Posted to cvs@httpd.apache.org by pq...@apache.org on 2005/09/09 03:02:50 UTC
svn commit: r279681 - in /httpd/httpd/dist: Announcement21.html Announcement21.txt
Author: pquerna
Date: Thu Sep 8 18:02:48 2005
New Revision: 279681
URL: http://svn.apache.org/viewcvs?rev=279681&view=rev
Log:
Remove the security bits from 2.1.6.
Modified:
httpd/httpd/dist/Announcement21.html
httpd/httpd/dist/Announcement21.txt
Modified: httpd/httpd/dist/Announcement21.html
URL: http://svn.apache.org/viewcvs/httpd/httpd/dist/Announcement21.html?rev=279681&r1=279680&r2=279681&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement21.html (original)
+++ httpd/httpd/dist/Announcement21.html Thu Sep 8 18:02:48 2005
@@ -21,22 +21,6 @@
HTTP Server ("Apache"). This beta release should not be presumed to
be compatible with binaries built against any prior or future version.</p>
-<p>The 2.1.7-beta release addresses a security vulnerability present
- in all previous 2.x versions. This fault did not affect Apache 1.3.x
- (which did not proxy keepalives or chunked transfer encoding);
- <dl>
- <dd>
- Proxy HTTP: If a response contains both Transfer-Encoding
- and a Content-Length, remove the Content-Length to eliminate
- an HTTP Request Smuggling vulnerability and don't reuse the
- connection, stopping some HTTP Request Spoofing attacks.
- </dd>
- </dl>
-
-<p>The Apache HTTP Server Project thanks the Watchfire team of Linhart,
- Klein, Heled and Orrin for the responsible notification and disclosure
- of this information.</p>
-
<p>Apache HTTP Server 2.1.7-beta is available for download from:</p>
<dl>
<dd><a href="http://httpd.apache.org/download.cgi">http://httpd.apache.org/download.cgi</a></dd>
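Review bot: The log message says the security text is removed "from 2.1.6", but every removed line in this hunk that names a release, and the context line that remains ("Apache HTTP Server 2.1.7-beta is available for download from:"), says 2.1.7-beta. Please state in the log which release this announcement covers and why the paragraph no longer applies, so that a reader comparing r279680 and r279681 can tell whether the proxy handling of a response carrying both Transfer-Encoding and Content-Length is absent from this release or only undocumented here.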
Modified: httpd/httpd/dist/Announcement21.txt
URL: http://svn.apache.org/viewcvs/httpd/httpd/dist/Announcement21.txt?rev=279681&r1=279680&r2=279681&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement21.txt (original)
+++ httpd/httpd/dist/Announcement21.txt Thu Sep 8 18:02:48 2005
@@ -5,19 +5,6 @@
HTTP Server ("Apache"). This beta release should not be presumed to
be compatible with binaries built against any prior or future version.
- The 2.1.7-beta release addresses a security vulnerability present
- in all previous 2.x versions. This fault did not affect Apache 1.3.x
- (which did not proxy keepalives or chunked transfer encoding);
-
- Proxy HTTP: If a response contains both Transfer-Encoding
- and a Content-Length, remove the Content-Length to eliminate
- an HTTP Request Smuggling vulnerability and don't reuse the
- connection, stopping some HTTP Request Spoofing attacks.
-
- The Apache HTTP Server Project thanks the Watchfire team of Linhart,
- Klein, Heled and Orrin for the responsible notification and disclosure
- of this information.
-
Apache HTTP Server 2.1.7-beta is available for download from:
http://httpd.apache.org/download.cgi
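Review bot: The Watchfire acknowledgement (the last removed paragraph of this hunk) is deleted together with the vulnerability description, and nothing in the text that remains points to where either is now recorded. If the credit and the description of the proxy behaviour belong in another release's announcement, name that announcement in the log message, so that the removal here and the matching one in Announcement21.html can be traced to where the text went.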