httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From br...@hyperreal.org
Subject cvs commit: apache-site/dist Announcement.html Announcement.txt
Date Wed, 22 Jul 1998 20:10:08 GMT
brian       98/07/22 13:10:08

  Modified:    dist     Announcement.html Announcement.txt
  Log:
  Get ready for wider announcement.
  
  Revision  Changes    Path
  1.8       +78 -27    apache-site/dist/Announcement.html
  
  Index: Announcement.html
  ===================================================================
  RCS file: /export/home/cvs/apache-site/dist/Announcement.html,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- Announcement.html	1998/06/06 02:52:24	1.7
  +++ Announcement.html	1998/07/22 20:10:07	1.8
  @@ -1,45 +1,96 @@
   <HTML>
   <HEAD>
  -<TITLE>Apache 1.3.0 Released</TITLE>
  +<TITLE>Apache 1.3.1 Released</TITLE>
   </HEAD>
   <BODY>
   
  -<H1>Apache 1.3.0 Released</H1>
  +<H1>Apache 1.3.1 Released</H1>
   
   <P>
  - The Apache Group is pleased to announce the release of the long
  - awaited 1.3.0 version of the Apache HTTP server.  A dozen months,
  - hundreds of patches and over 100 code contributors helped make the
  - release of 1.3.0 a reality.
  +The Apache Group is pleased to announce the release of version 1.3.1 
  +of the Apache HTTP server.  
   
   <P>
  - Apache 1.3.0 is the most stable version of Apache currently available;
  - everyone running 1.2.X servers or earlier should upgrade to 1.3, as we
  - will stop providing support for the 1.2.X tree, though we may make a
  - release of 1.2.7. At present, the Win95/NT port of Apache is not
  - as stable as the UNIX version. Further releases of the 1.3.x tree
  - will bring the Win95/NT port closer to parity.
  +The changes in this release consist of UNIX portability fixes, Win32
  +security issues, and assorted other minor features or fixes.  
   
   <P>
  - To grab the latest Apache distribution, check out
  -     <A HREF="http://www.apache.org/dist/">http://www.apache.org/dist/</A>
  - and the huge list of available "International Mirror Sites" at
  -     <A HREF="http://www.apache.org/mirrors/">http://www.apache.org/mirrors/</A>
  +<B>WE URGE ALL USERS RUNNING ANY PREVIOUS VERSION OF APACHE ON WIN32
  +TO UPGRADE IMMEDIATELY.</B>
   
  -<P> 
  - For an overview of new features in 1.3 please read see
  +<P>
  +Users on other platforms should review the CHANGES file and decide
  +on their upgrade plans; the security issues apply only to Apache
  +on Win32.  We consider Apache 1.3.1 to be the most stable version
  +of Apache available.
  +
  +<P>
  +Apache 1.3.1 is available for download from
   
  -     <A HREF="http://www.apache.org/docs/new_features_1_3.html">
  -     http://www.apache.org/docs/new_features_1_3.html</A>
  +<UL>
  +	<A HREF="http://www.apache.org/dist/">http://www.apache.org/dist/</A>
  +</UL>
   
   <P>
  - In general, Apache 1.3.0 offers several substantial improvements
  - over previous versions, including better performance, reliability
  - and a wider-range of supported platforms, including Windows95 and
  - NT.
  +Please see the CHANGES file in the same directory for a full list of 
  +changes.  The distribution is also available via any of the mirrors
  +listed at
  +
  +<UL>
  +	<A HREF="http://www.apache.org/mirrors/">http://www.apache.org/mirrors/</A>
  +</UL>
  +
  +<P>
  +For an overview of new features in 1.3 please see
  +
  +<UL>
  +	<A HREF="http://www.apache.org/docs/new_features_1_3.html">http://www.apache.org/docs/new_features_1_3.html</A>
  +</UL>
   
   <P>
  - Apache is the most popular web-server in the known universe; over
  - half of the servers on the Internet are running Apache or one of its
  - variants.
  +In general, Apache 1.3 offers several substantial improvements
  +over version 1.2, including better performance, reliability
  +and a wider-range of supported platforms, including Windows 95 and
  +NT (which both fall under the "Win32" label).
   
  +<P>
  +Apache is the most popular web-server in the known universe; over
  +half of the servers on the Internet are running Apache or one of its
  +variants.
  +
  +<P>
  +<B>IMPORTANT NOTE FOR WIN32 USERS:</B> Over the years, many users have
  +come to trust Apache as a secure and stable server.  It must
  +be realized that the current Win32 code has not yet reached these
  +levels and should still be considered to be of beta quality.  Any
  +Win32 stability or security problems do not impact, in any way,
  +Apache on other platforms.  With the continued donation of time
  +and resources by individuals and companies, we hope that the Win32
  +version of Apache will grow stronger through the 1.3.x release
  +cycle.
  +
  +<P>Versions of Apache on Win32 prior to version 1.3.1 are vulnerable
  +to a number of security holes common to several Win32 servers.
  +The problems that impact Apache include:
  +
  +<UL>
  +	<LI> trailing "."s are ignored by the file system.  This allowed
  +	  certain types of access restrictions to be bypassed.
  +	<LI>directory names of three or more dots (eg. "...") are
  +    	  considered to be valid similar to "..".  This allowed people
  +	  to gain access to files outside of the configured document
  +	  trees.
  +</UL>
  +
  +<P>
  +There have been at least four other similar instances of the same
  +basic problem: on Win32, there is more than one name for a file.
  +Some of these names are poorly documented or undocumented, and even
  +Microsoft's own IIS has been vulnerable to many of these problems.
  +This behavior of the Win32 file system and API makes it very difficult
  +to insure future security; problems of this type have been known
  +about for years, however each specific instance has been discovered
  +individually.  It is unknown if there are other, yet unpublicized,
  +filename variants.  As a result, we recommend that you use extreme
  +caution when dealing with access restrictions on all Win32 web
  +servers.
  
