You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by bu...@apache.org on 2012/05/06 16:18:10 UTC
svn commit: r816029 [19/23] - in /websites/staging/httpd/trunk/content: ./
apreq/ apreq/docs/ apreq/docs/libapreq2/ contributors/ css/ dev/
dev/images/ dev/whiteboard/ docs-project/ docs/ images/ info/
info/css-security/ library/ mod_fcgid/ mod_ftp/ mo...
Added: websites/staging/httpd/trunk/content/library/index.html
==============================================================================
--- websites/staging/httpd/trunk/content/library/index.html (added)
+++ websites/staging/httpd/trunk/content/library/index.html Sun May 6 14:18:02 2012
@@ -0,0 +1,71 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<HTML>
+<HEAD>
+<TITLE>Apache Project Library</TITLE>
+</HEAD>
+
+<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
+<BODY
+ BGCOLOR="#FFFFFF"
+ TEXT="#000000"
+ LINK="#0000FF"
+ VLINK="#000080"
+ ALINK="#FF0000"
+>
+<IMG SRC="../images/apache_sub.gif" ALT="">
+<H1>Apache Project Library</H1>
+
+<HR>
+
+<H3>Organisations and Working Groups</H3>
+<UL>
+ <LI><STRONG>Web Organisations</STRONG></LI>
+ <UL>
+ <LI><A HREF="http://www.w3.org/">World Wide Web Consortium</A> (W3C)</LI>
+ </UL>
+ <LI><STRONG>IETF Working Groups</STRONG></LI>
+ <UL>
+ <LI><A HREF="http://www.ics.uci.edu/pub/ietf/http/">HTTP</A></LI>
+ <LI><A HREF="http://www.ietf.org/html.charters/OLD/wts-charter.html">Web Transaction Security</A></LI>
+ <LI><A HREF="http://www.ics.uci.edu/pub/ietf/webdav/">WebDAV (HTTP Distributed Authoring and Versioning)</A></LI>
+ <LI><A HREF="http://www.ics.uci.edu/pub/ietf/dasl/">DASL (DAV Searching & Locating)</A></LI>
+ <LI><A HREF="http://www.ics.uci.edu/pub/ietf/html/">HTML</A></LI>
+ <LI><A HREF="http://www.ics.uci.edu/pub/ietf/uri/">URI</A></LI>
+ </UL>
+</UL>
+
+
+<H3>Protocol Specs and Related Info</H3>
+<UL>
+ <LI><STRONG><A HREF="http://www.w3.org/pub/WWW/Protocols/">Hypertext Transfer Protocol</A> (HTTP)</STRONG></LI>
+ <UL>
+ <LI><A HREF="http://www.w3.org/pub/WWW/Protocols/rfc1945/rfc1945">RFC1945: HTTP 1.0</A> (Deprecated Standard)</LI>
+ <LI><A HREF="http://www.w3.org/pub/WWW/Protocols/rfc2068/rfc2068">RFC2068: HTTP 1.1</A> (Proposed Standard)</LI>
+ <LI><A HREF="http://www.ics.uci.edu/pub/ietf/uri/rfc2396.txt">RFC2396: Uniform Resource Identifiers</A> (Draft Standard)</LI>
+ </UL>
+ <LI><STRONG><A HREF="http://www.w3.org/MarkUp/">Hypertext Markup Language</A> (HTML)</STRONG></LI>
+ <UL>
+ <LI><A HREF="http://www.ics.uci.edu/pub/ietf/html/rfc1866.txt">RFC1866: HTML 2.0</A></LI>
+ <LI><A HREF="http://www.w3.org/TR/REC-html32.html">Reference Spec: HTML 3.2</A></LI>
+ <LI><A HREF="http://www.w3.org/TR/REC-html40/">Reference Spec: HTML 4.0</A></LI>
+ </UL>
+ <LI><STRONG><A HREF="http://www.webreference.com/index2.html">Related Stuff</A></STRONG></LI>
+ <UL>
+ <LI><A HREF="http://hoohoo.ncsa.uiuc.edu/cgi/">Common Gateway Interface - CGI/1.1</A></LI>
+ <LI><A HREF="ftp://ftp.iana.org/in-notes/iana/assignments/media-types/">Internet media types</A></LI>
+ <LI><A HREF="http://www.w3.org/Daemon/User/Config/Logging.html">Logging in CERN httpd</A></LI>
+ </UL>
+</UL>
+
+<H3>Frequently Asked Questions (FAQs)</H3>
+<UL>
+<LI><A HREF="http://web.superb.net/FAQ/">FAQ Finder</A></LI>
+<LI><A HREF="http://www.boutell.com/faq/">World Wide Web FAQ</A></LI>
+</UL>
+
+
+<HR>
+
+<A HREF="../"><IMG SRC="../images/apache_home.gif" ALT="Home"></A>
+</BODY>
+</HTML>
Added: websites/staging/httpd/trunk/content/lists.html
==============================================================================
--- websites/staging/httpd/trunk/content/lists.html (added)
+++ websites/staging/httpd/trunk/content/lists.html Sun May 6 14:18:02 2012
@@ -0,0 +1,385 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+ <link href="/css/apsite.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
+ <meta name="author" content="Documentation Group" /><meta name="email" content="docs@httpd.apache.org" />
+ <title>Welcome! - The Apache HTTP Server Project</title>
+ </head>
+ <body>
+
+ <div id="page-header">
+ <p class="menu"> </p>
+ <p class="apache"> </p>
+ <a href="/">
+ <img alt="" width="800" height="72" src="/images/httpd_logo_wide_new.png" border="0" />
+ </a>
+ </div>
+
+
+ <!-- LEFT SIDE NAVIGATION -->
+ <div id="apmenu">
+
+ <div class="codehilite"><pre> <span class="c"># Essentials</span>
+</pre></div>
+
+
+<ul>
+<li><a href="ABOUT_APACHE.html">About</a></li>
+<li><a href="http://www.apache.org/licenses/">License</a></li>
+<li><a href="http://wiki.apache.org/httpd/FAQ">FAQ</a></li>
+<li><a href="/security_report.html">Secutiry Reports</a></li>
+</ul>
+<h1 id="download">Download!</h1>
+<ul>
+<li><a href="/download.cgi">From a Mirror</a></li>
+</ul>
+<h1 id="documentation">Documentation</h1>
+<ul>
+<li><a href="/docs/2.4/">Version 2.4</a></li>
+<li><a href="/docs/2.2/">Version 2.2</a></li>
+<li><a href="/docs/2.0/">Version 2.0</a></li>
+<li><a href="/docs/trunk/">Trunk (dev)</a></li>
+</ul>
+<h1 id="get-support">Get Support</h1>
+<ul>
+<li><a href="/support.html">Support</a></li>
+</ul>
+<h1 id="get-involved">Get Involved</h1>
+<ul>
+<li><a href="/lists.html">Mailing Lists</a></li>
+<li><a href="/bug_report.html">Bug Reports</a></li>
+<li><a href="/dev/">Developer Info</a></li>
+</ul>
+<h1 id="subprojects">Subprojects</h1>
+<ul>
+<li><a href="/docs-project/">Docs</a></li>
+<li><a href="/test/">Test</a></li>
+<li><a href="/test/flood/">Flood</a></li>
+<li><a href="/apreq/">libapreq</a></li>
+<li><a href="/modules">Modules</a></li>
+<li><a href="/mod_fcgid/">mod_fcgid</a></li>
+<li><a href="/mod_ftp/">mod_ftp</a></li>
+</ul>
+<h1 id="miscellaneous">Miscellaneous</h1>
+<ul>
+<li><a href="/contributors/">Contributors</a></li>
+<li><a href="http://www.apache.org/foundation/thanks.html">Sponsors</a></li>
+<li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+</ul>
+
+ </div>
+
+
+ <!-- RIGHT SIDE INFORMATION -->
