Posted to cvs@httpd.apache.org by ji...@apache.org on 2002/03/21 17:59:13 UTC
cvs commit: apache-1.3/src/include httpd.h
jim 02/03/21 08:59:13
Modified: . Announcement
src/include httpd.h
Log:
ready to tag 1.3.24
Revision Changes Path
1.83 +14 -8 apache-1.3/Announcement
Index: Announcement
===================================================================
RCS file: /home/cvs/apache-1.3/Announcement,v
retrieving revision 1.82
retrieving revision 1.83
diff -u -r1.82 -r1.83
--- Announcement 19 Mar 2002 20:04:37 -0000 1.82
+++ Announcement 21 Mar 2002 16:59:12 -0000 1.83
@@ -3,15 +3,19 @@
The Apache Software Foundation and The Apache Server Project are
pleased to announce the release of version 1.3.24 of the Apache HTTP
- server. This Announcement notes the significant changes in 1.3.24.
+ server. This Announcement notes the significant changes in 1.3.24.
- This version of Apache is principally a bug fix release. A summary of
- the bug fixes and major new features is given at the end of this
- document.
+ This version of Apache is principally a security and bug fix release.
+ A summary of the bug fixes and major new features is given at the end
+ of this document. Of particular note is that 1.3.24 addresses and
+ fixes the issues noted in CAN-2002-0061 (mitre.org) regarding escaping
+ of command line args on Win32. We would like to thank Ory Segal
+ <OR...@SANCTUMINC.COM> for discovering and reporting the
+ vulnerability.
We consider Apache 1.3.24 to be the best version of Apache available
and we strongly recommend that users of older versions, especially of
- the 1.1.x and 1.2.x family, upgrade as soon as possible. No further
+ the 1.1.x and 1.2.x family, upgrade as soon as possible. No further
releases will be made in the 1.2.x family.
Apache 1.3.24 is available for download from
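Review bot: In the added paragraph beginning "Of particular note", the reference "CAN-2002-0061 (mitre.org)" names a site rather than a location a reader can follow, and the text gives Win32 administrators no direction beyond the general upgrade recommendation that follows it. Suggest giving the full reference for the candidate entry and stating explicitly that Win32 users of earlier versions should upgrade. The two -/+ pairs at "server. This Announcement notes" and "the 1.1.x and 1.2.x family" look like whitespace-only changes; keeping them out of the commit that introduces the security notice would make the substantive change easier to audit.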
@@ -31,7 +35,7 @@
http://www.apache.org/mirrors/
As of Apache 1.3.17, Win32 binary distributions are now based on the
- Microsoft Installer (.MSI) technology. This change occurred in order to
+ Microsoft Installer (.MSI) technology. This change occurred in order to
resolve the many problems WinME and Win2K users experienced with the
older InstallShield-based installer.exe file. While development
continues to make this new installation method more robust, questions
@@ -61,15 +65,17 @@
variants.
IMPORTANT NOTE FOR WIN32 USERS: Over the years, many users have come
- to trust Apache as a secure and stable server. It must be realized
+ to trust Apache as a secure and stable server. It must be realized
that the current Win32 code has not yet reached the levels of the Unix
- version, but is of acceptable quality. Win32 stability or security
+ version, but is of acceptable quality. Win32 stability or security
problems do not reflect on the Unix version.
Apache 1.3.24 Major changes
Security vulnerabilities
+ * Fix the security vulnerability noted in CAN-2002-0061 (mitre.org)
+ regarding the escaping of command line args on Win32.
* Prevent invalid client hostnames from appearing in the log file.
New features
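Review bot: The new bullet under "Security vulnerabilities" repeats the CAN-2002-0061 reference but does not say which part of the server is affected or what the impact is, so a Win32 administrator reading only the change list cannot judge urgency. Suggest adding one clause that names the affected functionality and the impact. The bullet also sits just below the note that the Win32 code "has not yet reached the levels of the Unix version"; a pointer from that note to this fix would help Win32 readers connect the two.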
1.356 +1 -1 apache-1.3/src/include/httpd.h
Index: httpd.h
===================================================================
RCS file: /home/cvs/apache-1.3/src/include/httpd.h,v
retrieving revision 1.355
retrieving revision 1.356
diff -u -r1.355 -r1.356
--- httpd.h 21 Mar 2002 16:01:31 -0000 1.355
+++ httpd.h 21 Mar 2002 16:59:13 -0000 1.356
@@ -436,7 +436,7 @@
#define SERVER_BASEVENDOR "Apache Group"
#define SERVER_BASEPRODUCT "Apache"
-#define SERVER_BASEREVISION "1.3.24-dev"
+#define SERVER_BASEREVISION "1.3.24"
#define SERVER_BASEVERSION SERVER_BASEPRODUCT "/" SERVER_BASEREVISION
#define SERVER_PRODUCT SERVER_BASEPRODUCT
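Review bot: With SERVER_BASEREVISION changed from "1.3.24-dev" to "1.3.24", every build made from this tree after the tag reports the same SERVER_BASEVERSION as the release until the string is changed again. Suggest following the tag immediately with a commit that moves the revision to the next -dev value, so that a version string seen in the field can be mapped to released code when checking whether a host carries the CAN-2002-0061 fix.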
Re: cvs commit: apache-1.3/src/include httpd.h
Posted by Cliff Woolley <jw...@virginia.edu>.
On 21 Mar 2002 jim@apache.org wrote:
> + This version of Apache is principally a security and bug fix release.
> + A summary of the bug fixes and major new features is given at the end
> + of this document. Of particular note is that 1.3.24 addresses and
> + fixes the issues noted in CAN-2002-0061 (mitre.org) regarding escaping
> + of command line args on Win32. We would like to thank Ory Segal
> + <OR...@SANCTUMINC.COM> for discovering and reporting the
> + vulnerability.
In hindsight, it would have been nice if we had credited Owen Cliffe
<oc...@cs.bath.ac.uk> with reporting the mod_include issue somewhere
CHANGES? Announcement?.
Too late I guess. :(
--------------------------------------------------------------
Cliff Woolley
cliffwoolley@yahoo.com
Charlottesville, VA