Posted to cvs@httpd.apache.org by wr...@apache.org on 2005/10/10 21:34:23 UTC

svn commit: r312720 - /httpd/httpd/dist/Announcement2.0.txt

Author: wrowe
Date: Mon Oct 10 12:34:21 2005
New Revision: 312720

URL: http://svn.apache.org/viewcvs?rev=312720&view=rev
Log:

  Presented for comments and changes; .html will be updated
  once this document is complete.

Modified:
    httpd/httpd/dist/Announcement2.0.txt

Modified: httpd/httpd/dist/Announcement2.0.txt
URL: http://svn.apache.org/viewcvs/httpd/httpd/dist/Announcement2.0.txt?rev=312720&r1=312719&r2=312720&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement2.0.txt (original)
+++ httpd/httpd/dist/Announcement2.0.txt Mon Oct 10 12:34:21 2005
@@ -1,28 +1,80 @@
 
-                   Apache HTTP Server 2.0.54 Released
+                   Apache HTTP Server 2.0.55 Released
 
    The Apache Software Foundation and The Apache HTTP Server Project are
-   pleased to announce the release of version 2.0.54 of the Apache HTTP
+   pleased to announce the release of version 2.0.55 of the Apache HTTP
    Server ("Apache").  This Announcement notes the significant changes
-   in 2.0.54 as compared to 2.0.54. The Announcement is also available in
+   in 2.0.55 as compared to 2.0.55. The Announcement is also available in
    German and Japanese from:
 
-        http://www.apache.org/dist/httpd/Announcement2.txt.de
-        http://www.apache.org/dist/httpd/Announcement2.txt.ja
+        http://www.apache.org/dist/httpd/Announcement2.0.txt.de
+        http://www.apache.org/dist/httpd/Announcement2.0.txt.ja
 
-   This version of Apache is principally a bug fix release.
+   This version of Apache is principally a security release.  The
+   following potential security flaws are addressed, the first three 
+   of which address several classes of HTTP Request and Response 
+   Splitting/Spoofing attacks;
+
+   CAN-2005-2088 (cve.mitre.org)
+
+     core: If a request contains both Transfer-Encoding and Content-Length
+     headers, remove the Content-Length.
+
+     proxy_http: Correctly handle the Transfer-Encoding and Content-Length
+     request headers.  Discard the request Content-Length whenever chunked
+     T-E is used, always passing one of either C-L or T-E chunked whenever 
+     the request includes a request body.
+
+   Unassigned
+
+     proxy_http: If a response contains both Transfer-Encoding and a 
+     Content-Length, remove the Content-Length and don't reuse the
+     connection.
+
+   CAN-2005-2700 (cve.mitre.org)
+
+     mod_ssl: Fix a security issue where "SSLVerifyClient" was not
+     enforced in per-location context if "SSLVerifyClient optional"
+     was configured in the vhost configuration.
+
+   CAN-2005-2491 (cve.mitre.org)
+ 
+     pcre: Fix integer overflows in PCRE in quantifier parsing which 
+     could be triggered by a local user through use of a carefully
+     crafted regex in an .htaccess file.
+
+   CAN-2005-2728 (cve.mitre.org)
+
+     Fix cases where the byterange filter would buffer responses
+     into memory.
+
+   CAN-2005-1268 (cve.mitre.org)
+
+     mod_ssl: Fix off-by-one overflow whilst printing CRL information
+     at "LogLevel debug" which could be triggered if configured 
+     to use a "malicious" CRL.
+
+   The Apache HTTP Project thanks all of the reporters of these
+   issues and vulnerabilities for the responsible reporting and
+   thorough analysis of these vulnerabilities.
+
+   This release further addresses a number of cross-platform bugs,
+   as well as specific issues on OS/X 10.4, Win32, AIX as well as
+   all EBCDIC platforms, and adds compatibility with OpenSSL 0.9.8.
 
    This release is compatible with modules compiled for 2.0.42 and
-   later versions.  We consider this release to be the best version of
-   Apache available and encourage users of all prior versions to
+   later versions.  We consider this release to be the best version
+   of Apache available and encourage users of all prior versions to
    upgrade.
 
-   Apache HTTP Server 2.0.54 is available for download from
+   Apache HTTP Server 2.0.55 is available for download from
 
      http://httpd.apache.org/download.cgi
 
    Please see the CHANGES_2.0 file, linked from the above page, for
-   a full list of changes.
+   a full list of changes.  A condensed list, CHANGES_2.0.55 provides
+   the complete list of changes since 2.0.54, including changes to 
+   the APR suite of libraries.
 
    Apache 2.0 offers numerous enhancements, improvements, and performance
    boosts over the 1.3 codebase.  For an overview of new features introduced
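Review bot: the comparison sentence in the opening paragraph now reads "in 2.0.55 as compared to 2.0.55"; the second version number should be 2.0.54, otherwise the release is described as compared with itself. Smaller points in the same hunk: the list lead-in ends with a semicolon ("Splitting/Spoofing attacks;") where a colon is intended; "The Apache HTTP Project" in the thanks paragraph is inconsistent with "The Apache HTTP Server Project" used above, and that sentence repeats "vulnerabilities" twice; "A condensed list, CHANGES_2.0.55 provides the complete list" is contradictory as worded (condensed vs. complete) and is missing a comma after the file name, so consider "The shorter CHANGES_2.0.55 file lists only the changes since 2.0.54, including changes to the APR suite of libraries." Several added lines also carry trailing whitespace.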
@@ -31,9 +83,9 @@
      http://httpd.apache.org/docs-2.0/new_features_2_0.html
 
    When upgrading or installing this version of Apache, please keep
-   in mind the following:
-   If you intend to use Apache with one of the threaded MPMs, you must
-   ensure that the modules (and the libraries they depend on) that you
-   will be using are thread-safe.  Please contact the vendors of these
-   modules to obtain this information.
+   in mind the following:  If you intend to use Apache with one of the 
+   threaded MPMs, you must ensure that the modules (and the libraries 
+   they depend on) that you will be using are thread-safe.  Please 
+   refer to the documentation of these modules and libraries to obtain 
+   this information.
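Review bot: the reflowed lines in this hunk ("one of the ", "libraries ", "Please ", "obtain ") carry trailing whitespace; trimming it keeps the announcement text consistent with the rest of the file. The wording change from "contact the vendors" to "refer to the documentation of these modules and libraries" reads fine.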