+ <div id="apcontents">
+
+ <h1 id="apache-http-server-mailing-lists">Apache HTTP Server Mailing Lists</h1>
+<p>The following mailing lists relate to the Apache HTTP Server project. Users should consider subscribing to the <a href="#http-announce">Announcements</a> or <a href="#http-users">User Support</a> mailing lists. Other lists are for people interested in helping with the development and debugging of the server.</p>
+<p>Formatted archives are available in several places including <a href="http://mail-archives.apache.org/mod_mbox/">the Apache Mail Archives</a> , <a href="http://httpd.markmail.org/">MarkMail</a> , and <a href="http://marc.theaimsgroup.com/">MARC</a> . Raw mbox archives for most lists are available at <a href="http://httpd.apache.org/mail/">http://httpd.apache.org/mail/</a> . You can also use the mail-to-news <a href="nntp://news.gmane.org/">gateway</a> offered by <a href="http://news.gmane.org/index.php?match=gmane.comp.apache">GMANE</a> to access most of the lists with a news reader.</p>
+<ul>
+<li>
+<p><a href="#http-announce">Apache Server Announcements</a> </p>
+</li>
+<li>
+<p><a href="#http-users">User Support and Discussion</a> </p>
+</li>
+<li>
+<p><a href="#http-dev">Apache HTTP Server Development Main Discussion List</a> </p>
+</li>
+<li>
+<p><a href="#http-bugdb">Apache HTTP Server Bug Reports List</a> </p>
+</li>
+<li>
+<p><a href="#http-cvs">Source Change Reports</a> </p>
+</li>
+<li>
+<p><a href="#http-docs">Apache HTTP Server Documentation Project</a> </p>
+</li>
+<li>
+<p><a href="#modules-dev">Third-Party Module Authors' List</a> </p>
+</li>
+<li>
+<p><a href="#http-modules">HTTP Third-Party Module Directory</a> </p>
+</li>
+<li>
+<p><a href="#http-proxydev">Proxy Module Rework Discussion List</a> </p>
+</li>
+</ul>
+<h1 id="http-announce">Apache Server Announcements</h1>
+<p>The <code>announce@httpd.apache.org</code> mailing list is used to announce major releases and other important information about the Apache HTTP Server project. Messages are posted only by the Foundation; there is no discussion.</p>
+<table>
+<thead>
+<tr>
+<th>Volume:</th>
+<th>Very low</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>Unsubscription address:</td>
+<td><a href="mailto:announce-unsubscribe@httpd.Apache.Org">announce-unsubscribe@httpd.apache.org</a></td>
+</tr>
+<tr>
+<td>Getting help with the list:</td>
+<td><a href="mailto:announce-help@httpd.apache.org">announce-help@httpd.apache.org</a></td>
+</tr>
+<tr>
+<td>Archives:</td>
+<td></td>
+</tr>
+</tbody>
+</table>
+<ul>
+<li>
+<p><a href="http://mail-archives.apache.org/mod_mbox/httpd-announce/">Apache mailing list archives</a> </p>
+</li>
+<li>
+<p>Raw gzipped <a href="http://httpd.apache.org/mail/announce/">mbox files</a> </p>
+</li>
+<li>
+<p><a href="http://marc.theaimsgroup.com/?l=apache-httpd-announce">Mailing list archives</a> at MARC</p>
+</li>
+<li>
+<p>Available back to 27 October 1999. Send a message to <a href="mailto:announce-help@httpd.apache.org">announce-help@httpd.apache.org</a> for information about accessing the archives.
+ |</p>
+</li>
+</ul>
+<h1 id="http-users">User Support and Discussion</h1>
+<p>The lists and discussion groups listed here are the <strong>only</strong> place that configuration and how-to questions belong, ever. Every day, users become frustrated, not with Apache, but with how nobody will help them understand how to get started. 95% of the time, it's not for lack of helpers, but for lack of effort and well stated questions.</p>
+<p>Before you go further, please read Eric S. Raymond and Rick Moen's explanation of <a href="http://www.catb.org/~esr/faqs/smart-questions.html">"How To Ask Questions The Smart Way"</a> . If you follow their advice, you will discover that these forums have dozens of helpers ready to provide you with guidance on using the Apache HTTP Server! <strong>Note: Do not sent your Apache questions to Eric or Rick!</strong> </p>
+<p>There are now a few <strong>Apache HTTP Server Users Mailing Lists</strong> available in different languages.</p>
+<p>They are described on separate pages:</p>
+<ul>
+<li>
+<p><a href="userslist.html"></a> </p>
+</li>
+<li>
+<p><a href="usersdelist.html"></a> </p>
+</li>
+</ul>
+<p>In addition, there are a few usenet discussion groups in which discussions about the server can be found. These include:</p>
+<ul>
+<li>
+<p>comp.infosystems.www.servers.unix [ <a href="nntp://comp.infosystems.www.servers.unix">nntp</a> ] [ <a href="http://groups.google.com/groups?group=comp.infosystems.www.servers.unix">google</a> ]</p>
+</li>
+<li>
+<p>comp.infosystems.www.servers.ms-windows [ <a href="nntp://comp.infosystems.www.servers.ms-windows">nntp</a> ] [ <a href="http://groups.google.com/groups?group=comp.infosystems.www.servers.ms-windows">google</a> ]</p>
+</li>
+<li>
+<p>comp.infosystems.www.authoring.cgi [ <a href="nntp://comp.infosystems.www.authoring.cgi">nntp</a> ] [ <a href="http://groups.google.com/groups?group=comp.infosystems.www.authoring.cgi">google</a> ]</p>
+</li>
+<li>
+<p>de.comm.software.webserver<small>( <em>german</em> )</small>[ <a href="nntp://de.comm.software.webserver">nntp</a> ] [ <a href="http://groups.google.com/groups?de.comm.software.webserver">google</a> ]</p>
+</li>
+</ul>
+<h1 id="http-dev">Apache HTTP Server Development Main Discussion List</h1>
+<p>The <code>dev@httpd.apache.org</code> mailing list is used for discussions about the actual development of the server. All httpd candidates for release are announced to this list prior to acceptance. Subscribers to this list are encouraged to 'test-drive' these candidates just before they're generally released, and provide their feedback in a [vote] thread. Note these candidates are <strong>NOT</strong> yet released, and should not be carried on announcement channels, until the testing is complete and they have been voted as released on the dev@ list.
