service utilizes the network of mirrors listed at:</p>
 <dl>
     <dd><a href="http://www.apache.org/mirrors/"
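Review bot: the caveat added after the list, "Please note that ability to exploit this issue is dependent on running untrusted 3rd party modules or untrusted server-side code.", follows two CVEs, so "this issue" is ambiguous; it applies only to CVE-2007-3304 (the .txt counterpart in this commit keeps it inside that bullet), so either move it into the CVE-2007-3304 <li> or name the CVE. The CVE-2006-5752 item here also omits "Reported by Stefan Esser", which the Major changes section and the .txt version include. While this file is open, the unchanged context still reads "upgrade to to the current 2.2 version" and "This version of Apache is security fix release only." (missing "a"), and "A condensed list, CHANGES_1.3.38 provides" needs a comma after the file name.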
@@ -128,18 +98,22 @@
    of the servers on the Internet run Apache HTTP Server, or one of its
    variants.</p>
 
-<h2>Apache 1.3.37 Major changes</h2>
+<h2>Apache 1.3.38 Major changes</h2>
 
 <h3>Security vulnerabilities</h3>
 
 <p>
-   The main security vulnerabilities addressed in 1.3.37 are:
+   The main security vulnerabilities addressed in 1.3.38 are:
 </p>
 <dl>
-<dt>SECURITY: CVE-2006-3747 (cve.mitre.org)</dt>
-<dd>mod_rewrite: Fix an off-by-one security problem in the ldap scheme
-handling.  For some RewriteRules this could lead to a pointer being
-written out of bounds.  Reported by Mark Dowd of McAfee Avert Labs.</dd>
+<dt>CVE-2006-5752 (cve.mitre.org)</dt>
+<dd>mod_status: Fix a possible XSS attack against a site with a public
+server-status page and ExtendedStatus enabled, for browsers which
+perform charset "detection".  Reported by Stefan Esser.</dd>
+<dt>CVE-2007-3304 (cve.mitre.org)</dt>
+<dd>Ensure that the parent process cannot be forced to kill non-child
+processes by checking scoreboard PID data with parent process
+privately stored PID data.</dd>
 </dl>
 <!--
 <h3>New features</h3>
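Review bot: the new CVE-2007-3304 entry says "checking scoreboard PID data with parent process privately stored PID data"; "checking ... against" is the intended reading. The <dt> lines also drop the "SECURITY:" prefix that the replaced entry used; if that prefix is being retired, make sure the same section in the other announcement files is changed the same way so the formats stay aligned.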

Modified: httpd/site/trunk/dist/Announcement1.3.txt
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement1.3.txt?view=diff&rev=563606&r1=563605&r2=563606
==============================================================================
--- httpd/site/trunk/dist/Announcement1.3.txt (original)
+++ httpd/site/trunk/dist/Announcement1.3.txt Tue Aug  7 11:31:12 2007
@@ -1,67 +1,36 @@
-                       Apache HTTP Server 1.3.37 Released
+                       Apache HTTP Server 1.3.38 Released
 
    The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the release of version 1.3.37 of the Apache HTTP
+   pleased to announce the release of version 1.3.38 of the Apache HTTP
    Server ("Apache"). This Announcement notes the significant change in
-   1.3.37 as compared to 1.3.36.
+   1.3.38 as compared to 1.3.37.
 
-   This version of Apache is security fix release only.
+   This version of Apache is security fix release only:
 
-   CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
-   mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
-   and 2.2 since 2.2.0.
-
-   Depending on the manner in which Apache HTTP Server was compiled, this
-   software defect may result in a vulnerability which, in combination with
-   certain types of Rewrite rules in the web server configuration files,
-   could be triggered remotely. For vulnerable builds, the nature of the
-   vulnerability can be denial of service (crashing of web server processes)
-   or potentially allow arbitrary code execution. This issue has been rated
-   as having important security impact by the Apache HTTP Server Security
-   Team.
-
-   This flaw does not affect a default installation of Apache HTTP Server.
-   Users who do not use, or have not enabled, the Rewrite module mod_rewrite
-   are not affected by this issue. This issue only affects installations
-   using a Rewrite rule with the following characteristics:
-
-     * The RewriteRule allows the attacker to control the initial part of the
-       rewritten URL (for example if the substitution URL starts with $1)
-     * The RewriteRule flags do NOT include any of the following flags:
-       Forbidden (F), Gone (G), or NoEscape (NE).
-
-   Please note that ability to exploit this issue is dependent on the stack
-   layout for a particular compiled version of mod_rewrite. If the compiler
-   used to compile Apache HTTP Server has added padding to the stack
-   immediately after the buffer being overwritten, it will not be possible to
-   exploit this issue, and Apache HTTP Server will continue operating
-   normally.
-
-   The Apache HTTP Server project recommends that all users who have built
-   Apache from source apply the patch or upgrade to the latest level and
-   rebuild. Providers of Apache-based web servers in pre-compiled form will
-   be able to determine if this vulnerability applies to their builds. That
-   determination has no bearing on any other builds of Apache HTTP Server,
-   and Apache HTTP Server users are urged to exercise caution and apply
-   patches or upgrade unless they have specific instructions from the
-   provider of their web server. Statements from vendors can be obtained from
-   the US-CERT vulnerability note for this issue at:
+     * CVE-2006-5752 (cve.mitre.org)
+       A possible XSS attack exist against a site with a public
+       server-status page and ExtendedStatus enabled, for browsers which
+       perform charset "detection".  Reported by Stefan Esser.
 
-           http://www.kb.cert.org/vuls/id/395412
+     * CVE-2007-3304 (cve.mitre.org)
+       The Apache parent process can be tricked into sending signals
+       to non-Apache child processes. Please note that ability
+       to exploit this issue is dependent on running untrusted 3rd party
+       modules or untrusted server-side code.
 
-   The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for
-   the responsible reporting of this vulnerability.
+   Please see the CHANGES_1.3.38 file in this directory for a full list
+   of changes for this version.
 
-   Apache 1.3.37 is the current stable release of the Apache 1.3 family. We
+   Apache 1.3.38 is the current stable release of the Apache 1.3 family. We
    strongly recommend that users of all earlier versions, including 1.3
    family release, upgrade to to the current 2.2 version as soon as possible.
 
-   We recommend Apache 1.3.37 version for users who require a third party
+   We recommend Apache 1.3.38 version for users who require a third party
    module that is not yet available as an Apache 2.x module. Modules compiled
    for Apache 2.x are not compatible with Apache 1.3, and modules compiled
    for Apache 1.3 are not compatible with Apache 2.x.
 
-   Apache 1.3.37 is available for download from
+   Apache 1.3.38 is available for download from
 
            http://httpd.apache.org/download.cgi
 
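Review bot: "A possible XSS attack exist against a site" should read "exists". The CVE-2007-3304 wording here ("can be tricked into sending signals to non-Apache child processes") differs from the HTML version in this same commit ("cannot be forced to kill non-child processes"), and "non-Apache child processes" is confusing because the point is processes that are not Apache's children at all; align the two descriptions. "This version of Apache is security fix release only:" is also missing "a".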
@@ -93,14 +62,19 @@
    the servers on the Internet run Apache HTTP Server, or one of its
    variants.
 
-Apache 1.3.37 Major changes
+Apache 1.3.38 Major changes
 
   Security vulnerabilities
 
-   The main security vulnerabilities addressed in 1.3.37 are:
+   The main security vulnerabilities addressed in 1.3.38 are:
 
-   SECURITY: CVE-2006-3747 (cve.mitre.org)
-           mod_rewrite: Fix an off-by-one security problem in the ldap scheme
-           handling. For some RewriteRules this could lead to a pointer being
-           written out of bounds. Reported by Mark Dowd of McAfee Avert Labs.
 
+    CVE-2006-5752 (cve.mitre.org)
+     mod_status: Fix a possible XSS attack against a site with a public
+     server-status page and ExtendedStatus enabled, for browsers which
+     perform charset "detection".  Reported by Stefan Esser.
+
+    CVE-2007-3304 (cve.mitre.org)
+     Ensure that the parent process cannot be forced to kill non-child
+     processes by checking scoreboard PID data with parent process
+     privately stored PID data.
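Review bot: removing the four SECURITY lines leaves two consecutive blank lines between "are:" and the CVE-2006-5752 entry; drop one. The new entries use a 4-space/5-space indentation while the block they replace used the 3-space/11-space layout of the rest of this file; match the existing layout.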

Modified: httpd/site/trunk/dist/Announcement2.0.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.0.html?view=diff&rev=563606&r1=563605&r2=563606
==============================================================================
--- httpd/site/trunk/dist/Announcement2.0.html (original)
+++ httpd/site/trunk/dist/Announcement2.0.html Tue Aug  7 11:31:12 2007
@@ -14,12 +14,12 @@
 >
 <img src="../../images/apache_sub.gif" alt="">
 
-<h1>Apache HTTP Server 2.0.59 Released</h1>
+<h1>Apache HTTP Server 2.0.60 Released</h1>
 
 <p>The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the legacy release of version 2.0.59 of the Apache HTTP
+   pleased to announce the legacy release of version 2.0.60 of the Apache HTTP
    Server ("Apache").  This Announcement notes the significant changes in
-   2.0.59 as compared to 2.0.58.  This Announcement2.0 document may also be
+   2.0.60 as compared to 2.0.59.  This Announcement2.0 document may also be
    available in multiple languages at:</p>
 
 <dl>
@@ -28,57 +28,35 @@
 </dl>
 
 <p>This version of Apache is principally a bug and security fix release.
-   The following potential security flaws are addressed;</p>
-
-<p><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747">CVE-2006-3747:</a>
-An off-by-one flaw exists in the Rewrite module, mod_rewrite,
-as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.
+   The following potential security flaws are addressed:
 </p>
 
-<p>Depending on the manner in which Apache HTTP Server was compiled, this software
-defect may result in a vulnerability which, in combination with certain types of
-Rewrite rules in the web server configuration files, could be triggered
-remotely.  For vulnerable builds, the nature of the vulnerability can be denial
-of service (crashing of web server processes) or potentially allow arbitrary
-code execution.  This issue has been rated as having important security impact
-by the Apache HTTP Server Security Team.</p>
-
-<p>This flaw does not affect a default installation of Apache HTTP Server.
-Users who do not use, or have not enabled, the Rewrite module mod_rewrite are
-not affected by this issue.  This issue only affects installations using a
-Rewrite rule with the following characteristics:</p>
- 
-<ul><li>The RewriteRule allows the attacker to control the initial part of
-  the rewritten URL (for example if the substitution URL starts with $1)</li>
-<li>The RewriteRule flags do NOT include any of the following flags:
-  Forbidden (F), Gone (G), or NoEscape (NE).</li></ul>
-
-<p>Please note that ability to exploit this issue is dependent on the
-stack layout for a particular compiled version of mod_rewrite. If the
-compiler used to compile Apache HTTP Server has added padding to the
-stack immediately after the buffer being overwritten, it will not be
-possible to exploit this issue, and Apache HTTP Server will continue
-operating normally.</p>
-
-<p>The Apache HTTP Server project recommends that all users who have
-built Apache from source apply the patch or upgrade to the latest
-level and rebuild.  Providers of Apache-based web servers in
-pre-compiled form will be able to determine if this vulnerability
-applies to their builds.  That determination has no bearing on any
-other builds of Apache HTTP Server, and Apache HTTP Server users are
-urged to exercise caution and apply patches or upgrade unless they
-have specific instructions from the provider of their web server.
-Statements from vendors can be obtained from the US-CERT vulnerability
-note for this issue at:
-<dl>
-<dd>
-<a
-href="http://www.kb.cert.org/vuls/id/395412">http://www.kb.cert.org/vuls/id/395412</a>
-</dd></dl>
-
-<p>The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the
-responsible reporting of this vulnerability.</p>
+<ul>
+<li><a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847">CVE-2007-3847:</a>
+     mod_proxy: Prevent reading past the end of a buffer when parsing
+     date-related headers.  PR 41144.
+</li>
+
+<li><a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1863">CVE-2007-1863:</a>
+     mod_cache: Prevent segmentation fault if a Cache-Control header has
+     no value.
+</li>
+
+<li><a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752">CVE-2006-5752:</a>
+     mod_status: Fix a possible XSS attack against a site with a public
+     server-status page and ExtendedStatus enabled, for browsers which
+     perform charset "detection".  Reported by Stefan Esser.
+</li>
+
+<li><a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304">CVE-2007-3304:</a>
+     prefork, worker MPMs: Ensure that the parent process cannot
+     be forced to kill processes outside its process group. 
+</li>
+</ul>
 
 <p>This release is compatible with modules compiled for 2.0.42 and
    later versions.  We consider this release to be the best version
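Review bot: the CVE-2007-1863 description ("if a Cache-Control header has no value") differs from the 2.2 announcement in this commit ("if attributes are listed in a Cache-Control header without any value"); the same CVE should be described the same way in both. The 1.3 announcement carries the caveat that CVE-2007-3304 depends on running untrusted modules or server-side code; if that holds for 2.0 as well, add it here so readers can judge their exposure. The CVE-2007-3304 line also ends with trailing whitespace after "process group.".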
@@ -86,20 +64,20 @@
    upgrade.</p>
 
 <p>This release includes the Apache Portable Runtime library suite
-   release version 0.9.12, bundled with the tar and zip distributions.
+   release version 0.9.14, bundled with the tar and zip distributions.
    These libraries; libapr, libaprutil, and on Win32, libapriconv must
    all be updated to ensure binary compatibility and address many
    known platform bugs.</p>
 
-<p>Apache HTTP Server 2.0.59 is available for download from</p>
+<p>Apache HTTP Server 2.0.60 is available for download from</p>
 <dl>
   <dd><a href="http://httpd.apache.org/download.cgi"
         >http://httpd.apache.org/download.cgi</a></dd>
 </dl>
 
 <p>Please see the CHANGES_2.0 file, linked from the above page, for
-   a full list of changes.  A condensed list, CHANGES_2.0.59 provides
-   the complete list of changes since 2.0.58.</p>
+   a full list of changes.  A condensed list, CHANGES_2.0.60 provides
+   the complete list of changes since 2.0.59.</p>
    
 <p>Apache 2.0 offers numerous enhancements, improvements, and performance
    boosts over the 1.3 codebase.  For an overview of new features introduced
@@ -125,7 +103,7 @@
 </dl>
 
 <p>We consider Apache 2.2 to be the best available version at the time of
-   this release.  We offer Apache 2.0.59 as the best legacy version of Apache
+   this release.  We offer Apache 2.0.60 as the best legacy version of Apache
    2.0 available. Users should first consider upgrading to the current release
    of Apache 2.2 instead.</p>
 

Modified: httpd/site/trunk/dist/Announcement2.0.txt
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.0.txt?view=diff&rev=563606&r1=563605&r2=563606
==============================================================================
--- httpd/site/trunk/dist/Announcement2.0.txt (original)
+++ httpd/site/trunk/dist/Announcement2.0.txt Tue Aug  7 11:31:12 2007
@@ -1,78 +1,53 @@
-                       Apache HTTP Server 2.0.59 Released
+                       Apache HTTP Server 2.0.60 Released
 
    The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the legacy release of version 2.0.59 of the Apache
+   pleased to announce the legacy release of version 2.0.60 of the Apache
    HTTP Server ("Apache"). This Announcement notes the significant changes in
-   2.0.59 as compared to 2.0.58. This Announcement2.0 document may also be
+   2.0.60 as compared to 2.0.59. This Announcement2.0 document may also be
    available in multiple languages at:
 
            http://www.apache.org/dist/httpd/
 
    This version of Apache is principally a bug and security fix release. The
-   following potential security flaws are addressed;
+   following potential security flaws are addressed:
 
-   CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
-   mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
-   and 2.2 since 2.2.0.
-
-   Depending on the manner in which Apache HTTP Server was compiled, this
-   software defect may result in a vulnerability which, in combination with
-   certain types of Rewrite rules in the web server configuration files,
-   could be triggered remotely. For vulnerable builds, the nature of the
-   vulnerability can be denial of service (crashing of web server processes)
-   or potentially allow arbitrary code execution. This issue has been rated
-   as having important security impact by the Apache HTTP Server Security
-   Team.
-
-   This flaw does not affect a default installation of Apache HTTP Server.
-   Users who do not use, or have not enabled, the Rewrite module mod_rewrite
-   are not affected by this issue. This issue only affects installations
-   using a Rewrite rule with the following characteristics:
-
-     * The RewriteRule allows the attacker to control the initial part of the
-       rewritten URL (for example if the substitution URL starts with $1)
-     * The RewriteRule flags do NOT include any of the following flags:
-       Forbidden (F), Gone (G), or NoEscape (NE).
-
-   Please note that ability to exploit this issue is dependent on the stack
-   layout for a particular compiled version of mod_rewrite. If the compiler
-   used to compile Apache HTTP Server has added padding to the stack
-   immediately after the buffer being overwritten, it will not be possible to
-   exploit this issue, and Apache HTTP Server will continue operating
-   normally.
-
-   The Apache HTTP Server project recommends that all users who have built
-   Apache from source apply the patch or upgrade to the latest level and
-   rebuild. Providers of Apache-based web servers in pre-compiled form will
-   be able to determine if this vulnerability applies to their builds. That
-   determination has no bearing on any other builds of Apache HTTP Server,
-   and Apache HTTP Server users are urged to exercise caution and apply
-   patches or upgrade unless they have specific instructions from the
-   provider of their web server. Statements from vendors can be obtained from
-   the US-CERT vulnerability note for this issue at:
+     * CVE-2007-3847 (cve.mitre.org)
+       mod_proxy: Prevent reading past the end of a buffer when parsing
+       date-related headers.  PR 41144.
+
+    * CVE-2007-1863 (cve.mitre.org)
+       mod_cache: Prevent segmentation fault if a Cache-Control header has
+       no value.
+
+    * CVE-2006-5752 (cve.mitre.org)
+       mod_status: Fix a possible XSS attack against a site with a public
+      server-status page and ExtendedStatus enabled, for browsers which
+       perform charset "detection".  Reported by Stefan Esser.
+
+    * CVE-2007-3304 (cve.mitre.org)
+       prefork, worker MPMs: Ensure that the parent process cannot
+       be forced to kill processes outside its process group. 
 
-           http://www.kb.cert.org/vuls/id/395412
-
-   The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for
-   the responsible reporting of this vulnerability.
+   Please see the CHANGES_2.0.60 file in this directory for a full list
+   of changes for this version.
 
    This release is compatible with modules compiled for 2.0.42 and later
    versions. We consider this release to be the best version of Apache
    available and encourage users of all prior versions to upgrade.
 
    This release includes the Apache Portable Runtime library suite release
-   version 0.9.12, bundled with the tar and zip distributions. These
+   version 0.9.14, bundled with the tar and zip distributions. These
    libraries; libapr, libaprutil, and on Win32, libapriconv must all be
    updated to ensure binary compatibility and address many known platform
    bugs.
 
-   Apache HTTP Server 2.0.59 is available for download from
+   Apache HTTP Server 2.0.60 is available for download from
 
            http://httpd.apache.org/download.cgi
 
    Please see the CHANGES_2.0 file, linked from the above page, for a full
-   list of changes. A condensed list, CHANGES_2.0.59 provides the complete
-   list of changes since 2.0.58.
+   list of changes. A condensed list, CHANGES_2.0.60 provides the complete
+   list of changes since 2.0.59.
 
    Apache 2.0 offers numerous enhancements, improvements, and performance
    boosts over the 1.3 codebase. For an overview of new features introduced
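Review bot: bullet indentation in the new list is inconsistent: the CVE-2007-3847 bullet is indented five spaces but the three following bullets four, and the "server-status page" continuation line under CVE-2006-5752 is one space short of its neighbours; align everything to the first bullet. The CVE-2007-3304 entry also ends with trailing whitespace after "process group.".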
@@ -93,7 +68,7 @@
            http://httpd.apache.org/docs/2.2/new_features_2_2.html
 
    We consider Apache 2.2 to be the best available version at the time of
-   this release. We offer Apache 2.0.59 as the best legacy version of Apache
+   this release. We offer Apache 2.0.60 as the best legacy version of Apache
    2.0 available. Users should first consider upgrading to the current
    release of Apache 2.2 instead.
 

Modified: httpd/site/trunk/dist/Announcement2.2.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.2.html?view=diff&rev=563606&r1=563605&r2=563606
==============================================================================
--- httpd/site/trunk/dist/Announcement2.2.html (original)
+++ httpd/site/trunk/dist/Announcement2.2.html Tue Aug  7 11:31:12 2007
@@ -14,20 +14,54 @@
 >
 <img src="../../images/apache_sub.gif" alt="">
 
-<h1>Apache HTTP Server 2.2.4 Released</h1>
+<h1>Apache HTTP Server 2.2.5 Released</h1>
 
-<p>
-The Apache Software Foundation and the Apache HTTP Server Project are
-pleased to announce the release of version 2.2.4 of the Apache HTTP Server
-("Apache").  This version of Apache is principally a bugfix release.
+<p>The Apache Software Foundation and the Apache HTTP Server Project are
+pleased to announce the release of version 2.2.5 of the Apache HTTP Server
+("Apache").</p>
+
+<p>This version of Apache is principally a bug and security fix release.
+   The following potential security flaws are addressed:
 </p>
 
+<ul>
+<li><a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847">CVE-2007-3847:</a>
+     mod_proxy: Prevent reading past the end of a buffer when parsing
+     date-related headers.  PR 41144.
+</li>
+
+<li><a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1863">CVE-2007-1863:</a>
+     mod_cache: Prevent a segmentation fault if attributes are listed in a 
+     Cache-Control header without any value. 
+</li>
+
+<li><a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304">CVE-2007-3304:</a>
+     prefork, worker, event MPMs: Ensure that the parent process cannot
+     be forced to kill processes outside its process group. 
+</li>
+<li><a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752">CVE-2006-5752:</a>
+     mod_status: Fix a possible XSS attack against a site with a public
+     server-status page and ExtendedStatus enabled, for browsers which
+     perform charset "detection".  Reported by Stefan Esser.
+</li>
+
+<li><a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1862">CVE-2006-1862:</a>
+     mod_mem_cache: Copy headers into longer lived storage; header names and
+     values could previously point to cleaned up storage.  PR 41551.
+</li>
+</ul>
+
 <p>
 We consider this release to be the best version of Apache available, and
 encourage users of all prior versions to upgrade.
 </p>
 
-<p>Apache HTTP Server 2.2.4 is available for download from:</p>
+<p>Apache HTTP Server 2.2.5 is available for download from:</p>
 <dl>
   <dd><a href="http://httpd.apache.org/download.cgi"
               >http://httpd.apache.org/download.cgi</a></dd>
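Review bot: the last list item's href points to CVE-2007-1862 but the visible link text reads "CVE-2006-1862:"; the .txt version in this commit and the href both say CVE-2007-1862, so fix the link text before this goes out, since readers will search on the printed identifier. Also: the CVE-2007-3304 and CVE-2006-5752 <li> elements lack the blank line that separates the other items, and several new lines carry trailing whitespace ("without any value. ", "process group. ").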
@@ -46,8 +80,9 @@
 
 <p>
 Please see the CHANGES_2.2 file, linked from the download page, for a
-full list of changes.  A summary of security vulnerabilities which were 
-addressed in the previous 2.2.3 and earlier releases is available:
+full list of changes.  A condensed list, CHANGES_2.2.5 provides the
+complete list of changes since 2.2.4. A summary of security vulnerabilities
+which were  addressed in the previous 2.2.4 and earlier releases is available:
 <dl>
   <dd><a href="http://httpd.apache.org/security/vulnerabilities_22.html"
               >http://httpd.apache.org/security/vulnerabilities_22.html</a>
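Review bot: "which were  addressed" has a doubled space, and "A condensed list, CHANGES_2.2.5 provides" needs a comma after CHANGES_2.2.5 (or the one before it dropped). The <dl> still sits inside the open <p>, which is not valid HTML, though that predates this change.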
@@ -55,7 +90,7 @@
 </p>
 
 <p>
-Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also currently
+Apache HTTP Server 1.3.38 and 2.0.60 legacy releases are also currently
 available.  See the corresponding CHANGES files linked from the download page.
 The Apache HTTP Project developers strongly encourage all users to migrate 
 to  Apache 2.2, as only limited maintenance is performed for these legacy 
@@ -64,7 +99,7 @@
 
 <p>
 This release includes the <a href="http://apr.apache.org/"
->Apache Portable Runtime</a> (APR) version 1.2.8
+>Apache Portable Runtime</a> (APR) version 1.2.9
 bundled with the tar and zip distributions.  The APR libraries libapr and
 libaprutil (and on Win32, libapriconv) must all be updated to ensure
 binary compatibility and address many known platform bugs.

Modified: httpd/site/trunk/dist/Announcement2.2.txt
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.2.txt?view=diff&rev=563606&r1=563605&r2=563606
==============================================================================
--- httpd/site/trunk/dist/Announcement2.2.txt (original)
+++ httpd/site/trunk/dist/Announcement2.2.txt Tue Aug  7 11:31:12 2007
@@ -2,12 +2,34 @@
 
    The Apache Software Foundation and the Apache HTTP Server Project are
    pleased to announce the release of version 2.2.4 of the Apache HTTP Server
-   ("Apache").  This version of Apache is principally a bugfix release.
+   ("Apache").  This version of Apache is principally a bug and security fix
+   release. The following potential security flaws are addressed:
+
+     * CVE-2007-3847 (cve.mitre.org)
+       mod_proxy: Prevent reading past the end of a buffer when parsing
+       date-related headers.  PR 41144.
+
+     * CVE-2007-1863 (cve.mitre.org)
+       mod_cache: Prevent a segmentation fault if attributes are listed in a 
+       Cache-Control header without any value. 
+
+     * CVE-2007-3304 (cve.mitre.org)
+       prefork, worker, event MPMs: Ensure that the parent process cannot
+       be forced to kill processes outside its process group. 
+
+     * CVE-2006-5752 (cve.mitre.org)
+       mod_status: Fix a possible XSS attack against a site with a public
+       server-status page and ExtendedStatus enabled, for browsers which
+       perform charset "detection".  Reported by Stefan Esser.
+
+     * CVE-2007-1862 (cve.mitre.org)
+       mod_mem_cache: Copy headers into longer lived storage; header names and
+       values could previously point to cleaned up storage.  PR 41551.
 
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.
 
-   Apache HTTP Server 2.2.4 is available for download from:
+   Apache HTTP Server 2.2.5 is available for download from:
 
      http://httpd.apache.org/download.cgi
 
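Review bot: the unchanged first paragraph still announces "the release of version 2.2.4 of the Apache HTTP Server" while the download line below is bumped to 2.2.5; that version needs bumping too (the HTML counterpart in this commit already says 2.2.5). The "Cache-Control header without any value. " and "process group. " lines also carry trailing whitespace.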
@@ -17,20 +39,22 @@
 
      http://httpd.apache.org/docs/2.2/new_features_2_2.html
 
-   Please see the CHANGES_2.2 file, linked from the download page, for 
-   a full list of changes.  A summary of security vulnerabilities which
-   were addressed in the previous 2.2.3 and earlier releases is available:
-
+   Please see the CHANGES_2.2 file, linked from the download page, for a
+   full list of changes.  A condensed list, CHANGES_2.2.5 provides the
+   complete list of changes since 2.2.4. A summary of security vulnerabilities
+   which were addressed in the previous 2.2.4 and earlier releases is
+   available:
+   
      http://httpd.apache.org/security/vulnerabilities_22.html
 
-   Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also currently 
+   Apache HTTP Server 1.3.38 and 2.0.60 legacy releases are also currently 
    available.  See the appropriate CHANGES from the url above.  See the 
    corresponding CHANGES files linked from the download page.  The Apache 
    HTTP Project developers strongly encourage all users to migrate to 
    Apache 2.2, as only limited maintenance is performed on these legacy 
    versions.
 
-   This release includes the Apache Portable Runtime (APR) version 1.2.8
+   This release includes the Apache Portable Runtime (APR) version 1.2.9
    bundled with the tar and zip distributions.  The APR libraries libapr
    and libaprutil (and on Win32, libapriconv) must all be updated to ensure
    binary compatibility and address many known platform bugs.
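Review bot: the added line after "available:" is whitespace only ("+   "); make it an empty line. The unchanged context also says the same thing twice, "See the appropriate CHANGES from the url above. See the corresponding CHANGES files linked from the download page.", and is worth trimming while the paragraph is being edited.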

Modified: httpd/site/trunk/dist/README.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/README.html?view=diff&rev=563606&r1=563605&r2=563606
==============================================================================
--- httpd/site/trunk/dist/README.html (original)
+++ httpd/site/trunk/dist/README.html Tue Aug  7 11:31:12 2007
@@ -46,13 +46,13 @@
 
 <pre>
 % pgpk -a KEYS
-% pgpv httpd-2.2.3.tar.gz.asc
+% pgpv httpd-2.2.5.tar.gz.asc
 <i>or</i>,
 % pgp -ka KEYS
-% pgp httpd-2.2.3.tar.gz.asc
+% pgp httpd-2.2.5.tar.gz.asc
 <i>or</i>,
 % gpg --import KEYS
-% gpg --verify httpd-2.2.3.tar.gz.asc
+% gpg --verify httpd-2.2.5.tar.gz.asc
 </pre>
 
 <p>We offer MD5 hashes as an alternative to validate the integrity