httpd-cvs mailing list archives

From jwool...@apache.org
Subject cvs commit: httpd-site/xdocs Announcement download.xml index.xml
Date Wed, 28 May 2003 05:48:18 GMT
jwoolley    2003/05/27 22:48:18

  Modified:    docs     Announcement download.html index.html
               docs/apreq index.html
               xdocs    Announcement download.xml index.xml
  Log:
  get ready for 2.0.46
  
  Revision  Changes    Path
  1.14      +228 -187  httpd-site/docs/Announcement
  
  Index: Announcement
  ===================================================================
  RCS file: /home/cvs/httpd-site/docs/Announcement,v
  retrieving revision 1.13
  retrieving revision 1.14
  diff -u -d -u -r1.13 -r1.14
  --- Announcement	24 Sep 2002 22:31:08 -0000	1.13
  +++ Announcement	28 May 2003 05:48:18 -0000	1.14
  @@ -1,190 +1,231 @@
  -         Apache 2.0.42 Released
  ---------------------------------------------
   
  -The Apache HTTP Server Project is proud to announce the fifth public
  -release of Apache 2.0.  This is primarily a bug-fix release, including
  -updates to the experimental caching module, the removal of several
  -memory leaks, and fixes for several segfaults, one of which could have
  -been used as a denial-of-service against mod_dav.  A complete list of
  -the changes since 2.0.40 is given at the end of this document.
  +                       Apache 2.0.46 Released
   
  +   The Apache Software Foundation and the Apache HTTP Server Project are
  +   pleased to announce the ninth public release of the Apache 2.0
  +   HTTP Server.  This Announcement notes the significant changes in
  +   2.0.46 as compared to 2.0.45.
   
  -Apache 2.0 offers numerous enhancements, improvements, and performance
  -boosts over the 1.3 codebase.  The most visible and noteworthy addition
  -is the ability to run Apache in a hybrid thread/process mode on any
  -platform that supports both threads and processes.  This has been shown
  -to improve the scalability of the Apache HTTP Server significantly in
  -our testing.  Apache 2.0 also includes support for filtered I/O.  This
  -allows modules to modify the output of other modules before it is
  -sent to the client.  We have also included support for IPv6 on any
  -platform that supports IPv6.
   
  -This version of Apache is known to work on many versions of Unix, BeOS,
  -OS/2, Windows, and Netware.  Because of the many advances in Apache
  -2.0, it is expected to perform equally well on all supported platforms.
  -Apache 2.0 has been running on the apache.org website since December
  -of 2000 and has proven to be very reliable.
  +   This version of Apache is principally a security and bug fix release.
  +   A summary of the bug fixes is given at the end of this document.
  +   Of particular note is that 2.0.46 addresses two security
  +   vulnerabilities:
   
  -Apache has been the most popular web server on the Internet since
  -April of 1996. The August 2002 Web Server Survey by Netcraft (see
  -http://www.netcraft.com/survey/) found that more web servers were
  -using Apache than any other software; Apache runs on more than 63%
  -of the web servers on the Internet.
  +   Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
  +   certain circumstances.  This can be triggered remotely through mod_dav
  +   and possibly other mechanisms.  The crash was originally reported by
  +   David Endler <DEndler@iDefense.com> and was researched and fixed by
  +   Joe Orton <jorton@redhat.com>.  Specific details and an analysis of the
  +   crash will be published Friday, May 30.  No more specific information
  +   is disclosed at this time, but all Apache 2.0 users are encouraged to
  +   upgrade now.
  +   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245]
  +  
  +   Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were
  +   vulnerable to a denial-of-service attack on the basic authentication
  +   module, which was reported by John Hughes <john.hughes@entegrity.com>.
  +   A bug in the configuration scripts caused the apr_password_validate()
  +   function to be thread-unsafe on platforms with crypt_r(), including
  +   AIX and Linux.  All versions of Apache 2.0 have this thread-safety
  +   problem on platforms with no crypt_r() and no thread-safe crypt(),
  +   such as Mac OS X and possibly others.  When using a threaded MPM (which
  +   is not the default on these platforms), this allows remote attackers
  +   to create a denial of service which causes valid usernames and
  +   passwords for Basic Authentication to fail until Apache is restarted.
  +   We do not believe this bug could allow unauthorized users to gain
  +   access to protected resources.
  +   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189]
   
  +   The Apache Software Foundation would like to thank David Endler
  +   and John Hughes for the responsible reporting of these issues.
   
  -We consider this release to be the best version of Apache available
  -and encourage users of all prior versions to upgrade.  When doing so,
  -please keep in mind the following:
   
  -This release is not binary-compatible with previous releases, so all
  -modules need to be recompiled in order to work with this version.  For
  -example, a module compiled to work with 2.0.40 will not work with 2.0.42.
  +   This release is compatible with modules compiled for 2.0.42 and later
  +   versions.  We consider this release to be the best version of Apache
  +   available and encourage users of all prior versions to upgrade.
   
  -If you intend to use Apache with one of the threaded MPMs, you must
  -ensure that the modules (and the libraries they depend on) that you
  -will be using are thread-safe.  Please contact the vendors of
  -these modules to obtain this information.
  +   Apache 2.0.46 is available for download from
   
  +     http://httpd.apache.org/download.cgi
   
  -For more information and to download the release tarballs, please
  -visit http://httpd.apache.org/
  +   Please see the CHANGES_2.0 file, linked from the above page, for
  +   a full list of changes.
   
  +   Apache 2.0 offers numerous enhancements, improvements, and performance
  +   boosts over the 1.3 codebase.  For an overview of new features introduced
  +   after 1.3 please see
   
  -Changes since 2.0.40
  ----------------------------------------------
  +     http://httpd.apache.org/docs-2.0/new_features_2_0.html
   
  -Changes with Apache 2.0.42
  +   When upgrading or installing this version of Apache, please keep
  +   in mind the following:
   
  -  *) mod_dav: Check for versioning hooks before using them.
  -     [Greg Stein]
  +   If you intend to use Apache with one of the threaded MPMs, you must
  +   ensure that the modules (and the libraries they depend on) that you
  +   will be using are thread-safe.  Please contact the vendors of these
  +   modules to obtain this information.
   
  -Changes with Apache 2.0.41
   
  -  *) The protocol version (eg: HTTP/1.1) in the request line parsing
  -     is now case insensitive. [Jim Jagielski]
  +                       Apache 2.0.46 Major changes
   
  -  *) Allow AddOutputFilterByType to add multiple filters per directive.
  -     [Justin Erenkrantz]
  +   Security vulnerabilities closed since Apache 2.0.45
   
  -  *) Remove warnings with Sun's Forte compiler.  [Justin Erenkrantz]
  +    *) SECURITY [CAN-2003-0245]: Fixed a bug that could be triggered
  +       remotely through mod_dav and possibly other mechanisms, causing
  +       an Apache child process to crash.  The crash was first reported
  +       by David Endler <DEndler@iDefense.com> and was researched and
  +       fixed by Joe Orton <jorton@redhat.com>.  Details will be released
  +       on 30 May 2003.
   
  -  *) Fixed mod_disk_cache's generation of 304s
  -     [Kris Verbeeck <Kris.Verbeeck@ubizen.com>]
  +    *) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability
  +       affecting basic authentication on Unix platforms related to
  +       thread-safety in apr_password_validate().  The problem was reported
  +       by John Hughes <john.hughes@entegrity.com>
   
  -  *) Add support for using fnmatch patterns in the final path
  -     segment of an Include statement (eg.. include /foo/bar/*.conf).
  -     and remove the noise on stderr during config dir processing.
  -     [Joe Orton <jorton@redhat.com>]
   
  -  *) mod_cache: cache_storage.c. Add the hostname and any request
  -     args to the key generated for caching. This provides a unique
  -     key for each virtual host and for each request with unique
  -     args. [Paul J. Reder, args code provided by Kris Verbeeck]
  +   Bugs fixed and features added since Apache 2.0.45
   
  -  *) mod_cache: Do not cache responses to GET requests with query
  -     URLs if the origin server does not explicitly provide an
  -     Expires header on the response (RFC 2616 Section 13.9)
  -     [Kris Verbeeck krisv@be.ubizen.com]
  +    *) Fix for mod_dav.  Call the 'can_be_activity' callback, if provided,
  +       when a MKACTIVITY request comes in.
  +       [Ben Collins-Sussman <sussman@collab.net>]
   
  -  *) Fix memory leak in core_output_filter.  [Justin Erenkrantz]
  +    *) Perform run-time query in apxs for apr and apr-util's includes.
  +       [Justin Erenkrantz] 
   
  -  *) Update OpenSSL detection to work on Darwin.
  -     [Sander Temme <sctemme@covalent.net>]
  +    *) run libtool from the apr install directory (in case that is different
  +       from the apache install directory) [Jeff Trawick]
   
  -  *) Update the xslt and css to give the documentation a more
  -     modern style.
  -     [André Malo <nd@perlig.de>, Gernot Winkler <greh@o3media.de>]
  +    *) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]
   
  -  *) Fix some bucket memory leaks in the chunking code
  -     [Joe Schaefer <joe+apache@sunstarsys.com>]
  +    *) If mod_mime_magic does not know the content-type, do not attempt to
  +       guess.  PR 16908.  [Andrew Gapon <agapon@telcordia.com>]
   
  -  *) Add ModMimeUsePathInfo directive.  [Justin Erenkrantz]
  +    *) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session
  +       caching. PR 17864.
  +       [Andreas Leimbacher <andreasl67@yahoo.de>, Madhusudan Mathihalli]
   
  -  *) mod_cache: added support for caching streamed responses (proxy,
  -     CGI, etc) with optional CacheMaxStreamingBuffer setting [Brian Pane]
  +    *) Add a delete flag to htpasswd.
  +       [Thom May]
   
  -  *) Add image/x-icon to httpd.conf PR 10993.
  -     [Ian Holsman, Peter Bieringer <pb@bieringer.de>]
  +    *) Fix mod_rewrite's handling of absolute URIs. The escaping routines
  +       now work scheme dependent and the query string will only be
  +       appended if supported by the particular scheme.  [André Malo]
   
  -  *) Fix FileETags none operation.  PR 12207.
  -     [Justin Erenkrantz, Andrew Ho <andrew@tellme.com>]
  +    *) Add another check for already compressed content in mod_deflate.
  +       PR 19913. [Tsuyoshi SASAMOTO <nazonazo@super.win.ne.jp>]
   
  -  *) Restored the experimental leader/followers MPM to working
  -     condition and converted its thread synchronization from
  -     mutexes to atomic CAS.  [Brian Pane]
  +    *) Fixes for VPATH builds; copying special.mk and any future .mk files 
  +       from the source tree as well as the build tree (now creates a usable
  +       configuration for apxs), and eliminated redundant -I'nclude paths.
  +       [William Rowe]
   
  -  *) Fix Logic on non-html file removal in mod_deflate
  -     [Kris Verbeeck <Kris.Verbeeck@ubizen.com>]
  +    *) Code fixes, constness corrections and ssl_toolkit_compat.h updates
  +       for SSLC and OpenSSL toolkit compatibility.  Still work remains to
  +       be done to cripple features based on the limitations of RSA's binary 
  +       distribution of their SSL-C toolkit.
  +       [William Rowe, Madhusudan Mathihalli, Jeff Trawick]
   
  -  *) Fix "ab -g"'s truncated year: the last digit was cut off.
  -     [Leon Brocard <acme@astray.com>]
  +    *) Linux 2.4+: If Apache is started as root and you code 
  +       CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
  +       [Greg Ames]
   
  -  *) mod_rewrite can now sets cookies in err_headers, uses the correct
  -     expiry date, and can now set the path as well
  -     PR 12132,12181,12172.
  -     [Ian Holsman / Rob Cromwell <apachechangelog@robcromwell.com>]
  +    *) ap_get_mime_headers_core: allocate space for the trailing null
  +       when folding is in effect.
  +       PR 18170 [Peter Mayne <PeterMayne@SPAM_SUX.ap.spherion.com>]
   
  -  *) The content-length filter no longer tries to buffer up
  -     the entire output of a long-running request before sending
  -     anything to the client.  [Brian Pane]
  +    *) Fix --enable-mods-shared=most and other variants.  [Aaron Bannert]
   
  -  *) Win32: Lower the default stack size from 1MB to 256K. This will
  -     allow around 8000 threads to be started per child process.
  -     'EDITBIN /STACK:size apache.exe' can be used to change this
  -     value directly in the apache.exe executable.
  -     [Bill Stoddard]
  +    *) mod_log_config: Add the ability to log the id of the thread 
  +       processing the request via new %P formats.  [Jeff Trawick]
   
  -  *) Win32: Implement ThreadLimit directive in the Windows MPM.
  -     [Bill Stoddard]
  +    *) Use appropriate language codes for Czech (cs) and Traditional Chinese
  +       (zh-tw) in default config files. PR 9427.  [André Malo]
   
  -  *) Remove CacheOn config directive since it is set but never checked.
  -     No sense wasting cycles on unused code. Besides, the only truly
  -     bug free code is deleted code. :)   [Paul J. Reder]
  +    *) mod_auth_ldap: Use generic whitespace character class when parsing
  +       "require" directives, instead of literal spaces only. PR 17135.
  +       [André Malo]
   
  -  *) BufferLogs are now run-time enabled, and the log_config now has 2 new
  -     callbacks to allow a 3rd party module to actually do the writing of the
  -     log file [Ian Holsman]
  +    *) Hook mod_rewrite's type checker before mod_mime's one. That way the
  +       RewriteRule [T=...] Flag should work as expected now. PR 19626.
  +       [André Malo]
   
  -  *) Correct ISAPIReadAheadBuffer to default to 49152, per mod_isapi docs.
  -     [André Malo, Astrid Keßler <kess@kess-net.de>]
  +    *) htpasswd: Check the processed file on validity. If a line is not empty
  +       and not a comment, it must contain at least one colon. Otherwise exit
  +       with error code 7. [Kris Verbeeck <Kris.Verbeeck@ubizen.com>, Thom May]
   
  -  *) Fix Segfault in mod_cache. [Kris Verbeeck <Kris.Verbeeck@ubizen.com>]
  +    *) Fix a problem that caused httpd to be linked with incorrect flags
  +       on some platforms when mod_so was enabled by default, breaking 
  +       DSOs on AIX.  PR 19012  [Jeff Trawick]
   
  -  *) Fix a null pointer dereference in the merge_env_dir_configs
  -     function of the mod_env module. PR 11791
  -     [Paul J. Reder]
  +    *) By default, use the same CC and CPP with which APR was built.
  +       The user can override with CC and CPP environment variables.
  +       [Jeff Trawick]
   
  -  *) New option to ServerTokens 'maj[or]'. Only show the major version
  -     Also Surfaced this directive in the standard config (default FULL)
  -     [Ian Holsman]
  +    *) Fix ap_construct_url() so that it surrounds IPv6 literal address
  +       strings with [].  This fixes certain types of redirection.
  +       PR 19207.  [Jeff Trawick]
   
  -  *) Change mod_rewrite to use apr-util's dbm support for dbm rewrite
  -     maps.  The dbm type (e.g., ndbm, gdbm) can be specified on the
  -     RewriteMap directive.  PR 10644  [Jeff Trawick]
  +    *) forward port of buffer overflow fixes for htdigest. [Thom May]
   
  -  *) Fixed mod_rewrite's RewriteMap prg: support so that request/response
  -     pairs will no longer get out of sync with each other.  PR 9534
  -     [Cliff Woolley]
  +    *) Added AllowEncodedSlashes directive to permit control of whether
  +       the server will accept encoded slashes ('%2f') in the URI path.
  +       Default condition is off (the historical behaviour).  This permits
  +       environments in which the path-info needs to contain encoded
  +       slashes.  PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639.
  +       [Ken Coar]
   
  -  *) Fixes required to get quoted and escaped command args working in
  -     mod_ext_filter. PR 11793 [Paul J. Reder]
  +    *) When using Redirect in directory context, append requested query
  +       string if there's no one supplied by configuration. PR 10961.
  +       [André Malo]
   
  -  *) mod-proxy: handle proxied responses with no status lines
  -     [JD Silvester <jsilves@uwo.ca>, Brett Huttley <brett@huttley.net>]
  +    *) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise
  +       the pattern will not always match as desired. PR 12596.
  +       [André Malo]
   
  -  *) Fix bug where environment or command line arguments containing
  -     non-ASCII-7 characters would cause the Win32 child process creation
  -     to fail.  PR 11854  [William Rowe]
  +    *) mod_autoindex now emits and accepts modern query string parameter
  +       delimiters (;). Thus column headers no longer contain unescaped
  +       ampersands. PR 10880  [André Malo]
   
  -  *) Bug #11213.. make module loading error messages more informative
  -     [Ian Darwin <Ian779@darwinsys.com>]
  +    *) Enable ap_sock_disable_nagle for Windows. This along with the 
  +       addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle 
  +       to be disabled for Windows. [Allan Edwards]
   
  -  *) thread safety & proxy-ftp [Alexey Panchenko alexey@liwest.ru, Ian Holsman]
  +    *) Correct a mis-correlation between mpm_common.c and mpm_common.h;
  +       This patch reverts us to pre-2.0.46 behavior, using the 
  +       ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle 
  +       was never compiled on Win32. [Allan Edwards, William Rowe]
   
  -  *) mod_disk_cache works much better. This module should still
  -     be considered experimental. [Eric Prud'hommeaux]
  +    *) Fix a build problem with passing unsupported --enable-layout
  +       args to apr and apr-util.  This broke binbuild.sh as well as
  +       user-specified layout parameters.  PR 18649 [Justin Erenkrantz,
  +       Jeff Trawick]
  +
  +    *) If a Date response header was already set in the headers array,
  +       this value was ignored in favour of the current time. This meant
  +       that Date headers on proxied requests where rewritten when they
  +       should not have been. PR: 14376 [Graham Leggett]
  +
  +    *) Add code to buildconf that produces an httpd.spec file from
  +       httpd.spec.in, using build/get-version.sh from APR.
  +       [Graham Leggett]
  +
  +    *) Fixed a segfault when multiple ProxyBlock directives were used.
  +       PR: 19023 [Sami Tikka <sami.tikka@f-secure.com>]
  +
  +    *) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability 
  +       identified and reported by Robert Howard <rihoward@rawbw.com> that 
  +       where device names faulted the running OS2 worker process.
  +       The fix is actually in APR 0.9.4.  [Brian Havard]
  +
  +    *) Forward port: Escape special characters (especially control
  +       characters) in mod_log_config to make a clear distinction between
  +       client-supplied strings (with special characters) and server-side
  +       strings. This was already introduced in version 1.3.25.
  +       [André Malo]
  +
  +    *) mod_deflate: Check also err_headers_out for an already set
  +       Content-Encoding: gzip header. This prevents gzip compressed content
  +       from a CGI script from being compressed once more. PR 17797.
  +       [André Malo]
   
  -  *) Performance improvement for keepalive requests: when setting
  -     aside a small file for potential concatenation with the next
  -     response on the connection, set aside the file descriptor rather
  -     than copying the file into the heap.  [Brian Pane]
  
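Review bot: The new Announcement text says 2.0.46 "addresses two security vulnerabilities" and the "Security vulnerabilities closed since Apache 2.0.45" list contains only CAN-2003-0245 and CAN-2003-0189, yet a third SECURITY entry, CAN-2003-0134 (the OS/2 device-name denial of service, "actually in APR 0.9.4"), sits further down under "Bugs fixed and features added". Either move that entry up into the security list and say "three" in the summary, or state in the summary that the OS/2 fix ships through the bundled APR and is listed separately, so a reader scanning for CAN identifiers does not miss it. Two smaller points in the same hunk: the CAN-2003-0189 entry ends without a period after "John Hughes <john.hughes@entegrity.com>", and the pair of Nagle entries ("Enable ap_sock_disable_nagle for Windows" followed by a later entry that "reverts us to pre-2.0.46 behavior") leaves the net effect on Win32 in this release unclear; one sentence stating what 2.0.46 actually does with TCP_NODELAY on Windows would resolve it.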
  
  
  1.24      +18 -19    httpd-site/docs/download.html
  
  Index: download.html
  ===================================================================
  RCS file: /home/cvs/httpd-site/docs/download.html,v
  retrieving revision 1.23
  retrieving revision 1.24
  diff -u -d -u -r1.23 -r1.24
  --- download.html	14 Apr 2003 18:19:17 -0000	1.23
  +++ download.html	28 May 2003 05:48:18 -0000	1.24
  @@ -105,17 +105,16 @@
    <tr><td bgcolor="#828DA6">
     <font color="#ffffff" face="arial,helvetica,sanserif">
      <a name="apache20"><strong>Apache
  -2.0.45 is the best available version</strong></a>
  +2.0.46 is the best available version</strong></a>
     </font>
    </td></tr>
    <tr><td>
     <blockquote>
  -<p>This release fixes security problems affecting the Windows platform
  -   described in
  -   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0016">
  -   CAN-2003-0016</a> and 
  -   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0017">
  -   CAN-2003-0017</a>.  It also contains bug fixes and some new features.
  +<p>This release fixes security problems described in
  +   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245">
  +   CAN-2003-0245</a> and 
  +   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189">
  +   CAN-2003-0189</a>.  It also contains bug fixes and some new features.
      For details see the <a href="http://www.apache.org/dist/httpd/Announcement2.html">Official
      Announcement</a> and the <a href="[preferred]/httpd/CHANGES_2.0">CHANGES_2.0</a> list.</p>
   <p>Apache 2.0 add-in modules are not compatible with Apache 1.3 modules.
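Review bot: The replacement paragraph names the two CAN identifiers but gives no affected-version range, so an administrator landing on the download page cannot tell whether an existing install needs the upgrade without following the link. The Announcement hunk in this same commit has the ranges (2.0.37 through 2.0.45 for CAN-2003-0245, 2.0.40 through 2.0.45 on Unix with a threaded MPM for CAN-2003-0189); a half-sentence here, e.g. "affecting all 2.0 releases prior to 2.0.46", would make the page self-sufficient.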
  @@ -125,24 +124,24 @@
   <ul>
   
   <li>Unix Source: 
  -<a href="[preferred]/httpd/httpd-2.0.45.tar.gz">httpd-2.0.45.tar.gz</a> 
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz.asc">PGP</a>]
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz.md5">MD5</a>]</li>
  +<a href="[preferred]/httpd/httpd-2.0.46.tar.gz">httpd-2.0.46.tar.gz</a> 
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46.tar.gz.asc">PGP</a>]
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46.tar.gz.md5">MD5</a>]</li>
   
   <li>Unix Source: 
  -<a href="[preferred]/httpd/httpd-2.0.45.tar.Z">httpd-2.0.45.tar.Z</a> 
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.45.tar.Z.asc">PGP</a>]
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.45.tar.Z.md5">MD5</a>]</li>
  +<a href="[preferred]/httpd/httpd-2.0.46.tar.Z">httpd-2.0.46.tar.Z</a> 
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46.tar.Z.asc">PGP</a>]
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46.tar.Z.md5">MD5</a>]</li>
   
   <li>Win32 Source: 
  -<a href="[preferred]/httpd/httpd-2.0.45-win32-src.zip">httpd-2.0.45-win32-src.zip</a> 
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.45-win32-src.zip.asc">PGP</a>]
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.45-win32-src.zip.md5">MD5</a>]</li>
  +<a href="[preferred]/httpd/httpd-2.0.46-win32-src.zip">httpd-2.0.46-win32-src.zip</a> 
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46-win32-src.zip.asc">PGP</a>]
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46-win32-src.zip.md5">MD5</a>]</li>
   
   <li>Win32 Binary (MSI Installer): 
  -<a href="[preferred]/httpd/binaries/win32/apache_2.0.45-win32-x86-no_ssl.msi">apache_2.0.45-win32-x86-no_ssl.msi</a>
  -[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.0.45-win32-x86-no_ssl.msi.asc">PGP</a>] 
  -[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.0.45-win32-x86-no_ssl.msi.md5">MD5</a>]</li>
  +<a href="[preferred]/httpd/binaries/win32/apache_2.0.46-win32-x86-no_ssl.msi">apache_2.0.46-win32-x86-no_ssl.msi</a>
  +[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.0.46-win32-x86-no_ssl.msi.asc">PGP</a>] 
  +[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.0.46-win32-x86-no_ssl.msi.md5">MD5</a>]</li>
   
   <li><a href="[preferred]/httpd/">Other files</a></li>
   
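Review bot: The .asc and .md5 links in this hunk correctly stay on http://www.apache.org/dist/ while the artifacts themselves go through [preferred], so a tampered mirror cannot substitute both a tarball and its checksum. The page still says nothing about what to do with them, though: the "PGP" and "MD5" labels are the only hint. A one-line note next to the list telling users to verify the detached signature against the project's published signing keys (and that MD5 only detects corrupt downloads, not substitution) would be worth adding, particularly on a release whose purpose is to close remotely triggerable bugs.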
  
  
  
  1.56      +32 -10    httpd-site/docs/index.html
  
  Index: index.html
  ===================================================================
  RCS file: /home/cvs/httpd-site/docs/index.html,v
  retrieving revision 1.55
  retrieving revision 1.56
  diff -u -d -u -r1.55 -r1.56
  --- index.html	1 Apr 2003 17:43:59 -0000	1.55
  +++ index.html	28 May 2003 05:48:18 -0000	1.56
  @@ -67,8 +67,8 @@
   efficient and extensible server that provides HTTP services in sync
   with the current HTTP standards.</p>
   <p>Apache has been the most popular web server on the Internet since
  -April of 1996.  The August 2002 <a href="http://www.netcraft.com/survey/">Netcraft Web Server Survey</a>
  -found that 63% of the web sites on the Internet are using Apache, thus 
  +April of 1996.  The May 2003 <a href="http://news.netcraft.com/">Netcraft Web Server Survey</a>
  +found that 62% of the web sites on the Internet are using Apache, thus 
   making it more widely used than all other web servers combined.</p>
   <p>The Apache HTTP Server is a project of the <a href="http://www.apache.org/">Apache Software Foundation</a>.</p>
     </blockquote>
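Review bot: The survey link changes from http://www.netcraft.com/survey/ to http://news.netcraft.com/, which is the Netcraft news front page rather than the survey itself, so the "62% of the web sites" figure is no longer backed by a page the reader can check. Keep the figure but point the link at the specific May 2003 survey page, or at least at the survey section.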
  @@ -94,18 +94,40 @@
              <table border="0" cellspacing="0" cellpadding="2" width="100%">
    <tr><td bgcolor="#525D76">
     <font color="#ffffff" face="arial,helvetica,sanserif">
  -   <a name="2.0.45"><strong>Apache 2.0.45 Released</strong></a>
  +   <a name="2.0.46"><strong>Apache 2.0.46 Released</strong></a>
     </font>
    </td></tr>
    <tr><td>
     <blockquote>
  -<p>The Apache HTTP Server Project is proud to <a href="http://www.apache.org/dist/httpd/Announcement2.html">announce the
  -eighth public release of Apache 2.0</a>.</p>
  -<p>Since the new effort began with release 2.0.42 to retain configuration 
  -and module-interface stability in the Apache 2.0 series, there should be
  -no required changes in configuration or third-party module binaries to 
  -upgrade from 2.0.42 or later.  We continue to make every effort to maintain 
  -this easy upgrade path in future 2.0 releases.</p>
  +<p>The Apache HTTP Server Project is proud to <a href="http://www.apache.org/dist/httpd/Announcement2.html">announce</a> the
  +ninth public release of Apache 2.0.</p>
  +<p>This version of Apache is principally a security and bug fix release.
  +   Of particular note is that 2.0.46 addresses two security
  +   vulnerabilities:</p>
  +<p>Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
  +   certain circumstances.  This can be triggered remotely through mod_dav
  +   and possibly other mechanisms.  The crash was originally reported by
  +   David Endler &lt;DEndler@iDefense.com&gt; and was researched and fixed by
  +   Joe Orton &lt;jorton@redhat.com&gt;.  Specific details and an analysis of the
  +   crash will be published Friday, May 30.  No more specific information
  +   is disclosed at this time, but all Apache 2.0 users are encouraged to
  +   upgrade now.<br />
  +   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245</a>]</code></p>
  +<p>Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were
  +   vulnerable to a denial-of-service attack on the basic authentication
  +   module, which was reported by John Hughes &lt;john.hughes@entegrity.com&gt;.
  +   A bug in the configuration scripts caused the <code>apr_password_validate()</code>
  +   function to be thread-unsafe on platforms with <code>crypt_r()</code>, including
  +   AIX and Linux.  All versions of Apache 2.0 have this thread-safety
  +   problem on platforms with no <code>crypt_r()</code> and no thread-safe <code>crypt()</code>,
  +   such as Mac OS X and possibly others.  When using a threaded MPM (which
  +   is not the default on these platforms), this allows remote attackers
  +   to create a denial of service which causes valid usernames and
  +   passwords for Basic Authentication to fail until Apache is restarted.
  +   We do not believe this bug could allow unauthorized users to gain
  +   access to protected resources.<br />
  +   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189</a>]</code></p>
  +<p>For further details, see the <a href="http://www.apache.org/dist/httpd/Announcement2.html">announcement</a>.</p>
   <p align="center">
   <a href="download.cgi">Download</a> | 
   <a href="docs-2.0/new_features_2_0.html">New Features in Apache 2.0</a> |
  
  
  
  1.9       +0 -0      httpd-site/docs/apreq/index.html
  
  Index: index.html
  ===================================================================
  RCS file: /home/cvs/httpd-site/docs/apreq/index.html,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -d -u -r1.8 -r1.9
  
  
  
  1.10      +228 -187  httpd-site/xdocs/Announcement
  
  Index: Announcement
  ===================================================================
  RCS file: /home/cvs/httpd-site/xdocs/Announcement,v
  retrieving revision 1.9
  retrieving revision 1.10
  diff -u -d -u -r1.9 -r1.10
  --- Announcement	24 Sep 2002 22:31:09 -0000	1.9
  +++ Announcement	28 May 2003 05:48:18 -0000	1.10
  @@ -1,190 +1,231 @@
  -         Apache 2.0.42 Released
  ---------------------------------------------
   
  -The Apache HTTP Server Project is proud to announce the fifth public
  -release of Apache 2.0.  This is primarily a bug-fix release, including
  -updates to the experimental caching module, the removal of several
  -memory leaks, and fixes for several segfaults, one of which could have
  -been used as a denial-of-service against mod_dav.  A complete list of
  -the changes since 2.0.40 is given at the end of this document.
  +                       Apache 2.0.46 Released
   
  +   The Apache Software Foundation and the Apache HTTP Server Project are
  +   pleased to announce the ninth public release of the Apache 2.0
  +   HTTP Server.  This Announcement notes the significant changes in
  +   2.0.46 as compared to 2.0.45.
   
  -Apache 2.0 offers numerous enhancements, improvements, and performance
  -boosts over the 1.3 codebase.  The most visible and noteworthy addition
  -is the ability to run Apache in a hybrid thread/process mode on any
  -platform that supports both threads and processes.  This has been shown
  -to improve the scalability of the Apache HTTP Server significantly in
  -our testing.  Apache 2.0 also includes support for filtered I/O.  This
  -allows modules to modify the output of other modules before it is
  -sent to the client.  We have also included support for IPv6 on any
  -platform that supports IPv6.
   
  -This version of Apache is known to work on many versions of Unix, BeOS,
  -OS/2, Windows, and Netware.  Because of the many advances in Apache
  -2.0, it is expected to perform equally well on all supported platforms.
  -Apache 2.0 has been running on the apache.org website since December
  -of 2000 and has proven to be very reliable.
  +   This version of Apache is principally a security and bug fix release.
  +   A summary of the bug fixes is given at the end of this document.
  +   Of particular note is that 2.0.46 addresses two security
  +   vulnerabilities:
   
  -Apache has been the most popular web server on the Internet since
  -April of 1996. The August 2002 Web Server Survey by Netcraft (see
  -http://www.netcraft.com/survey/) found that more web servers were
  -using Apache than any other software; Apache runs on more than 63%
  -of the web servers on the Internet.
  +   Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
  +   certain circumstances.  This can be triggered remotely through mod_dav
  +   and possibly other mechanisms.  The crash was originally reported by
  +   David Endler <DEndler@iDefense.com> and was researched and fixed by
  +   Joe Orton <jorton@redhat.com>.  Specific details and an analysis of the
  +   crash will be published Friday, May 30.  No more specific information
  +   is disclosed at this time, but all Apache 2.0 users are encouraged to
  +   upgrade now.
  +   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245]
  +  
  +   Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were
  +   vulnerable to a denial-of-service attack on the basic authentication
  +   module, which was reported by John Hughes <john.hughes@entegrity.com>.
  +   A bug in the configuration scripts caused the apr_password_validate()
  +   function to be thread-unsafe on platforms with crypt_r(), including
  +   AIX and Linux.  All versions of Apache 2.0 have this thread-safety
  +   problem on platforms with no crypt_r() and no thread-safe crypt(),
  +   such as Mac OS X and possibly others.  When using a threaded MPM (which
  +   is not the default on these platforms), this allows remote attackers
  +   to create a denial of service which causes valid usernames and
  +   passwords for Basic Authentication to fail until Apache is restarted.
  +   We do not believe this bug could allow unauthorized users to gain
  +   access to protected resources.
  +   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189]
   
  +   The Apache Software Foundation would like to thank David Endler
  +   and John Hughes for the responsible reporting of these issues.
   
  -We consider this release to be the best version of Apache available
  -and encourage users of all prior versions to upgrade.  When doing so,
  -please keep in mind the following:
   
  -This release is not binary-compatible with previous releases, so all
  -modules need to be recompiled in order to work with this version.  For
  -example, a module compiled to work with 2.0.40 will not work with 2.0.42.
  +   This release is compatible with modules compiled for 2.0.42 and later
  +   versions.  We consider this release to be the best version of Apache
  +   available and encourage users of all prior versions to upgrade.
   
  -If you intend to use Apache with one of the threaded MPMs, you must
  -ensure that the modules (and the libraries they depend on) that you
  -will be using are thread-safe.  Please contact the vendors of
  -these modules to obtain this information.
  +   Apache 2.0.46 is available for download from
   
  +     http://httpd.apache.org/download.cgi
   
  -For more information and to download the release tarballs, please
  -visit http://httpd.apache.org/
  +   Please see the CHANGES_2.0 file, linked from the above page, for
  +   a full list of changes.
   
  +   Apache 2.0 offers numerous enhancements, improvements, and performance
  +   boosts over the 1.3 codebase.  For an overview of new features introduced
  +   after 1.3 please see
   
  -Changes since 2.0.40
  ----------------------------------------------
  +     http://httpd.apache.org/docs-2.0/new_features_2_0.html
   
  -Changes with Apache 2.0.42
  +   When upgrading or installing this version of Apache, please keep
  +   in mind the following:
   
  -  *) mod_dav: Check for versioning hooks before using them.
  -     [Greg Stein]
  +   If you intend to use Apache with one of the threaded MPMs, you must
  +   ensure that the modules (and the libraries they depend on) that you
  +   will be using are thread-safe.  Please contact the vendors of these
  +   modules to obtain this information.
   
  -Changes with Apache 2.0.41
   
  -  *) The protocol version (eg: HTTP/1.1) in the request line parsing
  -     is now case insensitive. [Jim Jagielski]
  +                       Apache 2.0.46 Major changes
   
  -  *) Allow AddOutputFilterByType to add multiple filters per directive.
  -     [Justin Erenkrantz]
  +   Security vulnerabilities closed since Apache 2.0.45
   
  -  *) Remove warnings with Sun's Forte compiler.  [Justin Erenkrantz]
  +    *) SECURITY [CAN-2003-0245]: Fixed a bug that could be triggered
  +       remotely through mod_dav and possibly other mechanisms, causing
  +       an Apache child process to crash.  The crash was first reported
  +       by David Endler <DEndler@iDefense.com> and was researched and
  +       fixed by Joe Orton <jorton@redhat.com>.  Details will be released
  +       on 30 May 2003.
   
  -  *) Fixed mod_disk_cache's generation of 304s
  -     [Kris Verbeeck <Kris.Verbeeck@ubizen.com>]
  +    *) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability
  +       affecting basic authentication on Unix platforms related to
  +       thread-safety in apr_password_validate().  The problem was reported
  +       by John Hughes <john.hughes@entegrity.com>
   
  -  *) Add support for using fnmatch patterns in the final path
  -     segment of an Include statement (eg.. include /foo/bar/*.conf).
  -     and remove the noise on stderr during config dir processing.
  -     [Joe Orton <jorton@redhat.com>]
   
  -  *) mod_cache: cache_storage.c. Add the hostname and any request
  -     args to the key generated for caching. This provides a unique
  -     key for each virtual host and for each request with unique
  -     args. [Paul J. Reder, args code provided by Kris Verbeeck]
  +   Bugs fixed and features added since Apache 2.0.45
   
  -  *) mod_cache: Do not cache responses to GET requests with query
  -     URLs if the origin server does not explicitly provide an
  -     Expires header on the response (RFC 2616 Section 13.9)
  -     [Kris Verbeeck krisv@be.ubizen.com]
  +    *) Fix for mod_dav.  Call the 'can_be_activity' callback, if provided,
  +       when a MKACTIVITY request comes in.
  +       [Ben Collins-Sussman <sussman@collab.net>]
   
  -  *) Fix memory leak in core_output_filter.  [Justin Erenkrantz]
  +    *) Perform run-time query in apxs for apr and apr-util's includes.
  +       [Justin Erenkrantz] 
   
  -  *) Update OpenSSL detection to work on Darwin.
  -     [Sander Temme <sctemme@covalent.net>]
  +    *) run libtool from the apr install directory (in case that is different
  +       from the apache install directory) [Jeff Trawick]
   
  -  *) Update the xslt and css to give the documentation a more
  -     modern style.
  -     [André Malo <nd@perlig.de>, Gernot Winkler <greh@o3media.de>]
  +    *) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]
   
  -  *) Fix some bucket memory leaks in the chunking code
  -     [Joe Schaefer <joe+apache@sunstarsys.com>]
  +    *) If mod_mime_magic does not know the content-type, do not attempt to
  +       guess.  PR 16908.  [Andrew Gapon <agapon@telcordia.com>]
   
  -  *) Add ModMimeUsePathInfo directive.  [Justin Erenkrantz]
  +    *) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session
  +       caching. PR 17864.
  +       [Andreas Leimbacher <andreasl67@yahoo.de>, Madhusudan Mathihalli]
   
  -  *) mod_cache: added support for caching streamed responses (proxy,
  -     CGI, etc) with optional CacheMaxStreamingBuffer setting [Brian Pane]
  +    *) Add a delete flag to htpasswd.
  +       [Thom May]
   
  -  *) Add image/x-icon to httpd.conf PR 10993.
  -     [Ian Holsman, Peter Bieringer <pb@bieringer.de>]
  +    *) Fix mod_rewrite's handling of absolute URIs. The escaping routines
  +       now work scheme dependent and the query string will only be
  +       appended if supported by the particular scheme.  [André Malo]
   
  -  *) Fix FileETags none operation.  PR 12207.
  -     [Justin Erenkrantz, Andrew Ho <andrew@tellme.com>]
  +    *) Add another check for already compressed content in mod_deflate.
  +       PR 19913. [Tsuyoshi SASAMOTO <nazonazo@super.win.ne.jp>]
   
  -  *) Restored the experimental leader/followers MPM to working
  -     condition and converted its thread synchronization from
  -     mutexes to atomic CAS.  [Brian Pane]
  +    *) Fixes for VPATH builds; copying special.mk and any future .mk files 
  +       from the source tree as well as the build tree (now creates a usable
  +       configuration for apxs), and eliminated redundant -I'nclude paths.
  +       [William Rowe]
   
  -  *) Fix Logic on non-html file removal in mod_deflate
  -     [Kris Verbeeck <Kris.Verbeeck@ubizen.com>]
  +    *) Code fixes, constness corrections and ssl_toolkit_compat.h updates
  +       for SSLC and OpenSSL toolkit compatibility.  Still work remains to
  +       be done to cripple features based on the limitations of RSA's binary 
  +       distribution of their SSL-C toolkit.
  +       [William Rowe, Madhusudan Mathihalli, Jeff Trawick]
   
  -  *) Fix "ab -g"'s truncated year: the last digit was cut off.
  -     [Leon Brocard <acme@astray.com>]
  +    *) Linux 2.4+: If Apache is started as root and you code 
  +       CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
  +       [Greg Ames]
   
  -  *) mod_rewrite can now sets cookies in err_headers, uses the correct
  -     expiry date, and can now set the path as well
  -     PR 12132,12181,12172.
  -     [Ian Holsman / Rob Cromwell <apachechangelog@robcromwell.com>]
  +    *) ap_get_mime_headers_core: allocate space for the trailing null
  +       when folding is in effect.
  +       PR 18170 [Peter Mayne <PeterMayne@SPAM_SUX.ap.spherion.com>]
   
  -  *) The content-length filter no longer tries to buffer up
  -     the entire output of a long-running request before sending
  -     anything to the client.  [Brian Pane]
  +    *) Fix --enable-mods-shared=most and other variants.  [Aaron Bannert]
   
  -  *) Win32: Lower the default stack size from 1MB to 256K. This will
  -     allow around 8000 threads to be started per child process.
  -     'EDITBIN /STACK:size apache.exe' can be used to change this
  -     value directly in the apache.exe executable.
  -     [Bill Stoddard]
  +    *) mod_log_config: Add the ability to log the id of the thread 
  +       processing the request via new %P formats.  [Jeff Trawick]
   
  -  *) Win32: Implement ThreadLimit directive in the Windows MPM.
  -     [Bill Stoddard]
  +    *) Use appropriate language codes for Czech (cs) and Traditional Chinese
  +       (zh-tw) in default config files. PR 9427.  [André Malo]
   
  -  *) Remove CacheOn config directive since it is set but never checked.
  -     No sense wasting cycles on unused code. Besides, the only truly
  -     bug free code is deleted code. :)   [Paul J. Reder]
  +    *) mod_auth_ldap: Use generic whitespace character class when parsing
  +       "require" directives, instead of literal spaces only. PR 17135.
  +       [André Malo]
   
  -  *) BufferLogs are now run-time enabled, and the log_config now has 2 new
  -     callbacks to allow a 3rd party module to actually do the writing of the
  -     log file [Ian Holsman]
  +    *) Hook mod_rewrite's type checker before mod_mime's one. That way the
  +       RewriteRule [T=...] Flag should work as expected now. PR 19626.
  +       [André Malo]
   
  -  *) Correct ISAPIReadAheadBuffer to default to 49152, per mod_isapi docs.
  -     [André Malo, Astrid Keßler <kess@kess-net.de>]
  +    *) htpasswd: Check the processed file on validity. If a line is not empty
  +       and not a comment, it must contain at least one colon. Otherwise exit
  +       with error code 7. [Kris Verbeeck <Kris.Verbeeck@ubizen.com>, Thom May]
   
  -  *) Fix Segfault in mod_cache. [Kris Verbeeck <Kris.Verbeeck@ubizen.com>]
  +    *) Fix a problem that caused httpd to be linked with incorrect flags
  +       on some platforms when mod_so was enabled by default, breaking 
  +       DSOs on AIX.  PR 19012  [Jeff Trawick]
   
  -  *) Fix a null pointer dereference in the merge_env_dir_configs
  -     function of the mod_env module. PR 11791
  -     [Paul J. Reder]
  +    *) By default, use the same CC and CPP with which APR was built.
  +       The user can override with CC and CPP environment variables.
  +       [Jeff Trawick]
   
  -  *) New option to ServerTokens 'maj[or]'. Only show the major version
  -     Also Surfaced this directive in the standard config (default FULL)
  -     [Ian Holsman]
  +    *) Fix ap_construct_url() so that it surrounds IPv6 literal address
  +       strings with [].  This fixes certain types of redirection.
  +       PR 19207.  [Jeff Trawick]
   
  -  *) Change mod_rewrite to use apr-util's dbm support for dbm rewrite
  -     maps.  The dbm type (e.g., ndbm, gdbm) can be specified on the
  -     RewriteMap directive.  PR 10644  [Jeff Trawick]
  +    *) forward port of buffer overflow fixes for htdigest. [Thom May]
   
  -  *) Fixed mod_rewrite's RewriteMap prg: support so that request/response
  -     pairs will no longer get out of sync with each other.  PR 9534
  -     [Cliff Woolley]
  +    *) Added AllowEncodedSlashes directive to permit control of whether
  +       the server will accept encoded slashes ('%2f') in the URI path.
  +       Default condition is off (the historical behaviour).  This permits
  +       environments in which the path-info needs to contain encoded
  +       slashes.  PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639.
  +       [Ken Coar]
   
  -  *) Fixes required to get quoted and escaped command args working in
  -     mod_ext_filter. PR 11793 [Paul J. Reder]
  +    *) When using Redirect in directory context, append requested query
  +       string if there's no one supplied by configuration. PR 10961.
  +       [André Malo]
   
  -  *) mod-proxy: handle proxied responses with no status lines
  -     [JD Silvester <jsilves@uwo.ca>, Brett Huttley <brett@huttley.net>]
  +    *) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise
  +       the pattern will not always match as desired. PR 12596.
  +       [André Malo]
   
  -  *) Fix bug where environment or command line arguments containing
  -     non-ASCII-7 characters would cause the Win32 child process creation
  -     to fail.  PR 11854  [William Rowe]
  +    *) mod_autoindex now emits and accepts modern query string parameter
  +       delimiters (;). Thus column headers no longer contain unescaped
  +       ampersands. PR 10880  [André Malo]
   
  -  *) Bug #11213.. make module loading error messages more informative
  -     [Ian Darwin <Ian779@darwinsys.com>]
  +    *) Enable ap_sock_disable_nagle for Windows. This along with the 
  +       addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle 
  +       to be disabled for Windows. [Allan Edwards]
   
  -  *) thread safety & proxy-ftp [Alexey Panchenko alexey@liwest.ru, Ian Holsman]
  +    *) Correct a mis-correlation between mpm_common.c and mpm_common.h;
  +       This patch reverts us to pre-2.0.46 behavior, using the 
  +       ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle 
  +       was never compiled on Win32. [Allan Edwards, William Rowe]
   
  -  *) mod_disk_cache works much better. This module should still
  -     be considered experimental. [Eric Prud'hommeaux]
  +    *) Fix a build problem with passing unsupported --enable-layout
  +       args to apr and apr-util.  This broke binbuild.sh as well as
  +       user-specified layout parameters.  PR 18649 [Justin Erenkrantz,
  +       Jeff Trawick]
  +
  +    *) If a Date response header was already set in the headers array,
  +       this value was ignored in favour of the current time. This meant
  +       that Date headers on proxied requests where rewritten when they
  +       should not have been. PR: 14376 [Graham Leggett]
  +
  +    *) Add code to buildconf that produces an httpd.spec file from
  +       httpd.spec.in, using build/get-version.sh from APR.
  +       [Graham Leggett]
  +
  +    *) Fixed a segfault when multiple ProxyBlock directives were used.
  +       PR: 19023 [Sami Tikka <sami.tikka@f-secure.com>]
  +
  +    *) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability 
  +       identified and reported by Robert Howard <rihoward@rawbw.com> that 
  +       where device names faulted the running OS2 worker process.
  +       The fix is actually in APR 0.9.4.  [Brian Havard]
  +
  +    *) Forward port: Escape special characters (especially control
  +       characters) in mod_log_config to make a clear distinction between
  +       client-supplied strings (with special characters) and server-side
  +       strings. This was already introduced in version 1.3.25.
  +       [André Malo]
  +
  +    *) mod_deflate: Check also err_headers_out for an already set
  +       Content-Encoding: gzip header. This prevents gzip compressed content
  +       from a CGI script from being compressed once more. PR 17797.
  +       [André Malo]
   
  -  *) Performance improvement for keepalive requests: when setting
  -     aside a small file for potential concatenation with the next
  -     response on the connection, set aside the file descriptor rather
  -     than copying the file into the heap.  [Brian Pane]
  
  
  
  1.23      +19 -20    httpd-site/xdocs/download.xml
  
  Index: download.xml
  ===================================================================
  RCS file: /home/cvs/httpd-site/xdocs/download.xml,v
  retrieving revision 1.22
  retrieving revision 1.23
  diff -u -d -u -r1.22 -r1.23
  --- download.xml	14 Apr 2003 18:19:17 -0000	1.22
  +++ download.xml	28 May 2003 05:48:18 -0000	1.23
  @@ -52,14 +52,13 @@
   
   
   <section id="apache20"><title>Apache
  -2.0.45 is the best available version</title>
  +2.0.46 is the best available version</title>
   
  -<p>This release fixes security problems affecting the Windows platform
  -   described in
  -   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0016">
  -   CAN-2003-0016</a> and 
  -   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0017">
  -   CAN-2003-0017</a>.  It also contains bug fixes and some new features.
  +<p>This release fixes security problems described in
  +   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245">
  +   CAN-2003-0245</a> and 
  +   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189">
  +   CAN-2003-0189</a>.  It also contains bug fixes and some new features.
      For details see the <a
      href="http://www.apache.org/dist/httpd/Announcement2.html">Official
      Announcement</a> and the <a
  @@ -73,25 +72,25 @@
   <ul>
   
   <li>Unix Source: 
  -<a href="[preferred]/httpd/httpd-2.0.45.tar.gz">httpd-2.0.45.tar.gz</a> 
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz.asc">PGP</a>]
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz.md5">MD5</a>]</li>
  +<a href="[preferred]/httpd/httpd-2.0.46.tar.gz">httpd-2.0.46.tar.gz</a> 
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46.tar.gz.asc">PGP</a>]
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46.tar.gz.md5">MD5</a>]</li>
   
   <li>Unix Source: 
  -<a href="[preferred]/httpd/httpd-2.0.45.tar.Z">httpd-2.0.45.tar.Z</a> 
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.45.tar.Z.asc">PGP</a>]
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.45.tar.Z.md5">MD5</a>]</li>
  +<a href="[preferred]/httpd/httpd-2.0.46.tar.Z">httpd-2.0.46.tar.Z</a> 
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46.tar.Z.asc">PGP</a>]
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46.tar.Z.md5">MD5</a>]</li>
   
   <li>Win32 Source: 
  -<a href="[preferred]/httpd/httpd-2.0.45-win32-src.zip">httpd-2.0.45-win32-src.zip</a> 
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.45-win32-src.zip.asc">PGP</a>]
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.45-win32-src.zip.md5">MD5</a>]</li>
  +<a href="[preferred]/httpd/httpd-2.0.46-win32-src.zip">httpd-2.0.46-win32-src.zip</a> 
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46-win32-src.zip.asc">PGP</a>]
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46-win32-src.zip.md5">MD5</a>]</li>
   
   <li>Win32 Binary (MSI Installer): 
  -<a href="[preferred]/httpd/binaries/win32/apache_2.0.45-win32-x86-no_ssl.msi"
  ->apache_2.0.45-win32-x86-no_ssl.msi</a>
  -[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.0.45-win32-x86-no_ssl.msi.asc">PGP</a>] 
  -[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.0.45-win32-x86-no_ssl.msi.md5">MD5</a>]</li>
  +<a href="[preferred]/httpd/binaries/win32/apache_2.0.46-win32-x86-no_ssl.msi"
  +>apache_2.0.46-win32-x86-no_ssl.msi</a>
  +[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.0.46-win32-x86-no_ssl.msi.asc">PGP</a>] 
  +[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.0.46-win32-x86-no_ssl.msi.md5">MD5</a>]</li>
   
   <li><a href="[preferred]/httpd/">Other files</a></li>
   
  
  
  
  1.41      +38 -12    httpd-site/xdocs/index.xml
  
  Index: index.xml
  ===================================================================
  RCS file: /home/cvs/httpd-site/xdocs/index.xml,v
  retrieving revision 1.40
  retrieving revision 1.41
  diff -u -d -u -r1.40 -r1.41
  --- index.xml	1 Apr 2003 16:26:27 -0000	1.40
  +++ index.xml	28 May 2003 05:48:18 -0000	1.41
  @@ -15,9 +15,9 @@
   with the current HTTP standards.</p>
   
   <p>Apache has been the most popular web server on the Internet since
  -April of 1996.  The August 2002 <a 
  -href="http://www.netcraft.com/survey/">Netcraft Web Server Survey</a>
  -found that 63% of the web sites on the Internet are using Apache, thus 
  +April of 1996.  The May 2003 <a 
  +href="http://news.netcraft.com/">Netcraft Web Server Survey</a>
  +found that 62% of the web sites on the Internet are using Apache, thus 
   making it more widely used than all other web servers combined.</p>
   
   <p>The Apache HTTP Server is a project of the <a
  @@ -37,18 +37,44 @@
   your downloads using PGP or MD5 signatures!</p>
   </section>
   
  -<section id="2.0.45">
  -<title>Apache 2.0.45 Released</title>
  +<section id="2.0.46">
  +<title>Apache 2.0.46 Released</title>
   
   <p>The Apache HTTP Server Project is proud to <a
  -href="http://www.apache.org/dist/httpd/Announcement2.html">announce the
  -eighth public release of Apache 2.0</a>.</p>
  +href="http://www.apache.org/dist/httpd/Announcement2.html">announce</a> the
  +ninth public release of Apache 2.0.</p>
   
  -<p>Since the new effort began with release 2.0.42 to retain configuration 
  -and module-interface stability in the Apache 2.0 series, there should be
  -no required changes in configuration or third-party module binaries to 
  -upgrade from 2.0.42 or later.  We continue to make every effort to maintain 
  -this easy upgrade path in future 2.0 releases.</p>
  +<p>This version of Apache is principally a security and bug fix release.
  +   Of particular note is that 2.0.46 addresses two security
  +   vulnerabilities:</p>
  +
  +<p>Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
  +   certain circumstances.  This can be triggered remotely through mod_dav
  +   and possibly other mechanisms.  The crash was originally reported by
  +   David Endler &lt;DEndler@iDefense.com&gt; and was researched and fixed by
  +   Joe Orton &lt;jorton@redhat.com&gt;.  Specific details and an analysis of the
  +   crash will be published Friday, May 30.  No more specific information
  +   is disclosed at this time, but all Apache 2.0 users are encouraged to
  +   upgrade now.<br />
  +   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245</a>]</code></p>
  +  
  +<p>Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were
  +   vulnerable to a denial-of-service attack on the basic authentication
  +   module, which was reported by John Hughes &lt;john.hughes@entegrity.com&gt;.
  +   A bug in the configuration scripts caused the <code>apr_password_validate()</code>
  +   function to be thread-unsafe on platforms with <code>crypt_r()</code>, including
  +   AIX and Linux.  All versions of Apache 2.0 have this thread-safety
  +   problem on platforms with no <code>crypt_r()</code> and no thread-safe <code>crypt()</code>,
  +   such as Mac OS X and possibly others.  When using a threaded MPM (which
  +   is not the default on these platforms), this allows remote attackers
  +   to create a denial of service which causes valid usernames and
  +   passwords for Basic Authentication to fail until Apache is restarted.
  +   We do not believe this bug could allow unauthorized users to gain
  +   access to protected resources.<br />
  +   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189</a>]</code></p>
  +
  +<p>For further details, see the <a
  +href="http://www.apache.org/dist/httpd/Announcement2.html">announcement</a>.</p>
   
   <p align="center">
   <a href="download.cgi">Download</a> | 
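Review bot: the two vulnerability paragraphs are a verbatim copy of the Announcement text, including the "will be published Friday, May 30" promise, so the front page and the announcement must now be kept in sync by hand and the front page will read as stale once that Friday passes; since the closing paragraph already links the announcement, keep a one-line summary per CAN here, leave the detail in one place, and use a dated form ("30 May 2003") rather than a weekday. The removed paragraph about configuration and module-interface stability since 2.0.42 is not replaced, while the Announcement still states "compatible with modules compiled for 2.0.42 and later"; that upgrade-path fact is exactly what a visitor deciding whether to apply a security release wants to see, so carry it over. The CAN-2003-0189 paragraph also opens with "versions 2.0.40 through 2.0.45" and then says "All versions of Apache 2.0 have this thread-safety problem" on platforms lacking crypt_r(); state both ranges together so the header sentence is not read as the whole story.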
  
  
  