+Configuration and support questions should be addressed to a <a href="#http-users">user support group</a> . This list is only for discussion of changes to the source code and related issues. Other questions are likely to be ignored.
+| Volume: | Moderate to High |
+| Subscription address: | <a href="mailto:dev-subscribe@httpd.apache.org">dev-subscribe@httpd.apache.org</a> ( <strong>Not a user support list!</strong> ) |
+| Digest subscription address: | <a href="mailto:dev-digest-subscribe@httpd.apache.org">dev-digest-subscribe@httpd.apache.org</a> |
+| Unsubscription address: | <a href="mailto:dev-unsubscribe@httpd.apache.org">dev-unsubscribe@httpd.apache.org</a> |
+| Getting help with the list: | <a href="mailto:dev-help@httpd.apache.org">dev-help@httpd.apache.org</a> , <a href="mailto:dev-digest-help@httpd.apache.org">dev-digest-help@httpd.apache.org</a> |
+| Searchable Archives: | </p>
+<ul>
+<li>
+<p><a href="http://mail-archives.apache.org/mod_mbox/httpd-dev/">Apache mailing list archives</a> </p>
+</li>
+<li>
+<p>Raw gzipped <a href="http://httpd.apache.org/mail/dev/">mbox files</a> </p>
+</li>
+<li>
+<p><a href="http://marc.theaimsgroup.com/?l=apache-new-httpd">Mailing list archives</a> at MARC</p>
+</li>
+<li>
+<p><a href="http://www.mail-archive.com/dev%40httpd.apache.org/">Mail-Archive.Com</a> </p>
+</li>
+<li>
+<p><a href="http://groups.yahoo.com/group/new-httpd/">Yahoo Groups</a>
+ |
+| Mail-To-News gateway: | <a href="nntp://news.gmane.org/gmane.comp.apache.devel">gmane.comp.apache.devel</a> |</p>
+</li>
+</ul>
+<h1 id="http-bugdb">Apache HTTP Server Bug Reports List</h1>
+<p>This is the mailing list to which all activity in the <a href="http://issues.apache.org/bugzilla/">problem report database</a> is logged. If you are a member of this list, you will receive a message each time a report is added or modified.</p>
+<p>If you take ownership of bug by assigning it to yourself, please remember to add this mailing list to the cc: list so that the list continues to receive updates.</p>
+<table>
+<thead>
+<tr>
+<th>Volume:</th>
+<th>Medium</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>Unsubscription addresses:</td>
+<td><a href="mailto:bugs-unsubscribe@httpd.apache.org">bugs-unsubscribe@httpd.apache.org</a></td>
+</tr>
+<tr>
+<td>Getting help with the list:</td>
+<td><a href="mailto:bugs-help@httpd.apache.org">bugs-help@httpd.apache.org</a></td>
+</tr>
+<tr>
+<td>Searchable Archives:</td>
+<td></td>
+</tr>
+</tbody>
+</table>
+<ul>
+<li>
+<p><a href="http://mail-archives.apache.org/mod_mbox/httpd-bugs/">Apache mailing list archives</a> </p>
+</li>
+<li>
+<p>Raw gzipped <a href="http://httpd.apache.org/mail/bugs/">mbox files</a> </p>
+</li>
+<li>
+<p><a href="http://marc.theaimsgroup.com/?l=apache-httpd-bugs">Mailing list archives</a> at MARC
+ |
+| Mail-To-News gateway: | <a href="nntp://news.gmane.org/gmane.comp.apache.bugs">gmane.comp.apache.bugs</a> |</p>
+</li>
+</ul>
+<h1 id="http-cvs">Source Change Reports</h1>
+<p>This mailing list is used to notify developers and other interested parties of changes applied to the master Subversion repository. As changes are applied, Subversion log messages are sent to all subscribers. (The list name is an artifact of the fact that we used to use CVS.)</p>
+<table>
+<thead>
+<tr>
+<th>Volume:</th>
+<th>Low to moderate</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>Unsubscription addresses:</td>
+<td><a href="mailto:cvs-unsubscribe@httpd.apache.org">cvs-unsubscribe@httpd.apache.org</a></td>
+</tr>
+<tr>
+<td>Getting help with the list:</td>
+<td><a href="mailto:cvs-help@httpd.apache.org">cvs-help@httpd.apache.org</a></td>
+</tr>
+<tr>
+<td>Searchable Archives:</td>
+<td></td>
+</tr>
+</tbody>
+</table>
+<ul>
+<li>
+<p><a href="http://mail-archives.apache.org/mod_mbox/httpd-cvs/">Apache mailing list archives</a> </p>
+</li>
+<li>
+<p>Raw gzipped <a href="http://httpd.apache.org/mail/cvs/">mbox files</a> </p>
+</li>
+<li>
+<p><a href="http://marc.theaimsgroup.com/?l=apache-cvs">Mailing list archives</a> at MARC
+ |
+| Mail-To-News gateway: | <a href="nntp://news.gmane.org/gmane.comp.apache.cvs">gmane.comp.apache.cvs</a> |</p>
+</li>
+</ul>
+<h1 id="http-docs">Apache HTTP Server Documentation Project</h1>
+<p>This mailing list is used by the people working on improving and translating the documentation of the Apache HTTP server. It is primarily used for discussion of changes to the documentation.</p>
+<table>
+<thead>
+<tr>
+<th>Volume:</th>
+<th>Low to moderate</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>Unsubscription addresses:</td>
+<td><a href="mailto:docs-unsubscribe@httpd.apache.org">docs-unsubscribe@httpd.apache.org</a></td>
+</tr>
+<tr>
+<td>Getting help with the list:</td>
+<td><a href="mailto:docs-help@httpd.apache.org">docs-help@httpd.apache.org</a></td>
+</tr>
+<tr>
+<td>Searchable Archives:</td>
+<td></td>
+</tr>
+</tbody>
+</table>
+<ul>
+<li>
+<p><a href="http://mail-archives.apache.org/mod_mbox/httpd-docs/">Apache mailing list archives</a> </p>
+</li>
+<li>
+<p>Raw gzipped <a href="http://httpd.apache.org/mail/docs/">mbox files</a> </p>
+</li>
+<li>
+<p><a href="http://marc.theaimsgroup.com/?l=apache-docs">Mailing list archives</a> at MARC
+ |
+| Mail-To-News gateway: | <a href="nntp://news.gmane.org/gmane.comp.apache.documentation">gmane.comp.apache.documentation</a> |</p>
+</li>
+</ul>
+<h1 id="modules-dev">Third-Party Module Authors' List</h1>
+<p>This mailing list is for people who are actually involved in writing third-party or private modules for the Apache HTTP server. It is a peer support list for programmers to discuss issues surrounding the development of web server modules using the Apache HTTP Server module and APR APIs. It was historically hosted at apache-modules@covalent.net, now closed, but still archived on MARC (see Archives, below).</p>
+<table>
+<thead>
+<tr>
+<th>Volume:</th>
+<th>Low to moderate</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>Unsubscription addresses:</td>
