Posted to cvs@httpd.apache.org by br...@hyperreal.org on 1998/07/22 22:10:08 UTC
cvs commit: apache-site/dist Announcement.html Announcement.txt
brian 98/07/22 13:10:08
Modified: dist Announcement.html Announcement.txt
Log:
Get ready for wider announcement.
Revision Changes Path
1.8 +78 -27 apache-site/dist/Announcement.html
Index: Announcement.html
===================================================================
RCS file: /export/home/cvs/apache-site/dist/Announcement.html,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- Announcement.html 1998/06/06 02:52:24 1.7
+++ Announcement.html 1998/07/22 20:10:07 1.8
@@ -1,45 +1,96 @@
<HTML>
<HEAD>
-<TITLE>Apache 1.3.0 Released</TITLE>
+<TITLE>Apache 1.3.1 Released</TITLE>
</HEAD>
<BODY>
-<H1>Apache 1.3.0 Released</H1>
+<H1>Apache 1.3.1 Released</H1>
<P>
- The Apache Group is pleased to announce the release of the long
- awaited 1.3.0 version of the Apache HTTP server. A dozen months,
- hundreds of patches and over 100 code contributors helped make the
- release of 1.3.0 a reality.
+The Apache Group is pleased to announce the release of version 1.3.1
+of the Apache HTTP server.
<P>
- Apache 1.3.0 is the most stable version of Apache currently available;
- everyone running 1.2.X servers or earlier should upgrade to 1.3, as we
- will stop providing support for the 1.2.X tree, though we may make a
- release of 1.2.7. At present, the Win95/NT port of Apache is not
- as stable as the UNIX version. Further releases of the 1.3.x tree
- will bring the Win95/NT port closer to parity.
+The changes in this release consist of UNIX portability fixes, Win32
+security issues, and assorted other minor features or fixes.
<P>
- To grab the latest Apache distribution, check out
- <A HREF="http://www.apache.org/dist/">http://www.apache.org/dist/</A>
- and the huge list of available "International Mirror Sites" at
- <A HREF="http://www.apache.org/mirrors/">http://www.apache.org/mirrors/</A>
+<B>WE URGE ALL USERS RUNNING ANY PREVIOUS VERSION OF APACHE ON WIN32
+TO UPGRADE IMMEDIATELY.</B>
-<P>
- For an overview of new features in 1.3 please read see
+<P>
+Users on other platforms should review the CHANGES file and decide
+on their upgrade plans; the security issues apply only to Apache
+on Win32. We consider Apache 1.3.1 to be the most stable version
+of Apache available.
+
+<P>
+Apache 1.3.1 is available for download from
- <A HREF="http://www.apache.org/docs/new_features_1_3.html">
- http://www.apache.org/docs/new_features_1_3.html</A>
+<UL>
+ <A HREF="http://www.apache.org/dist/">http://www.apache.org/dist/</A>
+</UL>
<P>
- In general, Apache 1.3.0 offers several substantial improvements
- over previous versions, including better performance, reliability
- and a wider-range of supported platforms, including Windows95 and
- NT.
+Please see the CHANGES file in the same directory for a full list of
+changes. The distribution is also available via any of the mirrors
+listed at
+
+<UL>
+ <A HREF="http://www.apache.org/mirrors/">http://www.apache.org/mirrors/</A>
+</UL>
+
+<P>
+For an overview of new features in 1.3 please see
+
+<UL>
+ <A HREF="http://www.apache.org/docs/new_features_1_3.html">http://www.apache.org/docs/new_features_1_3.html</A>
+</UL>
<P>
- Apache is the most popular web-server in the known universe; over
- half of the servers on the Internet are running Apache or one of its
- variants.
+In general, Apache 1.3 offers several substantial improvements
+over version 1.2, including better performance, reliability
+and a wider-range of supported platforms, including Windows 95 and
+NT (which both fall under the "Win32" label).
+<P>
+Apache is the most popular web-server in the known universe; over
+half of the servers on the Internet are running Apache or one of its
+variants.
+
+<P>
+<B>IMPORTANT NOTE FOR WIN32 USERS:</B> Over the years, many users have
+come to trust Apache as a secure and stable server. It must
+be realized that the current Win32 code has not yet reached these
+levels and should still be considered to be of beta quality. Any
+Win32 stability or security problems do not impact, in any way,
+Apache on other platforms. With the continued donation of time
+and resources by individuals and companies, we hope that the Win32
+version of Apache will grow stronger through the 1.3.x release
+cycle.
+
+<P>Versions of Apache on Win32 prior to version 1.3.1 are vulnerable
+to a number of security holes common to several Win32 servers.
+The problems that impact Apache include:
+
+<UL>
+ <LI> trailing "."s are ignored by the file system. This allowed
+ certain types of access restrictions to be bypassed.
+ <LI>directory names of three or more dots (eg. "...") are
+ considered to be valid similar to "..". This allowed people
+ to gain access to files outside of the configured document
+ trees.
+</UL>
+
+<P>
+There have been at least four other similar instances of the same
+basic problem: on Win32, there is more than one name for a file.
+Some of these names are poorly documented or undocumented, and even
+Microsoft's own IIS has been vulnerable to many of these problems.
+This behavior of the Win32 file system and API makes it very difficult
+to insure future security; problems of this type have been known
+about for years, however each specific instance has been discovered
+individually. It is unknown if there are other, yet unpublicized,
+filename variants. As a result, we recommend that you use extreme
+caution when dealing with access restrictions on all Win32 web
+servers.
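Review bot: The three new <UL> blocks around the dist, mirrors and new_features_1_3 links each hold a bare <A> with no <LI>, so the list element is used only to indent the link and the markup is not valid HTML. Either make each link a list item (<LI><A HREF="...">...</A>) or use <BLOCKQUOTE> for the indentation. The two items in the vulnerability list further down do use <LI>, so the three link blocks are the only ones that need changing.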
1.4 +70 -30 apache-site/dist/Announcement.txt
Index: Announcement.txt
===================================================================
RCS file: /export/home/cvs/apache-site/dist/Announcement.txt,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- Announcement.txt 1998/06/06 02:52:24 1.3
+++ Announcement.txt 1998/07/22 20:10:07 1.4
@@ -1,32 +1,72 @@
+Apache 1.3.1 Released
+=====================
- Apache 1.3.0 Released
- =====================
+The Apache Group is pleased to announce the release of version 1.3.1
+of the Apache HTTP server.
- The Apache Group is pleased to announce the release of the long
- awaited 1.3.0 version of the Apache HTTP server. A dozen months,
- hundreds of patches and over 100 code contributors helped make the
- release of 1.3.0 a reality.
-
- Apache 1.3.0 is the most stable version of Apache currently available;
- everyone running 1.2.X servers or earlier should upgrade to 1.3, as we
- will stop providing support for the 1.2.X tree, though we may make a
- release of 1.2.7. At present, the Win95/NT port of Apache is not
- as stable as the UNIX version. Further releases of the 1.3.x tree
- will bring the Win95/NT port closer to parity.
-
- To grab the latest Apache distribution, check out
- http://www.apache.org/dist/
- and the huge list of available "International Mirror Sites" at
- http://www.apache.org/mirrors/
-
- For an overview of new features in 1.3 please read see
- http://www.apache.org/docs/new_features_1_3.html
-
- In general, Apache 1.3.0 offers several substantial improvements
- over previous versions, including better performance, reliability
- and a wider-range of supported platforms, including Windows95 and
- NT.
-
- Apache is the most popular web-server in the known universe; over
- half of the servers on the Internet are running Apache or one of its
- variants.
+The changes in this release consist of UNIX portability fixes, Win32
+security issues, and assorted other minor features or fixes.
+
+WE URGE ALL USERS RUNNING ANY PREVIOUS VERSION OF APACHE ON WIN32
+TO UPGRADE IMMEDIATELY.
+
+Users on other platforms should review the CHANGES file and decide
+on their upgrade plans; the security issues apply only to Apache
+on Win32. We consider Apache 1.3.1 to be the most stable version
+of Apache available.
+
+Apache 1.3.1 is available for download from
+
+ http://www.apache.org/dist/
+
+Please see the CHANGES file in the same directory for a full list of
+changes. The distribution is also available via any of the mirrors
+listed at
+
+ http://www.apache.org/mirrors/
+
+For an overview of new features in 1.3 please see
+
+ http://www.apache.org/docs/new_features_1_3.html
+
+In general, Apache 1.3 offers several substantial improvements
+over version 1.2, including better performance, reliability
+and a wider-range of supported platforms, including Windows 95 and
+NT (which both fall under the "Win32" label).
+
+Apache is the most popular web-server in the known universe; over
+half of the servers on the Internet are running Apache or one of its
+variants.
+
+IMPORTANT NOTE FOR WIN32 USERS: Over the years, many users have
+come to trust Apache as a secure and stable server. It must
+be realized that the current Win32 code has not yet reached these
+levels and should still be considered to be of beta quality. Any
+Win32 stability or security problems do not impact, in any way,
+Apache on other platforms. With the continued donation of time
+and resources by individuals and companies, we hope that the Win32
+version of Apache will grow stronger through the 1.3.x release
+cycle.
+
+Versions of Apache on Win32 prior to version 1.3.1 are vulnerable
+to a number of security holes common to several Win32 servers.
+The problems that impact Apache include:
+
+ - trailing "."s are ignored by the file system. This allowed
+ certain types of access restrictions to be bypassed.
+ - directory names of three or more dots (eg. "...") are
+ considered to be valid similar to "..". This allowed people
+ to gain access to files outside of the configured document
+ trees.
+
+There have been at least four other similar instances of the same
+basic problem: on Win32, there is more than one name for a file.
+Some of these names are poorly documented or undocumented, and even
+Microsoft's own IIS has been vulnerable to many of these problems.
+This behavior of the Win32 file system and API makes it very difficult
+to insure future security; problems of this type have been known
+about for years, however each specific instance has been discovered
+individually. It is unknown if there are other, yet unpublicized,
+filename variants. As a result, we recommend that you use extreme
+caution when dealing with access restrictions on all Win32 web
+servers.
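Review bot: The added vulnerability paragraphs say that trailing dots allowed "certain types of access restrictions to be bypassed" and that there have been "at least four other similar instances", but name neither the kind of restriction affected nor the other instances, so a Win32 administrator cannot tell from the announcement whether their own configuration was exposed. Suggest naming the affected restrictions or pointing to the relevant CHANGES entries, which the text already references for the full change list. Two wording points in the same hunk: "The changes in this release consist of ... Win32 security issues" reads as though the release ships the issues rather than fixes for them, and "to insure future security" should be "to ensure future security".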