Posted to cvs@httpd.apache.org by st...@apache.org on 2004/03/19 22:51:21 UTC
cvs commit: httpd-site/xdocs index.xml
striker 2004/03/19 13:51:20
Modified: docs index.html
xdocs index.xml
Log:
Another place to mention the release.
Revision Changes Path
1.73 +14 -8 httpd-site/docs/index.html
Index: index.html
===================================================================
RCS file: /home/cvs/httpd-site/docs/index.html,v
retrieving revision 1.72
retrieving revision 1.73
diff -u -r1.72 -r1.73
--- index.html 1 Jan 2004 13:47:20 -0000 1.72
+++ index.html 19 Mar 2004 21:51:20 -0000 1.73
@@ -127,7 +127,7 @@
<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr><td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
- <a name="2.0.48"><strong>Apache 2.0.48 Released</strong></a>
+ <a name="2.0.49"><strong>Apache 2.0.49 Released</strong></a>
</font>
</td></tr>
<tr><td>
@@ -137,13 +137,19 @@
<a href="http://www.apache.org/dist/httpd/Announcement2.html.de">here</a>)
</p>
<p>This version of Apache is principally a bug fix release. Of particular
- note is that 2.0.48 addresses two security vulnerabilities:</p>
-<p>mod_cgid mishandling of CGI redirect paths could result in CGI output
- going to the wrong client when a threaded MPM is used.<br />
- <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789">CAN-2003-0789</a>]</code></p>
-<p>A buffer overflow could occur in mod_alias and mod_rewrite when
- a regular expression with more than 9 captures is configured.<br />
- <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542">CAN-2003-0542</a>]</code></p>
+ note is that 2.0.49 addresses three security vulnerabilities:</p>
+<p>When using multiple listening sockets, a denial of service attack
+ is possible on some platforms due to a race condition in the
+ handling of short-lived connections. This issue is known to affect
+ some versions of AIX, Solaris, and Tru64; it is known to not affect
+ FreeBSD or Linux.<br />
+ <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174">CAN-2004-0174</a>]</code></p>
+<p>Arbitrary client-supplied strings can be written to the error log
+ which can allow exploits of certain terminal emulators.<br />
+ <code>[<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020">CAN-2003-0020</a>]</code></p>
+<p>A remotely triggered memory leak in mod_ssl can allow a denial
+ of service attack due to excessive memory consumption.<br />
+ <code>[<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0113">CAN-2004-0113</a>]</code></p>
<p>For further details, see the <a href="http://www.apache.org/dist/httpd/Announcement2.html">announcement</a>.</p>
<p align="center">
<a href="download.cgi">Download</a> |
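Review bot: the three new CVE links use two different hosts: the CAN-2004-0174 entry links to `http://cve.mitre.org/...` while the CAN-2003-0020 and CAN-2004-0113 entries link to `http://www.cve.mitre.org/...`; the removed 2.0.48 entries used `cve.mitre.org` throughout, so pick one host for all three. Same mismatch is present in the xdocs/index.xml hunk, which is where it should be corrected first.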
1.53 +17 -10 httpd-site/xdocs/index.xml
Index: index.xml
===================================================================
RCS file: /home/cvs/httpd-site/xdocs/index.xml,v
retrieving revision 1.52
retrieving revision 1.53
diff -u -r1.52 -r1.53
--- index.xml 24 Nov 2003 06:26:21 -0000 1.52
+++ index.xml 19 Mar 2004 21:51:20 -0000 1.53
@@ -69,8 +69,8 @@
</p>
</section>
-<section id="2.0.48">
-<title>Apache 2.0.48 Released</title>
+<section id="2.0.49">
+<title>Apache 2.0.49 Released</title>
<p>The Apache HTTP Server Project is proud to <a
href="http://www.apache.org/dist/httpd/Announcement2.html">announce</a> the
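Review bot: the `<section id="2.0.48">` to `<section id="2.0.49">` change mirrors the anchor rename in docs/index.html in this same commit, so the two files stay in step; if a `2.0.48` anchor is to be kept for old links, add it here in the xdocs source rather than only in the HTML.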
@@ -79,15 +79,22 @@
</p>
<p>This version of Apache is principally a bug fix release. Of particular
- note is that 2.0.48 addresses two security vulnerabilities:</p>
+ note is that 2.0.49 addresses three security vulnerabilities:</p>
-<p>mod_cgid mishandling of CGI redirect paths could result in CGI output
- going to the wrong client when a threaded MPM is used.<br />
- <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789">CAN-2003-0789</a>]</code></p>
-
-<p>A buffer overflow could occur in mod_alias and mod_rewrite when
- a regular expression with more than 9 captures is configured.<br />
- <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542">CAN-2003-0542</a>]</code></p>
+<p>When using multiple listening sockets, a denial of service attack
+ is possible on some platforms due to a race condition in the
+ handling of short-lived connections. This issue is known to affect
+ some versions of AIX, Solaris, and Tru64; it is known to not affect
+ FreeBSD or Linux.<br/>
+ <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174">CAN-2004-0174</a>]</code></p>
+
+<p>Arbitrary client-supplied strings can be written to the error log
+ which can allow exploits of certain terminal emulators.<br/>
+ <code>[<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020">CAN-2003-0020</a>]</code></p>
+
+<p>A remotely triggered memory leak in mod_ssl can allow a denial
+ of service attack due to excessive memory consumption.<br/>
+ <code>[<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0113">CAN-2004-0113</a>]</code></p>
<p>For further details, see the <a
href="http://www.apache.org/dist/httpd/Announcement2.html">announcement</a>.</p>
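Review bot: the two 2.0.48 advisory paragraphs (CAN-2003-0789 and CAN-2003-0542) are deleted outright rather than moved, so after this commit the front page no longer references them at all; if the page keeps an earlier-releases section, move them there so the advisories stay reachable. Minor wording in the CAN-2004-0174 entry: "it is known to not affect FreeBSD or Linux" reads better as "it is known not to affect FreeBSD or Linux" (applies to the docs/index.html copy as well).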