+<td><a href="mailto:modules-dev-unsubscribe@httpd.apache.org">modules-dev-unsubscribe@httpd.apache.org</a></td>
+</tr>
+<tr>
+<td>Getting help with the list:</td>
+<td><a href="mailto:modules-dev-help@httpd.apache.org">modules-dev-help@httpd.apache.org</a></td>
+</tr>
+<tr>
+<td>Searchable Archive:</td>
+<td><a href="http://mail-archives.apache.org/mod_mbox/httpd-modules-dev/">Browse httpd-modules-dev</a></td>
+</tr>
+<tr>
+<td>Raw Archive Files:</td>
+<td><a href="http://httpd.apache.org/mail/modules-dev/">Download raw mbox .gz files</a></td>
+</tr>
+<tr>
+<td>Historical Archive:</td>
+<td><a href="http://marc.theaimsgroup.com/?l=apache-modules">apache-modules@covalent.net</a> <br></br>(now closed) at MARC</td>
+</tr>
+</tbody>
+</table>
+<h1 id="http-modules">HTTP Third-Party Module Directory</h1>
+<p>They are not hosted, not managed and not supported by the Apache Software Foundation, but there is a third-party module directory for your reference. As a user, you can search for modules which might solve your specific requirements, and as a third-party module author you can add the modules of your own creation to the directory. Contact the specific third parties for support of their own modules.</p>
+<p>There is also an associated mailing list which broadcasts announcements of changes to the database.</p>
+<p>| Directory web interface: | <a href="http://modules.apache.org/">http://modules.apache.org/</a> |
+| Volume: | Low to moderate |
+| Subscription address: | <a href="mailto:apache-modules-announce-subscribe@covalent.net">apache-modules-announce-subscribe@covalent.net</a> |
+| Unsubscription addresses: | <a href="mailto:apache-modules-announce-unsubscribe@covalent.net">apache-modules-announce-unsubscribe@covalent.net</a> |
+| Getting help with the list: | <a href="mailto:apache-modules-announce-help@covalent.net">apache-modules-announce-help@covalent.net</a> |</p>
+<h1 id="http-proxydev">Proxy Module Rework Discussion List</h1>
+<p>This list is closed. Proxy development discussion should take place on the main dev list. Archives are still available for research. Direct all development questions to the <a href="#http-dev">Main Development Discussion List</a> .</p>
+<p>| Searchable Archives: | </p>
+<ul>
+<li>
+<p>Raw gzipped <a href="http://www.apache.org/mail/modproxy-dev/">mbox files</a> </p>
+</li>
+<li>
+<p><a href="http://marc.theaimsgroup.com/?l=apache-modproxy-dev">Mailing list archives</a> at MARC
+ |</p>
+</li>
+</ul>
+
+
+ <!-- FOOTER -->
+ <div id="footer">
+ <p class="apache">
+
+ <div class="codehilite"><pre> <span class="n">Copyright</span> <span class="o">&</span><span class="n">copy</span><span class="p">;</span> <span class="mi">2012</span> <span class="n">The</span> <span class="n">Apache</span> <span class="n">Software</span> <span class="n">Foundation</span>
+</pre></div>
+
+
+<p>Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
+
+ </p>
+ </div>
+ </div>
+ </body>
+ </html>
Added: websites/staging/httpd/trunk/content/mod_fcgid/index.en.xml
==============================================================================
Binary file - no diff available.
Propchange: websites/staging/httpd/trunk/content/mod_fcgid/index.en.xml
------------------------------------------------------------------------------
svn:mime-type = application/xml
Added: websites/staging/httpd/trunk/content/mod_fcgid/index.html
==============================================================================
--- websites/staging/httpd/trunk/content/mod_fcgid/index.html (added)
+++ websites/staging/httpd/trunk/content/mod_fcgid/index.html Sun May 6 14:18:02 2012
@@ -0,0 +1,3 @@
+URI: index.en.html
+Content-Language: en
+Content-type: text/html; charset=utf-8
Added: websites/staging/httpd/trunk/content/mod_ftp/doap.rdf
==============================================================================
Binary file - no diff available.
Propchange: websites/staging/httpd/trunk/content/mod_ftp/doap.rdf
------------------------------------------------------------------------------
svn:mime-type = application/xml
Added: websites/staging/httpd/trunk/content/mod_ftp/index.en.xml
==============================================================================
Binary file - no diff available.
Propchange: websites/staging/httpd/trunk/content/mod_ftp/index.en.xml
------------------------------------------------------------------------------
svn:mime-type = application/xml
Added: websites/staging/httpd/trunk/content/mod_ftp/index.html
==============================================================================
--- websites/staging/httpd/trunk/content/mod_ftp/index.html (added)
+++ websites/staging/httpd/trunk/content/mod_ftp/index.html Sun May 6 14:18:02 2012
@@ -0,0 +1,3 @@
+URI: index.en.html
+Content-Language: en
+Content-type: text/html; charset=ISO-8859-1
Added: websites/staging/httpd/trunk/content/mod_mbox/index.xml
==============================================================================
Binary file - no diff available.
Propchange: websites/staging/httpd/trunk/content/mod_mbox/index.xml
------------------------------------------------------------------------------
svn:mime-type = application/xml
Added: websites/staging/httpd/trunk/content/mod_mbox/install.xml
==============================================================================
Binary file - no diff available.
Propchange: websites/staging/httpd/trunk/content/mod_mbox/install.xml
------------------------------------------------------------------------------
svn:mime-type = application/xml
Added: websites/staging/httpd/trunk/content/mod_mbox/ref.xml
==============================================================================
Binary file - no diff available.
Propchange: websites/staging/httpd/trunk/content/mod_mbox/ref.xml
------------------------------------------------------------------------------
svn:mime-type = application/xml
Added: websites/staging/httpd/trunk/content/mod_smtpd/index.xml
==============================================================================
Binary file - no diff available.
