Return-Path: Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 72327 invoked by uid 500); 21 Mar 2002 22:15:42 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 72314 invoked by uid 500); 21 Mar 2002 22:15:41 -0000 Delivered-To: apmail-httpd-dist-cvs@apache.org Date: 21 Mar 2002 22:15:41 -0000 Message-ID: <20020321221541.93914.qmail@icarus.apache.org> From: wrowe@apache.org To: httpd-dist-cvs@apache.org Subject: cvs commit: httpd-dist/binaries/win32 README.html HEADER.html X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N wrowe 02/03/21 14:15:40 Modified: binaries/win32 README.html HEADER.html Log: Mr. Stoddard's observation about the XP security 'hole' in corruption, more details about what-and-why for .24. Revision Changes Path 1.15 +14 -8 httpd-dist/binaries/win32/README.html Index: README.html =================================================================== RCS file: /home/cvs/httpd-dist/binaries/win32/README.html,v retrieving revision 1.14 retrieving revision 1.15 diff -u -r1.14 -r1.15 --- README.html 21 Mar 2002 06:42:20 -0000 1.14 +++ README.html 21 Mar 2002 22:15:40 -0000 1.15 @@ -25,7 +25,10 @@ may result in corrupted output. You may not see this in MSIE, which tends to throw any error in the 'Cannot find server or DNS Error' category, rather than display the corruption. You will only see this corruption over slower - links, testing the local loopback generally reveals no corruption.

+ links, testing the local loopback generally reveals no corruption. This is + a potential security risk, since the random, corrupt data served may come + from anywhere, such as the cache of buffered file pages, and these may + include sensitive contents.

If you receive such errors on Windows XP using SSI scripting or PHP scripts, but not static pages, you are probably a victim of this bug. It has been @@ -34,7 +37,7 @@ issue, you should be able to obtain this hotfix citing this [yet unpublished] Knowledge Base article.

-

The current stable release is Apache 1.3.23

+

The current stable release is Apache 1.3.24

Since Apache version 1.3.22, a full setup package (.exe) containing the Win9x/WinNT Microsoft System Installer installer is available. If the @@ -60,9 +63,10 @@ been a number of essential bug and security fixes to the evolving support for Win32 under Apache. Most critically, there were potential denial of service attacks affecting Win32 that were closed with - the release of 1.3.22. 1.3.23 fixes further problems.

+ the release of 1.3.22, and 1.3.24 closes a serious vulnerability + in CGI invocation of .bat and .cmd scripts.

-

The current BETA Release is Apache 2.0.32

+

The previous BETA Release was Apache 2.0.32

Apache 2.0.32 was released as a BETA. That means it is NOT yet production-stable code. After one week, we pulled the .msi installer @@ -75,10 +79,12 @@

The 2.0.32 port also contained a significant bug in parsing or transmission of larger files in some cases. This is an extremely obvious bug when it's triggered, the side effect is usually a GP fault. The server also could not - start on any NT installation running Terminal Services. Both bugs are fixed - for the next, 2.0.33 release. Knowing all that, if you still insist on trying - the beta while waiting for .32, you can find it in the .old URI hiding below - this location, with the other Win32 packages we do not recommend.

+ start on any NT installation running Terminal Services. Finally, this release + included the .bat/.cmd parsing vulnerability corrected in 1.3.24. These bugs + will all be corrected with the next 2.0 beta. Knowing all that, if you still + insist on trying the beta while waiting for the next, good release, you can + find 2.0.32 in the /dist/httpd/binaries/win32/.old/ location, with the other + old Win32 packages we do not recommend.

If you discover a bug, first research carefully if it has been already

  • Windows 95 Apache Users Read This First
  • Windows XP Apache Users Read This First
  • -
  • The current stable release is Apache 1.3.23
  • -
  • The current beta release is Apache 2.0.32
  • +
  • The current stable release is Apache 1.3.24
  • +
  • The previous beta release was Apache 2.0.32
  • MSI Binary Distribution Packages
  • Troubleshooting MSI Installation Problems
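Review bot: In the first README.html hunk (@@ -25,7 +25,10 @@), the new security sentence is appended to the end of the paragraph about MSIE masking the corruption, where an XP operator skimming for symptoms can easily miss it. Suggest moving "This is a potential security risk, since the random, corrupt data served may come from anywhere ..." into its own paragraph. The page should also say in that same place that the hotfix mentioned in the following paragraph is the remedy, since as written the risk and the fix are described separately.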
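Review bot: In the README.html hunk at @@ -60,9 +63,10 @@, the replacement text drops the earlier statement "1.3.23 fixes further problems" and introduces "a serious vulnerability in CGI invocation of .bat and .cmd scripts" without saying which earlier releases are affected or what a reader still running one should do. Suggest keeping the 1.3.23 note, stating the affected versions, and telling users to move to 1.3.24, with a pointer to the release announcement or changelog entry if one exists.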
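Review bot: In the README.html hunk at @@ -75,10 +79,12 @@, the text now states that 2.0.32 "included the .bat/.cmd parsing vulnerability corrected in 1.3.24" and then gives the full /dist/httpd/binaries/win32/.old/ path to that build, with "we do not recommend" as the only caution. For a package with a known, uncorrected vulnerability the wording should be firmer, for example by saying the build must not be used where CGI is enabled. The heading also changes from "current" to "previous" beta, but nothing states that there is currently no recommended 2.0 beta for Win32; say so explicitly. The phrase "the next, good release" is ambiguous and "the next beta" would match the sentence before it.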
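Review bot: In the HEADER.html list, the renamed entry reads "The previous beta release was Apache 2.0.32" while the matching README.html heading reads "The previous BETA Release was Apache 2.0.32". Use the same capitalization in both so the index entry and the section it points to can be matched at a glance.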