  
  
  1.4       +70 -30    apache-site/dist/Announcement.txt
  
  Index: Announcement.txt
  ===================================================================
  RCS file: /export/home/cvs/apache-site/dist/Announcement.txt,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- Announcement.txt	1998/06/06 02:52:24	1.3
  +++ Announcement.txt	1998/07/22 20:10:07	1.4
  @@ -1,32 +1,72 @@
  +Apache 1.3.1 Released
  +=====================
   
  - Apache 1.3.0 Released
  - =====================
  +The Apache Group is pleased to announce the release of version 1.3.1 
  +of the Apache HTTP server.  
   
  - The Apache Group is pleased to announce the release of the long
  - awaited 1.3.0 version of the Apache HTTP server.  A dozen months,
  - hundreds of patches and over 100 code contributors helped make the
  - release of 1.3.0 a reality.
  -
  - Apache 1.3.0 is the most stable version of Apache currently available;
  - everyone running 1.2.X servers or earlier should upgrade to 1.3, as we
  - will stop providing support for the 1.2.X tree, though we may make a
  - release of 1.2.7. At present, the Win95/NT port of Apache is not
  - as stable as the UNIX version. Further releases of the 1.3.x tree
  - will bring the Win95/NT port closer to parity.
  -
  - To grab the latest Apache distribution, check out
  -     http://www.apache.org/dist/
  - and the huge list of available "International Mirror Sites" at
  -     http://www.apache.org/mirrors/
  -
  - For an overview of new features in 1.3 please read see
  -     http://www.apache.org/docs/new_features_1_3.html
  -
  - In general, Apache 1.3.0 offers several substantial improvements
  - over previous versions, including better performance, reliability
  - and a wider-range of supported platforms, including Windows95 and
  - NT.
  -
  - Apache is the most popular web-server in the known universe; over
  - half of the servers on the Internet are running Apache or one of its
  - variants.
  +The changes in this release consist of UNIX portability fixes, Win32
  +security issues, and assorted other minor features or fixes.  
  +
  +WE URGE ALL USERS RUNNING ANY PREVIOUS VERSION OF APACHE ON WIN32
  +TO UPGRADE IMMEDIATELY.
  +
  +Users on other platforms should review the CHANGES file and decide
  +on their upgrade plans; the security issues apply only to Apache
  +on Win32.  We consider Apache 1.3.1 to be the most stable version
  +of Apache available.
  +
  +Apache 1.3.1 is available for download from
  +
  +	http://www.apache.org/dist/
  +
  +Please see the CHANGES file in the same directory for a full list of 
  +changes.  The distribution is also available via any of the mirrors
  +listed at
  +
  +	http://www.apache.org/mirrors/
  +
  +For an overview of new features in 1.3 please see
  +
  +	http://www.apache.org/docs/new_features_1_3.html
  +
  +In general, Apache 1.3 offers several substantial improvements
  +over version 1.2, including better performance, reliability
  +and a wider-range of supported platforms, including Windows 95 and
  +NT (which both fall under the "Win32" label).
  +
  +Apache is the most popular web-server in the known universe; over
  +half of the servers on the Internet are running Apache or one of its
  +variants.
  +
  +IMPORTANT NOTE FOR WIN32 USERS: Over the years, many users have
  +come to trust Apache as a secure and stable server.  It must
  +be realized that the current Win32 code has not yet reached these
  +levels and should still be considered to be of beta quality.  Any
  +Win32 stability or security problems do not impact, in any way,
  +Apache on other platforms.  With the continued donation of time
  +and resources by individuals and companies, we hope that the Win32
  +version of Apache will grow stronger through the 1.3.x release
  +cycle.
  +
  +Versions of Apache on Win32 prior to version 1.3.1 are vulnerable
  +to a number of security holes common to several Win32 servers.
  +The problems that impact Apache include:
  +
  +	- trailing "."s are ignored by the file system.  This allowed
  +	  certain types of access restrictions to be bypassed.
  +	- directory names of three or more dots (eg. "...") are
  +    	  considered to be valid similar to "..".  This allowed people
  +	  to gain access to files outside of the configured document
  +	  trees.
  +
  +There have been at least four other similar instances of the same
  +basic problem: on Win32, there is more than one name for a file.
  +Some of these names are poorly documented or undocumented, and even
  +Microsoft's own IIS has been vulnerable to many of these problems.
  +This behavior of the Win32 file system and API makes it very difficult
  +to insure future security; problems of this type have been known
  +about for years, however each specific instance has been discovered
  +individually.  It is unknown if there are other, yet unpublicized,
  +filename variants.  As a result, we recommend that you use extreme
  +caution when dealing with access restrictions on all Win32 web
  +servers.
  
  
  

Mime
View raw message