Propchange: websites/staging/httpd/trunk/content/mod_smtpd/index.xml
------------------------------------------------------------------------------
svn:mime-type = application/xml
Added: websites/staging/httpd/trunk/content/mod_smtpd/install.xml
==============================================================================
Binary file - no diff available.
Propchange: websites/staging/httpd/trunk/content/mod_smtpd/install.xml
------------------------------------------------------------------------------
svn:mime-type = application/xml
Added: websites/staging/httpd/trunk/content/modules/index.xml
==============================================================================
Binary file - no diff available.
Propchange: websites/staging/httpd/trunk/content/modules/index.xml
------------------------------------------------------------------------------
svn:mime-type = application/xml
Added: websites/staging/httpd/trunk/content/press/04apr96.txt
==============================================================================
--- websites/staging/httpd/trunk/content/press/04apr96.txt (added)
+++ websites/staging/httpd/trunk/content/press/04apr96.txt Sun May 6 14:18:02 2012
@@ -0,0 +1,52 @@
+
+For Immediate Release
+Contact: The Apache Group - apache@apache.org
+
+ APACHE GROUP ANNOUNCES THE WORLD'S MOST POPULAR WEBSERVER
+
+INTERNET - April 3, 1996 - The Apache Group today announced that their
+popular webserver, Apache, was found by the Netcraft Web Server Survey
+to be the most popular server on the Internet. The latest Netcraft
+survey found that Apache and its derivatives claimed a 29% marketshare
+as of April 1st, making it more used than any other webserver on the
+market. The NCSA server, which had previously held the number one
+position, now holds a 26% share of webservers surveyed.
+
+
+Speaking of Apache's competition in the packed World Wide Web server
+arena, Apache Group developer Alexei Kosut remarked, "While
+commercial servers are limited by profit margins and corporate
+politics, a free server like Apache is limited only by the
+imagination." In fact, the Apache Group is working furiously on a new
+version of their server, which Kosut promises will have "more new
+features than you can shake a stick at."
+
+Sameer Parekh, President of Community ConneXion, Inc., commented on
+the Apache server's suitability for high-security applications, "Time
+and time again security incidents on the Internet have shown the
+importance of having source code available for the deployment of
+secure Internet and Intranet applications. Apache is an excellent
+example of the kind of product which is suitable for high security
+applications, since the source is provided with the product allowing
+full scrutiny of its implementation."
+
+Apache is now being backed by full commercial support by a number of
+companies. Mark Cox, Technical Director of UK Web Ltd., commented
+"Sometimes organisations are hesitant to use unsupported software, but
+with commercial support they can have the peace of mind they require."
+
+"The Netcraft Web Server Survey has become a huge exercise in network
+exploration" said Mike Prettejohn, director of Netcraft, a British
+internet services company, "we are learning a great deal". The April
+Netcraft Survey found more than one hundred fifty thousand servers on
+the Internet, and the full survey results can be reached at
+http://www.netcraft.co.uk/Survey/.
+
+The Apache Group is a collection of volunteers dedicated to the
+development of a high-quality webserver for deployment throughout the
+World-Wide-Web. The Apache Group prides itself on the available
+source, open development environment, and fast bugfix turnaround.
+Information, documentation, binaries, and source for Apache is
+available from the Apache Server's main web site, at
+http://www.apache.org/
+
Added: websites/staging/httpd/trunk/content/press/05Jan98.txt
==============================================================================
--- websites/staging/httpd/trunk/content/press/05Jan98.txt (added)
+++ websites/staging/httpd/trunk/content/press/05Jan98.txt Sun May 6 14:18:02 2012
@@ -0,0 +1,92 @@
+For Release: January 5th, 1998
+
+Contact:
+Jim Jagielski
+The Apache Group
+c/o jaguNET Access Services
++1 410 931 3157
+
+Mike Prettejohn
+Netcraft, Ltd.
++44 1225 447500
+
+Sameer Parekh
+C2Net Software, Inc.
++1 510 986 8770
+
+ APACHE WEBSERVER SERVES OVER HALF THE INTERNET
+
+The Apache Web Server, from the Apache Group (http://www.apache.org/),
+now serves over half the domains on the Internet, according to the
+latest Netcraft Web Server Survey (http://www.netcraft.com/). According
+to the January 1998 survey, the Apache server and its derivatives
+serve 50.24% of the 1,834,710 sites found by Netcraft.
+
+From its humble beginnings in early 1995 as a set of patches to the
+original NCSA Web Server, the Apache Web Server has steadily grown in
+popularity as well as power and capability. The Apache server was one
+of the first Web servers to implement the HTTP/1.1 protocol, for
+example. The Apache server has become established as the dominant Web
+server, far outpacing commercial offerings from the giants Microsoft
+and Netscape.
+
+The key to the success of the Apache Web server is its dedicated
+development team. A core group of developers, known as the Apache
+Group, constantly update, fix, and improve the server in order to
+create the best server available.
+
+Another key to the Apache server's impressive popularity is that it is
+freely available via the Internet. Webmasters can quickly and easily
+download the entire source code for the server to compile it
+themselves, or they can download various precompiled and "ready to
+run" versions. Since the source code is freely available, it is easy
+for webmasters to greatly enhance the Apache Web server's capability,
+either by adding numerous "modules" which extend the server's
+functions or by editing the actual server code to suit their needs.
+
+"It really is a labour of love," said Jim Jagielski, member of the
+Apache Group. "Every one of us in the Group are committed to making
+Apache the best it can be. We are all experienced Net citizens
+and therefore have a real feel for what's needed. We also listen
+very intently to what is needed and desired by the Net community, so
+we can implement those features into Apache. And since we don't have
+the huge inertia of a commercial company to worry about, we can do it
+quicker and better than anyone else."
+
+"One of the strengths of the Apache project is that many of the core
+team and key contributors are themeselves running high profile sites,
+and so know what is required from first hand experience," said Mike
+Prettejohn, Director of Netcraft, "in particular, the support for
+virtual domains, and the server's overall stability and resilience has
+made Apache the de facto choice for ISPs and hosting companies
+throughout the world."
+
+"Apache is the ideal platform for building mission-critical web-based
+applications," said Sameer Parekh, President of C2Net Software, Inc.,
+whose Stronghold Web Server is the most widely used commercial
+Apache-based server. "Apache confuses most industry analysts because
+they have forgotten that mission-critical Internet services, from web
+services to domain name services to electronic mail, have been running
+on free software since Day One."
+
+The latest version of the Apache Web server is 1.2.4, which runs on
+most UNIX platforms. The next release of the Apache server, version 1.3,
+currently in beta test, will run on both UNIX and Microsoft Windows NT.
+
+Netcraft (http://www.netcraft.com/) is an networking consultancy based
+in Bath, England and is well known worldwide for its Web Server
+Survey, which is widely considered a primary empirical metric for the
+number of web sites and the relative popularity of web server software
+on the internet.
