httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jor...@apache.org
Subject cvs commit: httpd-dist Announcement2.txt
Date Wed, 15 Sep 2004 10:59:17 GMT
jorton      2004/09/15 03:59:17

  Modified:    .        Announcement2.txt
  Log:
  Draft text with feedback from Sander & Mark.
  
  Revision  Changes    Path
  1.43      +35 -21    httpd-dist/Announcement2.txt
  
  Index: Announcement2.txt
  ===================================================================
  RCS file: /home/cvs/httpd-dist/Announcement2.txt,v
  retrieving revision 1.42
  retrieving revision 1.43
  diff -d -w -u -r1.42 -r1.43
  --- Announcement2.txt	1 Jul 2004 16:55:41 -0000	1.42
  +++ Announcement2.txt	15 Sep 2004 10:59:17 -0000	1.43
  @@ -1,32 +1,46 @@
   
  -                   Apache HTTP Server 2.0.50 Released
  +                   Apache HTTP Server 2.0.51 Released
   
      The Apache Software Foundation and the  The Apache HTTP Server Project are
  -   pleased to announce the release of version 2.0.50 of the Apache HTTP
  +   pleased to announce the release of version 2.0.51 of the Apache HTTP
      Server ("Apache").  This Announcement notes the significant changes
  -   in 2.0.50 as compared to 2.0.49.  The Announcement is also available in
  -   German and Japanese from:
  +   in 2.0.51 as compared to 2.0.50.
        
  -     http://www.apache.org/dist/httpd/Announcement2.txt.de
  -     http://www.apache.org/dist/httpd/Announcement2.txt.ja
  +   This version of Apache is principally a bug fix release.  Of
  +   particular note is that 2.0.51 addresses five security
  +   vulnerabilities:
   
  -   This version of Apache is principally a bug fix release.  A summary of
  -   the bug fixes is given at the end of this document.  Of particular
  -   note is that 2.0.50 addresses two security vulnerabilities:
  +     An input validation issue in IPv6 literal address parsing which
  +     can result in a negative length parameter being passed to memcpy.
  +     [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786]
   
  -     A remotely triggered memory leak in http header parsing can allow a
  -     denial of service attack due to excessive memory consumption.
  -     [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493]
  +     A buffer overflow in configuration file parsing could allow a
  +     local user to gain the privileges of a httpd child if the server
  +     can be forced to parse a carefully crafted .htaccess file.
  +     [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0747]
   
  -     Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a
  -     (trusted) client certificate subject DN which exceeds 6K in length.
  -     [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488]
  +     A segfault in mod_ssl which can be triggered by a malicious
  +     remote server, if proxying to SSL servers has been configured.
  +     [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0751]
    
  -   This release is compatible with modules compiled for 2.0.42 and later
  -   versions.  We consider this release to be the best version of Apache
  -   available and encourage users of all prior versions to upgrade.
  +     A potential infinite loop in mod_ssl which could be triggered 
  +     given particular timing of a connection abort.
  +     [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748]
   
  -   Apache HTTP Server 2.0.50 is available for download from
  +     A segfault in mod_dav_fs which can be remotely triggered by an
  +     indirect lock refresh request.
  +     [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0809]
  + 
  +   The Apache HTTP Server Project would like to thank Codenomicon for
  +   supplying copies of their "HTTP Test Tool", using which one of the
  +   above issues was discovered (CVE CAN-2004-0786).
  +
  +   This release is compatible with modules compiled for 2.0.42 and
  +   later versions.  We consider this release to be the best version of
  +   Apache available and encourage users of all prior versions to
  +   upgrade.
  +
  +   Apache HTTP Server 2.0.51 is available for download from
   
        http://httpd.apache.org/download.cgi
   
  
  
  

Mime
View raw message