Posted to cvs@httpd.apache.org by wr...@apache.org on 2005/10/10 21:34:23 UTC
svn commit: r312720 - /httpd/httpd/dist/Announcement2.0.txt
Author: wrowe
Date: Mon Oct 10 12:34:21 2005
New Revision: 312720
URL: http://svn.apache.org/viewcvs?rev=312720&view=rev
Log:
Presented for comments and changes; .html will be updated
once this document is complete.
Modified:
httpd/httpd/dist/Announcement2.0.txt
Modified: httpd/httpd/dist/Announcement2.0.txt
URL: http://svn.apache.org/viewcvs/httpd/httpd/dist/Announcement2.0.txt?rev=312720&r1=312719&r2=312720&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement2.0.txt (original)
+++ httpd/httpd/dist/Announcement2.0.txt Mon Oct 10 12:34:21 2005
@@ -1,28 +1,80 @@
- Apache HTTP Server 2.0.54 Released
+ Apache HTTP Server 2.0.55 Released
The Apache Software Foundation and The Apache HTTP Server Project are
- pleased to announce the release of version 2.0.54 of the Apache HTTP
+ pleased to announce the release of version 2.0.55 of the Apache HTTP
Server ("Apache"). This Announcement notes the significant changes
- in 2.0.54 as compared to 2.0.54. The Announcement is also available in
+ in 2.0.55 as compared to 2.0.55. The Announcement is also available in
German and Japanese from:
- http://www.apache.org/dist/httpd/Announcement2.txt.de
- http://www.apache.org/dist/httpd/Announcement2.txt.ja
+ http://www.apache.org/dist/httpd/Announcement2.0.txt.de
+ http://www.apache.org/dist/httpd/Announcement2.0.txt.ja
- This version of Apache is principally a bug fix release.
+ This version of Apache is principally a security release. The
+ following potential security flaws are addressed, the first three
+ of which address several classes of HTTP Request and Response
+ Splitting/Spoofing attacks;
+
+ CAN-2005-2088 (cve.mitre.org)
+
+ core: If a request contains both Transfer-Encoding and Content-Length
+ headers, remove the Content-Length.
+
+ proxy_http: Correctly handle the Transfer-Encoding and Content-Length
+ request headers. Discard the request Content-Length whenever chunked
+ T-E is used, always passing one of either C-L or T-E chunked whenever
+ the request includes a request body.
+
+ Unassigned
+
+ proxy_http: If a response contains both Transfer-Encoding and a
+ Content-Length, remove the Content-Length and don't reuse the
+ connection.
+
+ CAN-2005-2700 (cve.mitre.org)
+
+ mod_ssl: Fix a security issue where "SSLVerifyClient" was not
+ enforced in per-location context if "SSLVerifyClient optional"
+ was configured in the vhost configuration.
+
+ CAN-2005-2491 (cve.mitre.org)
+
+ pcre: Fix integer overflows in PCRE in quantifier parsing which
+ could be triggered by a local user through use of a carefully
+ crafted regex in an .htaccess file.
+
+ CAN-2005-2728 (cve.mitre.org)
+
+ Fix cases where the byterange filter would buffer responses
+ into memory.
+
+ CAN-2005-1268 (cve.mitre.org)
+
+ mod_ssl: Fix off-by-one overflow whilst printing CRL information
+ at "LogLevel debug" which could be triggered if configured
+ to use a "malicious" CRL.
+
+ The Apache HTTP Project thanks all of the reporters of these
+ issues and vulnerabilities for the responsible reporting and
+ thorough analysis of these vulnerabilities.
+
+ This release further addresses a number of cross-platform bugs,
+ as well as specific issues on OS/X 10.4, Win32, AIX as well as
+ all EBCDIC platforms, and adds compatibility with OpenSSL 0.9.8.
This release is compatible with modules compiled for 2.0.42 and
- later versions. We consider this release to be the best version of
- Apache available and encourage users of all prior versions to
+ later versions. We consider this release to be the best version
+ of Apache available and encourage users of all prior versions to
upgrade.
- Apache HTTP Server 2.0.54 is available for download from
+ Apache HTTP Server 2.0.55 is available for download from
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.0 file, linked from the above page, for
- a full list of changes.
+ a full list of changes. A condensed list, CHANGES_2.0.55 provides
+ the complete list of changes since 2.0.54, including changes to
+ the APR suite of libraries.
Apache 2.0 offers numerous enhancements, improvements, and performance
boosts over the 1.3 codebase. For an overview of new features introduced
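Review bot: The summary sentence now reads "in 2.0.55 as compared to 2.0.55", which carries over the self-comparison from the old text ("2.0.54 as compared to 2.0.54"); it should name the previous release, i.e. "in 2.0.55 as compared to 2.0.54". In the new security paragraph, "the first three of which" is hard to map onto the list, because those entries sit under two labels (two items under CAN-2005-2088 and one under "Unassigned"); say explicitly which entries are the request/response splitting fixes, and end the lead-in with a colon rather than "attacks;". Smaller points in the same hunk: "The Apache HTTP Project" drops "Server" from the project name used in the opening paragraph, "as well as specific issues on OS/X 10.4, Win32, AIX as well as all EBCDIC platforms" repeats "as well as", and "A condensed list, CHANGES_2.0.55 provides" needs a closing comma after the file name.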
@@ -31,9 +83,9 @@
http://httpd.apache.org/docs-2.0/new_features_2_0.html
When upgrading or installing this version of Apache, please keep
- in mind the following:
- If you intend to use Apache with one of the threaded MPMs, you must
- ensure that the modules (and the libraries they depend on) that you
- will be using are thread-safe. Please contact the vendors of these
- modules to obtain this information.
+ in mind the following: If you intend to use Apache with one of the
+ threaded MPMs, you must ensure that the modules (and the libraries
+ they depend on) that you will be using are thread-safe. Please
+ refer to the documentation of these modules and libraries to obtain
+ this information.
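Review bot: The reflowed text "in mind the following: If you intend to use Apache with one of the" runs the lead-in straight into the caveat, so the colon no longer introduces a visually separate item. If the thread-safety caveat is the only one, drop "the following:" and write it as a single sentence ("please keep in mind that if you intend to use ..."); if more items follow, keep the line break after the colon as the removed lines had it.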