+
+C2Net Software, Inc. (http://www.c2.net/) is a leading provider of
+uncompromised network security software. Through its international
+offshore development programs, all C2Net products are exempt from
+U.S. government export restrictions, allowing the company to offer
+uncrippled, strong cryptography solutions to customers worldwide.
+
+The Apache Group is a group of individuals who are committed to
+developing the best web server in the world and making it freely
+available.
+
+ ###
Added: websites/staging/httpd/trunk/content/press/22Jun98.html
==============================================================================
--- websites/staging/httpd/trunk/content/press/22Jun98.html (added)
+++ websites/staging/httpd/trunk/content/press/22Jun98.html Sun May 6 14:18:02 2012
@@ -0,0 +1,110 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<HTML><HEAD>
+<TITLE>IBM joins the Apache Project,
+Plans to bundle and support the Apache HTTP Server</TITLE>
+</HEAD>
+<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
+<BODY
+ BGCOLOR="#FFFFFF"
+ TEXT="#000000"
+ LINK="#0000FF"
+ VLINK="#000080"
+ ALINK="#FF0000"
+>
+
+<IMG SRC="../images/apache_sub.gif" ALT="">
+
+<H2 align=center>IBM joins the Apache Project,<br>
+Plans to bundle and support the Apache HTTP Server</H2>
+
+<P>
+INTERNET - June 22, 1998 - The Apache Group announced today that they are
+entering into an engineering partnership with IBM for development of the
+open-source Apache HTTP server software. IBM will be contributing
+engineering manpower and technology to the project, and will be
+incorporating the award-winning Apache software into the IBM line of
+WebSphere Application Server software, as well as providing support and
+services for the Apache platform. A technical representative from IBM will
+be joining the Apache Group, which directs the Apache development effort.
+
+<P>
+The Apache Group is a non-profit international organization comprised of
+individuals who jointly develop software for serving World Wide Web pages
+from Unix and NT systems. The Apache HTTP server software is available at
+no cost, with an open-source license. Several other companies sell
+derivative products and services based on the Apache distribution. Apache
+and Apache-based software runs on over half of the Web sites on the
+Internet, according to numbers published by Netcraft Ltd.
+
+<P>
+"This is a major endorsement of the open-source software development model,
+and of the quality of the code we have developed," said Brian Behlendorf,
+Apache Group member. "IBM will benefit by having a world-class Web serving
+solution to offer to its customers; the Apache Group, and by proxy all users
+of Apache or Apache-derived software, will benefit through contributions
+back to the project by IBM developers."
+
+<P>
+Paraic Sweeney, vice president of IBM's WebSphere Application Server
+Marketing, said, "IBM is pleased to join the Apache Group, and in
+shipping the Apache HTTP Server with the WebSphere Application Server,
+IBM is providing customers with commercial grade support to a highly
+successful product across a broad range of customers."
+
+<P>
+"Open-source development efforts have existed on the Internet for as long
+as it has been around, and much of the software that makes the Internet work
+was developed that way," said Ken Coar, another member of the Apache Group.
+"It's very encouraging that IBM, a major player in the computer industry,
+is recognizing the power and value of the open-source model. By supporting
+an open-source project rather than pursuing a proprietary and competitive
+effort, IBM is helping to assure that Internet software and standards will
+be the best they can be for everyone, and not just serve a single interest.
+This way, everyone benefits."
+
+<P>
+"Apache's emphasis on developing software according to the latest Internet
+standards, and feeding that development experience back into the standards
+specification process of the Internet Engineering Taskforce (IETF), makes
+the Apache HTTP server an ideal platform for both non-profit and commercial
+products," said Roy Fielding, an Apache Group member and researcher at the
+University of California, Irvine. "IBM's involvement in the Apache Group
+gives them access to both a robust implementation of current Web technology
+and a premier forum for the development of the future Web architecture.
+Researchers call this `technology transfer,' but in the commercial world
+it is just good business sense."
+
+<P>
+"I am excited to see IBM join the large group of individuals and companies
+that develop and support open-source software," said Dean Gaudet,
+Apache Group member. "I can't help but feel that we'll see more
+companies begin experimenting with the open development model.
+It is great to be a part of this."
+
+<P>
+With this move, IBM becomes the latest in a series of commercial ventures
+to support the Apache HTTP server project, joining long-time current
+contributors <a href="http://www.c2.net/">C2Net Software</a>
+ (<http://www.c2.net/>),
+<a href="http://www.covalent.net/">Covalent Technologies</a>
+ (<http://www.covalent.net/>),
+<a href="http://www.aldigital.co.uk/">A. L. Digital</a>
+ (<http://www.aldigital.co.uk/>),
+and <a href="http://www.jaguNET.com/">jaguNET Access Services</a>
+ (<http://www.jaguNET.com>).
+
+<P>
+The Apache Group was founded in 1995 to address the need for a public,
+open-source, reference implementation of the HTTP protocol which is the
+foundation of the World Wide Web. The software is developed through a
+collaborative process, involving 18 "core" developers and hundreds of
+auxiliary contributors. More information on the
+<a href="http://www.apache.org/">Apache project</a> can be
+found at <http://www.apache.org/>.
+
+<P>
+The <a href="http://www.netcraft.com/Survey/">Netcraft Internet Web survey</a>
+can be accessed online at <http://www.netcraft.com/Survey/>.
+
+<HR>
+</BODY></HTML>
Added: websites/staging/httpd/trunk/content/press/22Jun98.txt
==============================================================================
--- websites/staging/httpd/trunk/content/press/22Jun98.txt (added)
+++ websites/staging/httpd/trunk/content/press/22Jun98.txt Sun May 6 14:18:02 2012
@@ -0,0 +1,79 @@
+
+ IBM JOINS THE APACHE PROJECT,
+
+ PLANS TO BUNDLE AND SUPPORT THE APACHE HTTP SERVER
+
+INTERNET - June 22, 1998 - The Apache Group announced today that they are
+entering into an engineering partnership with IBM for development of the
+open-source Apache HTTP server software. IBM will be contributing
+engineering manpower and technology to the project, and will be
+incorporating the award-winning Apache software into the IBM line of
+WebSphere Application Server software, as well as providing support and
+services for the Apache platform. A technical representative from IBM will
+be joining the Apache Group, which directs the Apache development effort.
+
+The Apache Group is a non-profit international organization comprised of
+individuals who jointly develop software for serving World Wide Web pages
+from Unix and NT systems. The Apache HTTP server software is available at
+no cost, with an open-source license. Several other companies sell
+derivative products and services based on the Apache distribution. Apache
+and Apache-based software runs on over half of the Web sites on the
+Internet, according to numbers published by Netcraft Ltd.
