httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j..@apache.org
Subject cvs commit: httpd-site/xdocs index.xml
Date Tue, 11 May 2004 12:43:50 GMT
jim         2004/05/11 05:43:50

  Modified:    docs     index.html
               xdocs    index.xml
  Log:
  Getting more ready for 1.3.31
  
  Revision  Changes    Path
  1.74      +24 -13    httpd-site/docs/index.html
  
  Index: index.html
  ===================================================================
  RCS file: /home/cvs/httpd-site/docs/index.html,v
  retrieving revision 1.73
  retrieving revision 1.74
  diff -u -r1.73 -r1.74
  --- index.html	19 Mar 2004 21:51:20 -0000	1.73
  +++ index.html	11 May 2004 12:43:49 -0000	1.74
  @@ -94,21 +94,21 @@
              <table border="0" cellspacing="0" cellpadding="2" width="100%">
    <tr><td bgcolor="#525D76">
     <font color="#ffffff" face="arial,helvetica,sanserif">
  -   <a name="bugnotice"><strong>Important Bug Workaround for 2.0.48 and 1.3.29</strong></a>
  +   <a name="bugnotice"><strong>Important Bug Workaround for 2.0.48 and 1.3.31</strong></a>
     </font>
    </td></tr>
    <tr><td>
     <blockquote>
   <p>If you use mod_usertrack with the default
   <a href="http://httpd.apache.org/docs-2.0/mod/mod_usertrack.html#cookiename">CookieName</a>
(ie, there is no CookieName directive in your config file), then
  -you will encounter a bug in 2.0.48 and 1.3.29.
  +you will encounter a bug in 2.0.48 and 1.3.31.
   </p>
   <p>The patch that was added to these versions to help prevent false-positive
   matches of the CookieName did not take into account this case, and therefore
   the regular expression that is now used in the matching process will be NULL
   if no CookieName directive was encountered.</p>
  -<p>This problem will be fixed in both 2.0.49 and 1.3.30 when they are
  -released.  As a simple workaround in 2.0.48 and 1.3.29, simply add the
  +<p>This problem has been fixed in both 2.0.49 and 1.3.31.
  +As a simple workaround in 2.0.48 and 1.3.29, simply add the
   line:
   </p>
   <p><b><code>CookieName Apache</code></b></p>
  @@ -162,27 +162,38 @@
              <table border="0" cellspacing="0" cellpadding="2" width="100%">
    <tr><td bgcolor="#525D76">
     <font color="#ffffff" face="arial,helvetica,sanserif">
  -   <a name="1.3.29"><strong>Apache 1.3.29 Released</strong></a>
  +   <a name="1.3.31"><strong>Apache 1.3.31 Released</strong></a>
     </font>
    </td></tr>
    <tr><td>
     <blockquote>
   <p>The Apache Group is pleased to announce the <a href="http://www.apache.org/dist/httpd/Announcement.html">release
of the 
  -1.3.29 version of the Apache HTTP Server</a>. (German translation
  -<a href="http://www.apache.org/dist/httpd/Announcement.html.de">here</a>)
  +1.3.31 version of the Apache HTTP Server</a>.
   </p>
   <p>This version of Apache is principally a security and bug fix
  -release.  Of particular note is that 1.3.29 addresses and fixes the
  -following issue:</p>
  -<p>A buffer overflow could occur in mod_alias and mod_rewrite when
  -   a regular expression with more than 9 captures is configured.<br />
  -   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542">CAN-2003-0542</a>]</code></p>
  +release.  Of particular note is that 1.3.31 addresses and fixes the
  +following 4 security related issues:</p>
  +<p>In <code>mod_digest</code>, verify whether the nonce returned in the
client 
  +       response is one we issued ourselves.  This problem does not affect
  +       <code>mod_auth_digest</code>.<br. />
  +       <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987">CAN-2003-0987
(cve.mitre.org)</a>]</code></p>
  +<p>Escape arbitrary data before writing into the errorlog.<br />
  +       <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020">CAN-2003-0020
(cve.mitre.org)</a>]</code></p>
  +<p>Fix starvation issue on listening sockets where a short-lived
  +       connection on a rarely-accessed listening socket will cause a
  +       child to hold the accept mutex and block out new connections until
  +       another connection arrives on that rarely-accessed listening socket.<br />
  +       <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174">CAN-2004-0174
(cve.mitre.org)</a>]</code></p>
  +<p>Fix parsing of Allow/Deny rules using IP addresses without a
  +       netmask; issue is only known to affect big-endian 64-bit
  +       platforms<br />
  +       <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993">CAN-2003-0993
(cve.mitre.org)</a>]</code></p>
   <p align="center">
   
