You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by pq...@apache.org on 2005/09/09 03:02:50 UTC

svn commit: r279681 - in /httpd/httpd/dist: Announcement21.html Announcement21.txt

Author: pquerna
Date: Thu Sep  8 18:02:48 2005
New Revision: 279681

URL: http://svn.apache.org/viewcvs?rev=279681&view=rev
Log:
Remove the security bits from 2.1.6.

Modified:
    httpd/httpd/dist/Announcement21.html
    httpd/httpd/dist/Announcement21.txt

Modified: httpd/httpd/dist/Announcement21.html
URL: http://svn.apache.org/viewcvs/httpd/httpd/dist/Announcement21.html?rev=279681&r1=279680&r2=279681&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement21.html (original)
+++ httpd/httpd/dist/Announcement21.html Thu Sep  8 18:02:48 2005
@@ -21,22 +21,6 @@
    HTTP Server ("Apache").  This beta release should not be presumed to 
    be compatible with binaries built against any prior or future version.</p>
 
-<p>The 2.1.7-beta release addresses a security vulnerability present
-   in all previous 2.x versions.  This fault did not affect Apache 1.3.x 
-   (which did not proxy keepalives or chunked transfer encoding);
-   <dl>
-     <dd>
-       Proxy HTTP: If a response contains both Transfer-Encoding 
-       and a Content-Length, remove the Content-Length to eliminate 
-       an HTTP Request Smuggling vulnerability and don't reuse the
-       connection, stopping some HTTP Request Spoofing attacks.
-     </dd>
-   </dl>
-
-<p>The Apache HTTP Server Project thanks the Watchfire team of Linhart,
-   Klein, Heled and Orrin for the responsible notification and disclosure 
-   of this information.</p>
-
 <p>Apache HTTP Server 2.1.7-beta is available for download from:</p>
 <dl>
   <dd><a href="http://httpd.apache.org/download.cgi">http://httpd.apache.org/download.cgi</a></dd>

Modified: httpd/httpd/dist/Announcement21.txt
URL: http://svn.apache.org/viewcvs/httpd/httpd/dist/Announcement21.txt?rev=279681&r1=279680&r2=279681&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement21.txt (original)
+++ httpd/httpd/dist/Announcement21.txt Thu Sep  8 18:02:48 2005
@@ -5,19 +5,6 @@
    HTTP Server ("Apache"). This beta release should not be presumed to 
    be compatible with binaries built against any prior or future version.
 
-   The 2.1.7-beta release addresses a security vulnerability present
-   in all previous 2.x versions.  This fault did not affect Apache 1.3.x 
-   (which did not proxy keepalives or chunked transfer encoding);
-
-       Proxy HTTP: If a response contains both Transfer-Encoding 
-       and a Content-Length, remove the Content-Length to eliminate 
-       an HTTP Request Smuggling vulnerability and don't reuse the
-       connection, stopping some HTTP Request Spoofing attacks.
-
-   The Apache HTTP Server Project thanks the Watchfire team of Linhart,
-   Klein, Heled and Orrin for the responsible notification and disclosure 
-   of this information.
-
    Apache HTTP Server 2.1.7-beta is available for download from:
 
        http://httpd.apache.org/download.cgi