+
+"This is a major endorsement of the open-source software development model,
+and of the quality of the code we have developed," said Brian Behlendorf,
+Apache Group member. "IBM will benefit by having a world-class Web serving
+solution to offer to its customers; the Apache Group, and by proxy all users
+of Apache or Apache-derived software, will benefit through contributions
+back to the project by IBM developers."
+
+Paraic Sweeney, vice president of IBM's WebSphere Application Server
+Marketing, said, "IBM is pleased to join the Apache Group, and in
+shipping the Apache HTTP Server with the WebSphere Application Server,
+IBM is providing customers with commercial grade support to a highly
+successful product across a broad range of customers."
+
+"Open-source development efforts have existed on the Internet for as long
+as it has been around, and much of the software that makes the Internet work
+was developed that way," said Ken Coar, another member of the Apache Group.
+"It's very encouraging that IBM, a major player in the computer industry,
+is recognizing the power and value of the open-source model. By supporting
+an open-source project rather than pursuing a proprietary and competitive
+effort, IBM is helping to assure that Internet software and standards will
+be the best they can be for everyone, and not just serve a single interest.
+This way, everyone benefits."
+
+"Apache's emphasis on developing software according to the latest Internet
+standards, and feeding that development experience back into the standards
+specification process of the Internet Engineering Taskforce (IETF), makes
+the Apache HTTP server an ideal platform for both non-profit and commercial
+products," said Roy Fielding, an Apache Group member and researcher at the
+University of California, Irvine. "IBM's involvement in the Apache Group
+gives them access to both a robust implementation of current Web technology
+and a premier forum for the development of the future Web architecture.
+Researchers call this `technology transfer,' but in the commercial world
+it is just good business sense."
+
+"I am excited to see IBM join the large group of individuals and companies
+that develop and support open-source software," said Dean Gaudet,
+Apache Group member. "I can't help but feel that we'll see more
+companies begin experimenting with the open development model.
+It is great to be a part of this."
+
+With this move, IBM becomes the latest in a series of commercial ventures
+to support the Apache HTTP server project, joining long-time current
+contributors C2Net Software (<http://www.c2.net/>), Covalent Technologies
+(<http://www.covalent.net/>), A. L. Digital (<http://www.aldigital.co.uk/>),
+and jaguNET Access Services (<http://www.jaguNET.com>).
+
+The Apache Group was founded in 1995 to address the need for a public,
+open-source, reference implementation of the HTTP protocol which is the
+foundation of the World Wide Web. The software is developed through a
+collaborative process, involving 18 "core" developers and hundreds of
+auxiliary contributors. More information on the Apache project can be
+found at <http://www.apache.org/>.
+
+The Netcraft Internet Web survey can be accessed online at
+<http://www.netcraft.com/Survey/>.
+
+ ###
Added: websites/staging/httpd/trunk/content/robots.txt
==============================================================================
--- websites/staging/httpd/trunk/content/robots.txt (added)
+++ websites/staging/httpd/trunk/content/robots.txt Sun May 6 14:18:02 2012
@@ -0,0 +1,3 @@
+User-agent: *
+Disallow: /websrc
+
Added: websites/staging/httpd/trunk/content/security/CVE-2011-3192.txt
==============================================================================
--- websites/staging/httpd/trunk/content/security/CVE-2011-3192.txt (added)
+++ websites/staging/httpd/trunk/content/security/CVE-2011-3192.txt Sun May 6 14:18:02 2012
@@ -0,0 +1,266 @@
+ Apache HTTPD Security ADVISORY
+ ==============================
+ UPDATE 3 - FINAL
+
+Title: Range header DoS vulnerability Apache HTTPD prior to 2.2.20.
+
+CVE: CVE-2011-3192
+Last Change: 20110831 1800Z
+Date: 20110824 1600Z
+Product: Apache HTTPD Web Server
+Versions: Apache 2.0 - all versions prior to 2.2.20 and prior to 2.0.65
+ Apache 1.3 is NOT vulnerable.
+
+Changes since last update
+=========================
+2.2.20 has a fix, 2.2.21 an improved one. Version 1.3 is not vulnerable.
+Further regex/rule improvements. Explained DoS. Added wiki link.
+Highlight fact that LimitRequestFieldSize workaround was insufficient.
+
+Changes since update 1
+=========================
+In addition to the 'Range' header - the 'Request-Range' header is equally
+affected. Furthermore various vendor updates, improved regexes (speed and
+accommodating a different and new attack pattern).
+
+Description:
+============
+
+A denial of service vulnerability has been found in the way the multiple
+overlapping ranges are handled by the Apache HTTPD server prior to version
+2.2.20:
+
+ http://seclists.org/fulldisclosure/2011/Aug/175
+
+An attack tool is circulating in the wild. Active use of this tool has
+been observed.
+
+The attack can be done remotely and with a modest number of requests can
+cause very significant memory and CPU usage on the server.
+
+The default Apache httpd installations version 2.0 prior to 2.0.65 and
+version 2.2 prior to 2.2.20 are vulnerable.
+
+Apache 2.2.20 does fix this issue; however with a number of side effects
+(see release notes). Version 2.2.21 corrects a protocol defect in 2.2.20,
+and also introduces the MaxRanges directive.
+
+Version 2.0.65 has not been released, but will include this fix, and is
+anticipated in September.
+
+Apache 1.3
+==========
+
+Apache 1.3 is NOT vulnerable. However as explained in the background section
+in more detail - this attack does cause a significant and possibly unexpected
+load. You are advised to review your configuration in that light.
+
+Type of Attack
+==============
+
+This vulnerability concerns a 'Denial of Service' attack. This means that
+a remote attacker, under the right circumstances, is able to slow your
+service or server down to a crawl or exhausting memory available to serve
+requests, leaving it unable to serve legitimate clients in a timely manner.
+
+There are no indications that this leads to a remote exploit; where a
+third party can compromise your security and gain foothold of the server
+itself. The result of this vulnerability is purely one of denying service
+by grinding your server down to a halt and refusing additional connections
+to the server.
+
+Background and the 2007 report
+==============================
+
+There are two aspects to this vulnerability. One is new, is Apache specific;
+and resolved with this server side fix. The other issue is fundamentally a
+protocol design issue dating back to 2007:
+
+ http://seclists.org/bugtraq/2007/Jan/83
+
+The contemporary interpretation of the HTTP protocol (currently) requires a
+server to return multiple (overlapping) ranges; in the order requested. This
+means that one can request a very large range (e.g. from byte 0- to the end)
+100's of times in a single request.
+
+Being able to do so is an issue for (probably all) webservers and currently
+subject of an IETF discussion to change the protocol:
+
+ http://trac.tools.ietf.org/wg/httpbis/trac/ticket/311
+
+This advisory details a problem with how Apache httpd and its so called
+internal 'bucket brigades' deal with serving such "valid" request. The
+problem is that currently such requests internally explode into 100's of
+large fetches, all of which are kept in memory in an inefficient way. This
+is being addressed in two ways. By making things more efficient. And by
+weeding out or simplifying requests deemed too unwieldy.
