httpd-cvs mailing list archives

From stri...@apache.org
Subject cvs commit: httpd-site/xdocs download.xml index.xml
Date Wed, 09 Jul 2003 11:11:34 GMT
striker     2003/07/09 04:11:34

  Modified:    docs     download.html index.html
               xdocs    download.xml index.xml
  Log:
  Update for 2.0.47 release.
  
  Revision  Changes    Path
  1.26      +13 -21    httpd-site/docs/download.html
  
  Index: download.html
  ===================================================================
  RCS file: /home/cvs/httpd-site/docs/download.html,v
  retrieving revision 1.25
  retrieving revision 1.26
  diff -u -r1.25 -r1.26
  --- download.html	30 May 2003 21:15:38 -0000	1.25
  +++ download.html	9 Jul 2003 11:11:33 -0000	1.26
  @@ -105,16 +105,18 @@
    <tr><td bgcolor="#828DA6">
     <font color="#ffffff" face="arial,helvetica,sanserif">
      <a name="apache20"><strong>Apache
  -2.0.46 is the best available version</strong></a>
  +2.0.47 is the best available version</strong></a>
     </font>
    </td></tr>
    <tr><td>
     <blockquote>
   <p>This release fixes security problems described in
  -   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245">
  -   CAN-2003-0245</a> and 
  -   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189">
  -   CAN-2003-0189</a>.  It also contains bug fixes and some new features.
  +   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0192">
  +   CAN-2003-0192</a>,
  +   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0253">
  +   CAN-2003-0253</a> and
  +   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0254">
  +   CAN-2003-0253</a>.  It also contains bug fixes and some new features.
      For details see the <a href="http://www.apache.org/dist/httpd/Announcement2.html">Official
      Announcement</a> and the <a href="[preferred]/httpd/CHANGES_2.0">CHANGES_2.0</a>
list.</p>
   <p>Apache 2.0 add-in modules are not compatible with Apache 1.3 modules.
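Review bot: the third added anchor has href name=CAN-2003-0254 but its link text on the next "+" line reads "CAN-2003-0253", so the page names CAN-2003-0253 twice and never shows CAN-2003-0254. Change that text to "CAN-2003-0254</a>.  It also contains bug fixes and some new features."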
  @@ -124,24 +126,14 @@
   <ul>
   
   <li>Unix Source: 
  -<a href="[preferred]/httpd/httpd-2.0.46.tar.gz">httpd-2.0.46.tar.gz</a> 
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46.tar.gz.asc">PGP</a>]
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46.tar.gz.md5">MD5</a>]</li>
  +<a href="[preferred]/httpd/httpd-2.0.47.tar.gz">httpd-2.0.47.tar.gz</a> 
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.47.tar.gz.asc">PGP</a>]
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.47.tar.gz.md5">MD5</a>]</li>
   
   <li>Unix Source: 
  -<a href="[preferred]/httpd/httpd-2.0.46.tar.Z">httpd-2.0.46.tar.Z</a> 
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46.tar.Z.asc">PGP</a>]
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46.tar.Z.md5">MD5</a>]</li>
  -
  -<li>Win32 Source: 
  -<a href="[preferred]/httpd/httpd-2.0.46-win32-src.zip">httpd-2.0.46-win32-src.zip</a>

  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46-win32-src.zip.asc">PGP</a>]
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46-win32-src.zip.md5">MD5</a>]</li>
  -
  -<li>Win32 Binary (MSI Installer): 
  -<a href="[preferred]/httpd/binaries/win32/apache_2.0.46-win32-x86-no_src.msi">apache_2.0.46-win32-x86-no_src.msi</a>
  -[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.0.46-win32-x86-no_src.msi.asc">PGP</a>]

  -[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.0.46-win32-x86-no_src.msi.md5">MD5</a>]</li>
  +<a href="[preferred]/httpd/httpd-2.0.47.tar.Z">httpd-2.0.47.tar.Z</a> 
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.47.tar.Z.asc">PGP</a>]
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.47.tar.Z.md5">MD5</a>]</li>
   
   <li><a href="[preferred]/httpd/">Other files</a></li>
   
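Review bot: the Win32 Source (.zip) and Win32 Binary (MSI Installer) entries for 2.0.46 are removed in this hunk with no 2.0.47 counterparts, and the log message "Update for 2.0.47 release." does not say why. If the Win32 packages are not yet available, state that on the page or in the log so Windows users are not left without a listed download for a security release.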
  
  
  
  1.59      +18 -27    httpd-site/docs/index.html
  
  Index: index.html
  ===================================================================
  RCS file: /home/cvs/httpd-site/docs/index.html,v
  retrieving revision 1.58
  retrieving revision 1.59
  diff -u -r1.58 -r1.59
  --- index.html	15 Jun 2003 19:15:49 -0000	1.58
  +++ index.html	9 Jul 2003 11:11:34 -0000	1.59
  @@ -67,7 +67,7 @@
   efficient and extensible server that provides HTTP services in sync
   with the current HTTP standards.</p>
   <p>Apache has been the most popular web server on the Internet since
  -April of 1996.  The June 2003 <a href="http://news.netcraft.com/">Netcraft Web Server
Survey</a>
  +April of 1996.  The July 2003 <a href="http://news.netcraft.com/">Netcraft Web Server
Survey</a>
   found that 63% of the web sites on the Internet are using Apache, thus 
   making it more widely used than all other web servers combined.</p>
   <p>The Apache HTTP Server is a project of the <a href="http://www.apache.org/">Apache
Software Foundation</a>.</p>
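Review bot: the "+" line moves the survey month from June 2003 to July 2003, but the "63% of the web sites" figure on the following context line is unchanged. Confirm that 63% is the July survey's number, or update the figure in the same commit.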
  @@ -94,39 +94,30 @@
              <table border="0" cellspacing="0" cellpadding="2" width="100%">
    <tr><td bgcolor="#525D76">
     <font color="#ffffff" face="arial,helvetica,sanserif">
  -   <a name="2.0.46"><strong>Apache 2.0.46 Released</strong></a>
  +   <a name="2.0.47"><strong>Apache 2.0.47 Released</strong></a>
     </font>
    </td></tr>
    <tr><td>
     <blockquote>
   <p>The Apache HTTP Server Project is proud to <a href="http://www.apache.org/dist/httpd/Announcement2.html">announce</a>
the
  -ninth public release of Apache 2.0.</p>
  +tenth public release of Apache 2.0.</p>
   <p>This version of Apache is principally a security and bug fix release.
  -   Of particular note is that 2.0.46 addresses two security
  +   Of particular note is that 2.0.47 addresses four security
      vulnerabilities:</p>
  -<p>Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
  -   certain circumstances.  This can be triggered remotely through mod_dav
  -   and possibly other mechanisms.  The crash was originally reported by
  -   David Endler &lt;DEndler@iDefense.com&gt; and was researched and fixed by
  -   Joe Orton &lt;jorton@redhat.com&gt;.  Specific details and an analysis of the
  -   crash will be published Friday, May 30.  No more specific information
  -   is disclosed at this time, but all Apache 2.0 users are encouraged to
  -   upgrade now.<br />
  -   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245</a>]</code></p>
  -<p>Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were
  -   vulnerable to a denial-of-service attack on the basic authentication
  -   module, which was reported by John Hughes &lt;john.hughes@entegrity.com&gt;.
  -   A bug in the configuration scripts caused the <code>apr_password_validate()</code>
  -   function to be thread-unsafe on platforms with <code>crypt_r()</code>, including
  -   AIX and Linux.  All versions of Apache 2.0 have this thread-safety
  -   problem on platforms with no <code>crypt_r()</code> and no thread-safe <code>crypt()</code>,
  -   such as Mac OS X and possibly others.  When using a threaded MPM (which
  -   is not the default on these platforms), this allows remote attackers
  -   to create a denial of service which causes valid usernames and
  -   passwords for Basic Authentication to fail until Apache is restarted.
  -   We do not believe this bug could allow unauthorized users to gain
  -   access to protected resources.<br />
  -   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189</a>]</code></p>
  +<p>Certain sequences of per-directory renegotiations and the SSLCipherSuite
  +   directive being used to upgrade from a weak ciphersuite to a strong one
  +   could result in the weak ciphersuite being used in place of the strong
  +   one.<br />
  +   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0192">CAN-2003-0192</a>]</code></p>
  +<p>Certain errors returned by accept() on rarely accessed ports could cause
  +   temporal denial of service, due to a bug in the prefork MPM.<br />
  +   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0253">CAN-2003-0253</a>]</code></p>
  +<p>Denial of service was caused when target host is IPv6 but ftp proxy
  +   server can't create IPv6 socket.<br />
  +   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0254">CAN-2003-0254</a>]</code></p>
  +<p>The server would crash when going into an infinite loop due to too many
  +   subsequent internal redirects and nested subrequests.<br />
  +   <code>[VU#379828]</code></p>
   <p>For further details, see the <a href="http://www.apache.org/dist/httpd/Announcement2.html">announcement</a>.</p>
   <p align="center">
   <a href="download.cgi">Download</a> | 
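Review bot: none of the four added advisory paragraphs gives an affected version range, whereas the removed 2.0.46 text did ("versions 2.0.37 through 2.0.45", "versions 2.0.40 through 2.0.45"). Add the affected versions to each item so readers can tell whether their installation is exposed. In the accept() paragraph, "temporal denial of service" presumably should read "temporary denial of service".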
  
  
  
  1.25      +13 -22    httpd-site/xdocs/download.xml
  
  Index: download.xml
  ===================================================================
  RCS file: /home/cvs/httpd-site/xdocs/download.xml,v
  retrieving revision 1.24
  retrieving revision 1.25
  diff -u -r1.24 -r1.25
  --- download.xml	30 May 2003 21:15:38 -0000	1.24
  +++ download.xml	9 Jul 2003 11:11:34 -0000	1.25
  @@ -52,13 +52,15 @@
   
   
   <section id="apache20"><title>Apache
  -2.0.46 is the best available version</title>
  +2.0.47 is the best available version</title>
   
   <p>This release fixes security problems described in
  -   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245">
  -   CAN-2003-0245</a> and 
  -   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189">
  -   CAN-2003-0189</a>.  It also contains bug fixes and some new features.
  +   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0192">
  +   CAN-2003-0192</a>,
  +   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0253">
  +   CAN-2003-0253</a> and
  +   <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0254">
  +   CAN-2003-0253</a>.  It also contains bug fixes and some new features.
      For details see the <a
      href="http://www.apache.org/dist/httpd/Announcement2.html">Official
      Announcement</a> and the <a
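Review bot: in this xdocs copy the last added anchor again pairs href name=CAN-2003-0254 with the link text "CAN-2003-0253"; correct the text here as well so download.xml and download.html agree. This summary also names three CAN ids while index.xml in the same commit says 2.0.47 addresses four security vulnerabilities; either add VU#379828 here or reword the sentence.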
  @@ -72,25 +74,14 @@
   <ul>
   
   <li>Unix Source: 
  -<a href="[preferred]/httpd/httpd-2.0.46.tar.gz">httpd-2.0.46.tar.gz</a> 
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46.tar.gz.asc">PGP</a>]
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46.tar.gz.md5">MD5</a>]</li>
  +<a href="[preferred]/httpd/httpd-2.0.47.tar.gz">httpd-2.0.47.tar.gz</a> 
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.47.tar.gz.asc">PGP</a>]
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.47.tar.gz.md5">MD5</a>]</li>
   
   <li>Unix Source: 
  -<a href="[preferred]/httpd/httpd-2.0.46.tar.Z">httpd-2.0.46.tar.Z</a> 
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46.tar.Z.asc">PGP</a>]
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46.tar.Z.md5">MD5</a>]</li>
  -
  -<li>Win32 Source: 
  -<a href="[preferred]/httpd/httpd-2.0.46-win32-src.zip">httpd-2.0.46-win32-src.zip</a>

  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46-win32-src.zip.asc">PGP</a>]
  -[<a href="http://www.apache.org/dist/httpd/httpd-2.0.46-win32-src.zip.md5">MD5</a>]</li>
  -
  -<li>Win32 Binary (MSI Installer): 
  -<a href="[preferred]/httpd/binaries/win32/apache_2.0.46-win32-x86-no_src.msi"
  ->apache_2.0.46-win32-x86-no_src.msi</a>
  -[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.0.46-win32-x86-no_src.msi.asc">PGP</a>]

  -[<a href="http://www.apache.org/dist/httpd/binaries/win32/apache_2.0.46-win32-x86-no_src.msi.md5">MD5</a>]</li>
  +<a href="[preferred]/httpd/httpd-2.0.47.tar.Z">httpd-2.0.47.tar.Z</a> 
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.47.tar.Z.asc">PGP</a>]
  +[<a href="http://www.apache.org/dist/httpd/httpd-2.0.47.tar.Z.md5">MD5</a>]</li>
   
   <li><a href="[preferred]/httpd/">Other files</a></li>
   
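Review bot: with the Win32 items removed, the two remaining list items both read "Unix Source:" and differ only by file extension (.tar.gz and .tar.Z). Label each by compression format so the list can be scanned, and note in the log whether the Win32 packages for 2.0.47 are pending or dropped.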
  
  
  
  1.44      +22 -29    httpd-site/xdocs/index.xml
  
  Index: index.xml
  ===================================================================
  RCS file: /home/cvs/httpd-site/xdocs/index.xml,v
  retrieving revision 1.43
  retrieving revision 1.44
  diff -u -r1.43 -r1.44
  --- index.xml	15 Jun 2003 19:15:49 -0000	1.43
  +++ index.xml	9 Jul 2003 11:11:34 -0000	1.44
  @@ -15,7 +15,7 @@
   with the current HTTP standards.</p>
   
   <p>Apache has been the most popular web server on the Internet since
  -April of 1996.  The June 2003 <a 
  +April of 1996.  The July 2003 <a 
   href="http://news.netcraft.com/">Netcraft Web Server Survey</a>
   found that 63% of the web sites on the Internet are using Apache, thus 
   making it more widely used than all other web servers combined.</p>
  @@ -37,41 +37,34 @@
   your downloads using PGP or MD5 signatures!</p>
   </section>
   
  -<section id="2.0.46">
  -<title>Apache 2.0.46 Released</title>
  +<section id="2.0.47">
  +<title>Apache 2.0.47 Released</title>
   
   <p>The Apache HTTP Server Project is proud to <a
   href="http://www.apache.org/dist/httpd/Announcement2.html">announce</a> the
  -ninth public release of Apache 2.0.</p>
  +tenth public release of Apache 2.0.</p>
   
   <p>This version of Apache is principally a security and bug fix release.
  -   Of particular note is that 2.0.46 addresses two security
  +   Of particular note is that 2.0.47 addresses four security
      vulnerabilities:</p>
   
  -<p>Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
  -   certain circumstances.  This can be triggered remotely through mod_dav
  -   and possibly other mechanisms.  The crash was originally reported by
  -   David Endler &lt;DEndler@iDefense.com&gt; and was researched and fixed by
  -   Joe Orton &lt;jorton@redhat.com&gt;.  Specific details and an analysis of the
  -   crash will be published Friday, May 30.  No more specific information
  -   is disclosed at this time, but all Apache 2.0 users are encouraged to
  -   upgrade now.<br />
  -   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245</a>]</code></p>
  -  
  -<p>Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were
  -   vulnerable to a denial-of-service attack on the basic authentication
  -   module, which was reported by John Hughes &lt;john.hughes@entegrity.com&gt;.
  -   A bug in the configuration scripts caused the <code>apr_password_validate()</code>
  -   function to be thread-unsafe on platforms with <code>crypt_r()</code>, including
  -   AIX and Linux.  All versions of Apache 2.0 have this thread-safety
  -   problem on platforms with no <code>crypt_r()</code> and no thread-safe <code>crypt()</code>,
  -   such as Mac OS X and possibly others.  When using a threaded MPM (which
  -   is not the default on these platforms), this allows remote attackers
  -   to create a denial of service which causes valid usernames and
  -   passwords for Basic Authentication to fail until Apache is restarted.
  -   We do not believe this bug could allow unauthorized users to gain
  -   access to protected resources.<br />
  -   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189</a>]</code></p>
  +<p>Certain sequences of per-directory renegotiations and the SSLCipherSuite
  +   directive being used to upgrade from a weak ciphersuite to a strong one
  +   could result in the weak ciphersuite being used in place of the strong
  +   one.<br />
  +   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0192">CAN-2003-0192</a>]</code></p>
  +
  +<p>Certain errors returned by accept() on rarely accessed ports could cause
  +   temporal denial of service, due to a bug in the prefork MPM.<br />
  +   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0253">CAN-2003-0253</a>]</code></p>
  +
  +<p>Denial of service was caused when target host is IPv6 but ftp proxy
  +   server can't create IPv6 socket.<br />
  +   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0254">CAN-2003-0254</a>]</code></p>
  +
  +<p>The server would crash when going into an infinite loop due to too many
  +   subsequent internal redirects and nested subrequests.<br />
  +   <code>[VU#379828]</code></p>
   
   <p>For further details, see the <a
   href="http://www.apache.org/dist/httpd/Announcement2.html">announcement</a>.</p>
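Review bot: the last added item cites "[VU#379828]" as bare text while the three CAN items each link to their advisory entry; link it or say where the advisory can be found. The IPv6 paragraph also mixes tenses and drops articles ("was caused when target host is IPv6 but ftp proxy server can't create IPv6 socket"); suggest "A denial of service could occur when the target host is IPv6 but the FTP proxy server cannot create an IPv6 socket."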
  
  
  
