Posted to cvs@httpd.apache.org by ji...@apache.org on 2002/03/21 17:59:13 UTC

cvs commit: apache-1.3/src/include httpd.h

jim         02/03/21 08:59:13

  Modified:    .        Announcement
               src/include httpd.h
  Log:
  ready to tag 1.3.24
  
  Revision  Changes    Path
  1.83      +14 -8     apache-1.3/Announcement
  
  Index: Announcement
  ===================================================================
  RCS file: /home/cvs/apache-1.3/Announcement,v
  retrieving revision 1.82
  retrieving revision 1.83
  diff -u -r1.82 -r1.83
  --- Announcement	19 Mar 2002 20:04:37 -0000	1.82
  +++ Announcement	21 Mar 2002 16:59:12 -0000	1.83
  @@ -3,15 +3,19 @@
   
      The Apache Software Foundation and The Apache Server Project are
      pleased to announce the release of version 1.3.24 of the Apache HTTP
  -   server. This Announcement notes the significant changes in 1.3.24.
  +   server.  This Announcement notes the significant changes in 1.3.24.
   
  -   This version of Apache is principally a bug fix release.  A summary of
  -   the bug fixes and major new features is given at the end of this
  -   document.
  +   This version of Apache is principally a security and bug fix release.
  +   A summary of the bug fixes and major new features is given at the end
  +   of this document.  Of particular note is that 1.3.24 addresses and
  +   fixes the issues noted in CAN-2002-0061 (mitre.org) regarding escaping
  +   of command line args on Win32.  We would like to thank Ory Segal
  +   <OR...@SANCTUMINC.COM> for discovering and reporting the
  +   vulnerability.
   
      We consider Apache 1.3.24 to be the best version of Apache available
      and we strongly recommend that users of older versions, especially of
  -   the 1.1.x and 1.2.x family, upgrade as soon as possible. No further
  +   the 1.1.x and 1.2.x family, upgrade as soon as possible.  No further
      releases will be made in the 1.2.x family.
   
      Apache 1.3.24 is available for download from
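Review bot: the added paragraph calls 1.3.24 a security release and names CAN-2002-0061, but the upgrade recommendation just below it still singles out only the 1.1.x and 1.2.x families, so a Win32 administrator on an earlier 1.3 release is never told directly to upgrade. Suggest adding a sentence to the new paragraph saying that Win32 users of earlier releases should upgrade because of this fix. Separately, "addresses and fixes the issues" is redundant; "fixes the issue" says the same thing.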
  @@ -31,7 +35,7 @@
          http://www.apache.org/mirrors/
   
      As of Apache 1.3.17, Win32 binary distributions are now based on the
  -   Microsoft Installer (.MSI) technology. This change occurred in order to
  +   Microsoft Installer (.MSI) technology.  This change occurred in order to
      resolve the many problems WinME and Win2K users experienced with the
      older InstallShield-based installer.exe file.  While development
      continues to make this new installation method more robust, questions
  @@ -61,15 +65,17 @@
      variants.
   
      IMPORTANT NOTE FOR WIN32 USERS: Over the years, many users have come
  -   to trust Apache as a secure and stable server. It must be realized
  +   to trust Apache as a secure and stable server.  It must be realized
      that the current Win32 code has not yet reached the levels of the Unix
  -   version, but is of acceptable quality. Win32 stability or security
  +   version, but is of acceptable quality.  Win32 stability or security
      problems do not reflect on the Unix version.
   
                        Apache 1.3.24 Major changes
   
     Security vulnerabilities
   
  +     * Fix the security vulnerability noted in CAN-2002-0061 (mitre.org)
  +       regarding the escaping of command line args on Win32.
        * Prevent invalid client hostnames from appearing in the log file.
   
     New features
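Review bot: the new bullet under "Security vulnerabilities" cites CAN-2002-0061 only as "(mitre.org)", with no URL, while the mirror reference elsewhere in the Announcement is a full link; give the full advisory URL so readers can go straight to the entry. Since the fix is Win32-specific, the "IMPORTANT NOTE FOR WIN32 USERS" paragraph, which this hunk changes only for spacing, would also be a natural place to point Win32 administrators at this bullet.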
  
  
  
  1.356     +1 -1      apache-1.3/src/include/httpd.h
  
  Index: httpd.h
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/include/httpd.h,v
  retrieving revision 1.355
  retrieving revision 1.356
  diff -u -r1.355 -r1.356
  --- httpd.h	21 Mar 2002 16:01:31 -0000	1.355
  +++ httpd.h	21 Mar 2002 16:59:13 -0000	1.356
  @@ -436,7 +436,7 @@
   
   #define SERVER_BASEVENDOR   "Apache Group"
   #define SERVER_BASEPRODUCT  "Apache"
  -#define SERVER_BASEREVISION "1.3.24-dev"
  +#define SERVER_BASEREVISION "1.3.24"
   #define SERVER_BASEVERSION  SERVER_BASEPRODUCT "/" SERVER_BASEREVISION
   
   #define SERVER_PRODUCT  SERVER_BASEPRODUCT
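Review bot: with SERVER_BASEREVISION set to "1.3.24" and no "-dev" suffix, every build made from this tree after the tag will identify itself as the release through SERVER_BASEVERSION. Move the define to the next "-dev" string in the first commit after tagging, so that unreleased builds stay distinguishable in server banners and in bug or vulnerability reports.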
  
  
  

Re: cvs commit: apache-1.3/src/include httpd.h

Posted by Cliff Woolley <jw...@virginia.edu>.
On 21 Mar 2002 jim@apache.org wrote:

>   +   This version of Apache is principally a security and bug fix release.
>   +   A summary of the bug fixes and major new features is given at the end
>   +   of this document.  Of particular note is that 1.3.24 addresses and
>   +   fixes the issues noted in CAN-2002-0061 (mitre.org) regarding escaping
>   +   of command line args on Win32.  We would like to thank Ory Segal
>   +   <OR...@SANCTUMINC.COM> for discovering and reporting the
>   +   vulnerability.

In hindsight, it would have been nice if we had credited Owen Cliffe
<oc...@cs.bath.ac.uk> with reporting the mod_include issue somewhere.
CHANGES?  Announcement?

Too late I guess.  :(


--------------------------------------------------------------
   Cliff Woolley
   cliffwoolley@yahoo.com
   Charlottesville, VA