+
+FIX
+====
+
+This vulnerability has been fixed in release 2.2.20 and further corrected
+in 2.2.21. You are advised to upgrade to version 2.2.21 (or newer) or the
+legacy 2.0.65 release, once this is published (anticipated in September).
+
+If you cannot upgrade, or cannot wait to upgrade - you can apply the
+appropriate source code patch and recompile a recent existing version;
+
+ http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/ (for 2.2.9 - .14)
+ http://www.apache.org/dist/httpd/patches/apply_to_2.2.19/ (for 2.2.15 - .19)
+ http://www.apache.org/dist/httpd/patches/apply_to_2.0.64/ (for 2.0.55 - .64)
+
+If you cannot upgrade and/or cannot apply above patches in a timely manner
+then you should consider to apply one or more of the mitigation suggested below.
+
+CAVEATS
+=======
+
+Note that this fix 1) will return a "200 OK" in cases where a 206 respond would
+be larger and 2) changes the behavior of chunked responses. This may affect
+certain clients. See the above background section and IETF reference for
+more detail and the various discussions around fixing this in the protocol.
+
+Furthermore a request with a byterange beyond the end of the file used to
+return 416 but now returns 200. This is a violation of a RFC2616 SHOULD.
+
+Mitigation:
+===========
+
+There are several immediate options to mitigate this issue until a full fix
+is available. Below examples handle both the 'Range' and the legacy
+'Request-Range' with various levels of care.
+
+Note that 'Request-Range' is a legacy name dating back to Netscape Navigator
+2-3 and MSIE 3. Depending on your user community - it is likely that you
+can use option '3' safely for this older 'Request-Range'.
+
+0) Consult http://httpd.apache.org/security/CVE-2011-3192.txt for the most
+ recent information (as this is the final advisory).
+
+1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
+ either ignore the Range: header or reject the request.
+
+ Option 1: (Apache 2.2, requires mod_setenvif and mod_headers)
+
+ # Drop the Range header when more than 5 ranges.
+ # CVE-2011-3192
+ SetEnvIf Range (?:,.*?){5,5} bad-range=1
+ RequestHeader unset Range env=bad-range
+
+ # We always drop Request-Range; as this is a legacy
+ # dating back to MSIE3 and Netscape 2 and 3.
+ #
+ RequestHeader unset Request-Range
+
+ # optional logging.
+ CustomLog logs/range-CVE-2011-3192.log common env=bad-range
+
+ Above may not work for all configurations. In particular situations
+ mod_cache and (language) modules may act before the 'unset'
+ is executed upon during the 'fixup' phase.
+
+ Option 2: (Pre 2.2, requires mod_rewrite and mod_headers)
+
+ # Reject request when more than 5 ranges in the Range: header.
+ # CVE-2011-3192
+ #
+ RewriteEngine on
+ RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
+ RewriteRule .* - [F]
+
+ # We always drop Request-Range; as this is a legacy
+ # dating back to MSIE3 and Netscape 2 and 3.
+ #
+ RequestHeader unset Request-Range
+
+ The number 5 is arbitrary. Several 10's should not be an issue and may be
+ required for sites which for example serve PDFs to very high end eReaders
+ or use things such complex http based video streaming.
+
+ WARNING These directives need to be specified in every configured
+ vhost, or inherited from server context as described in:
+ http://httpd.apache.org/docs/current/mod/mod_rewrite.html#vhosts
+
+2) Use mod_headers to completely dis-allow the use of Range headers:
+
+ RequestHeader unset Range
+
+ Note that this may break certain clients - such as those used for
+ e-Readers and progressive/http-streaming video.
+
+ Furthermore to ignore the Netscape Navigator 2-3 and MSIE 3 specific
+ legacy header - add:
+
+ RequestHeader unset Request-Range
+
+ Unlike the commonly used 'Range' header - dropping the 'Request-Range'
+ is not likely to affect many clients.
+
+4) Deploy a Range header count module as a temporary stopgap measure.
+
+ A stop-gap module which is runtime-configurable can be found at:
+
+ http://people.apache.org/~fuankg/httpd/mod_rangecnt-improved/
+
+ A simpler stop-gap module which requires compile-time configuration
+ is also available:
+
+ http://people.apache.org/~dirkx/mod_rangecnt.c
+
+Note
+====
+
+Earlier advisories suggested the use of LimitRequestFieldSize. This mitigation
+was not fully effective and can by bypassed by splitting the attack vector up
+across multiple headers. Therefore you should not rely on LimitRequestFieldSize
+alone.
+
+OS and Vendor specific information
+==================================
+
+Red Hat: Has additional RHEL specific information at:
+ https://bugzilla.redhat.com/show_bug.cgi?id=732928
+
+NetWare: Pre compiled binaries are available;
+ runtime-configurable:
+ http://people.apache.org/~fuankg/httpd/mod_rangecnt-improved/
+ compile-time configured for 5 ranges:
+ http://people.apache.org/~fuankg/httpd/mod_rangecnt/
+
+Win32: Pre compiled binaries are available;
+ runtime-configurable:
+ http://people.apache.org/~gsmith/httpd/binaries/modules/mod_rangecnt-improved/
+ compile-time configured for 5 ranges:
+ http://people.apache.org/~gsmith/httpd/binaries/modules/mod_rangecnt/
+
+mod_security: Has updated their rule set; see
+ http://blog.spiderlabs.com/2011/08/mitigation-of-apache-range-header-dos-attack.html
+
+
+Actions:
+========
+
+Apache HTTPD users who are concerned about a DoS attack against their server
+should 1) upgrade to version 2.2.21 (or 2.0.65 when it becomes available),
+2) if not possible - apply the provided patches or 3) consider implementing
+any of the above mitigation immediately.
+
+When using a third party attack tool to verify vulnerability - note that most
+of the versions in the wild currently check for the presence of mod_deflate;
+and will (mis)report that your server is not vulnerable if this module is not
+present. This vulnerability is not dependent on presence or absence of
+that module.
+
+Planning:
+=========
+
+No further advisory email announcements are planned. However we will track
+minor refinements of this advisory at;
+
+ http://httpd.apache.org/security/CVE-2011-3192.txt
+
+Further recommendations and discussion on workarounds, or user-agent
+specific complications of these fixes will be tracked at;
+
+ http://wiki.apache.org/httpd/CVE-2011-3192
+
Added: websites/staging/httpd/trunk/content/security/impact_levels.xml
==============================================================================
Binary file - no diff available.
Propchange: websites/staging/httpd/trunk/content/security/impact_levels.xml
------------------------------------------------------------------------------
svn:mime-type = application/xml