   <a href="download.cgi">Download</a> | 
   <a href="docs/windows.html">Apache for Win32</a> |
   <a href="docs/new_features_1_3.html">New Features in Apache 1.3</a> |
  -<a href="http://www.apache.org/dist/httpd/CHANGES_1.3">ChangeLog for 1.3.29</a>
  +<a href="http://www.apache.org/dist/httpd/CHANGES_1.3">ChangeLog for 1.3.31</a>
   </p>
     </blockquote>
    </td></tr>
  
  
  
  1.54      +28 -14    httpd-site/xdocs/index.xml
  
  Index: index.xml
  ===================================================================
  RCS file: /home/cvs/httpd-site/xdocs/index.xml,v
  retrieving revision 1.53
  retrieving revision 1.54
  diff -u -r1.53 -r1.54
  --- index.xml	19 Mar 2004 21:51:20 -0000	1.53
  +++ index.xml	11 May 2004 12:43:49 -0000	1.54
  @@ -38,11 +38,11 @@
   </section>
   
   <section id="bugnotice">
  -<title>Important Bug Workaround for 2.0.48 and 1.3.29</title>
  +<title>Important Bug Workaround for 2.0.48 and 1.3.31</title>
   
   <p>If you use mod_usertrack with the default
   <a href="http://httpd.apache.org/docs-2.0/mod/mod_usertrack.html#cookiename">CookieName</a>
(ie, there is no CookieName directive in your config file), then
  -you will encounter a bug in 2.0.48 and 1.3.29.
  +you will encounter a bug in 2.0.48 and 1.3.31.
   </p>
   
   <p>The patch that was added to these versions to help prevent false-positive
  @@ -50,8 +50,8 @@
   the regular expression that is now used in the matching process will be NULL
   if no CookieName directive was encountered.</p>
   
  -<p>This problem will be fixed in both 2.0.49 and 1.3.30 when they are
  -released.  As a simple workaround in 2.0.48 and 1.3.29, simply add the
  +<p>This problem has been fixed in both 2.0.49 and 1.3.31.
  +As a simple workaround in 2.0.48 and 1.3.29, simply add the
   line:
   </p>
   
  @@ -107,29 +107,43 @@
   
   </section>
   
  -<section id="1.3.29">
  -<title>Apache 1.3.29 Released</title>
  +<section id="1.3.31">
  +<title>Apache 1.3.31 Released</title>
   
   <p>The Apache Group is pleased to announce the <a 
   href="http://www.apache.org/dist/httpd/Announcement.html">release of the 
  -1.3.29 version of the Apache HTTP Server</a>. (German translation
  -<a href="http://www.apache.org/dist/httpd/Announcement.html.de">here</a>)
  +1.3.31 version of the Apache HTTP Server</a>.
   </p>
   
   <p>This version of Apache is principally a security and bug fix
  -release.  Of particular note is that 1.3.29 addresses and fixes the
  -following issue:</p>
  +release.  Of particular note is that 1.3.31 addresses and fixes the
  +following 4 security related issues:</p>
   
  -<p>A buffer overflow could occur in mod_alias and mod_rewrite when
  -   a regular expression with more than 9 captures is configured.<br />
  -   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542">CAN-2003-0542</a>]</code></p>
  +<p>In <code>mod_digest</code>, verify whether the nonce returned in the
client 
  +       response is one we issued ourselves.  This problem does not affect
  +       <code>mod_auth_digest</code>.<br./>
  +       <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987">CAN-2003-0987
(cve.mitre.org)</a>]</code></p>
  +
  +<p>Escape arbitrary data before writing into the errorlog.<br/>
  +       <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020">CAN-2003-0020
(cve.mitre.org)</a>]</code></p>
  +
  +<p>Fix starvation issue on listening sockets where a short-lived
  +       connection on a rarely-accessed listening socket will cause a
  +       child to hold the accept mutex and block out new connections until
  +       another connection arrives on that rarely-accessed listening socket.<br/>
  +       <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174">CAN-2004-0174
(cve.mitre.org)</a>]</code></p>
  +
  +<p>Fix parsing of Allow/Deny rules using IP addresses without a
  +       netmask; issue is only known to affect big-endian 64-bit
  +       platforms<br/>
  +       <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993">CAN-2003-0993
(cve.mitre.org)</a>]</code></p>
   
   <p align="center">
   
   <a href="download.cgi">Download</a> | 
   <a href="docs/windows.html">Apache for Win32</a> |
   <a href="docs/new_features_1_3.html">New Features in Apache 1.3</a> |
  -<a href="http://www.apache.org/dist/httpd/CHANGES_1.3">ChangeLog for 1.3.29</a>
  +<a href="http://www.apache.org/dist/httpd/CHANGES_1.3">ChangeLog for 1.3.31</a>
   </p>
   </section>
   
  
  
  

Mime
View raw message