Return-Path: Delivered-To: apmail-httpd-cvs-archive@www.apache.org Received: (qmail 61342 invoked from network); 15 Sep 2004 13:25:08 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur-2.apache.org with SMTP; 15 Sep 2004 13:25:08 -0000 Received: (qmail 47880 invoked by uid 500); 15 Sep 2004 13:25:07 -0000 Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 47806 invoked by uid 500); 15 Sep 2004 13:25:06 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 47791 invoked by uid 500); 15 Sep 2004 13:25:06 -0000 Delivered-To: apmail-httpd-dist-cvs@apache.org Received: (qmail 47788 invoked by uid 99); 15 Sep 2004 13:25:06 -0000 X-ASF-Spam-Status: No, hits=-10.0 required=10.0 tests=ALL_TRUSTED,NO_REAL_NAME X-Spam-Check-By: apache.org Received: from [209.237.227.194] (HELO minotaur.apache.org) (209.237.227.194) by apache.org (qpsmtpd/0.28) with SMTP; Wed, 15 Sep 2004 06:25:05 -0700 Received: (qmail 61263 invoked by uid 1582); 15 Sep 2004 13:25:04 -0000 Date: 15 Sep 2004 13:25:04 -0000 Message-ID: <20040915132504.61262.qmail@minotaur.apache.org> From: jorton@apache.org To: httpd-dist-cvs@apache.org Subject: cvs commit: httpd-dist Announcement2.html X-Virus-Checked: Checked X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N jorton 2004/09/15 06:25:04 Modified: . Announcement2.html Log: Convert to HTML. Revision Changes Path 1.48 +38 -24 httpd-dist/Announcement2.html Index: Announcement2.html =================================================================== RCS file: /home/cvs/httpd-dist/Announcement2.html,v retrieving revision 1.47 retrieving revision 1.48 diff -d -w -u -r1.47 -r1.48 --- Announcement2.html 1 Jul 2004 16:55:41 -0000 1.47 +++ Announcement2.html 15 Sep 2004 13:25:03 -0000 1.48 @@ -14,44 +14,58 @@ > -

Apache HTTP Server 2.0.50 Released

+

Apache HTTP Server 2.0.51 Released

The Apache Software Foundation and the The Apache HTTP Server Project are - pleased to announce the release of version 2.0.50 of the Apache HTTP + pleased to announce the release of version 2.0.51 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes - in 2.0.50 as compared to 2.0.49. The Announcement is also available in - German and Japanese from:

+ in 2.0.51 as compared to 2.0.50.

-
-
http://www.apache.org/dist/httpd/Announcement2.html.de
-
http://www.apache.org/dist/httpd/Announcement2.html.ja
-
+

This version of Apache is principally a bug fix release. Of + particular note is that 2.0.51 addresses five security + vulnerabilities:

-

This version of Apache is principally a bug fix release. A summary of - the bug fixes is given at the end of this document. Of particular - note is that 2.0.50 addresses two security vulnerabilities:

+

An input validation issue in IPv6 literal address parsing which + can result in a negative length parameter being passed to memcpy.
+ [CAN-2004-0786]

-

A remotely triggered memory leak in http header parsing can allow a - denial of service attack due to excessive memory consumption.
+

A buffer overflow in configuration file parsing could allow a + local user to gain the privileges of a httpd child if the server + can be forced to parse a carefully crafted .htaccess file.
[CAN-2004-0493]

+ href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0747" + >CAN-2004-0747]

+

A segfault in mod_ssl which can be triggered by a malicious + remote server, if proxying to SSL servers has been configured.
+ [CAN-2004-0751]

-

Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a - (trusted) client certificate subject DN which exceeds 6K in length.
+

A potential infinite loop in mod_ssl which could be triggered + given particular timing of a connection abort.
[CAN-2004-0488]

+ href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748" + >CAN-2004-0748]

+ +

A segfault in mod_dav_fs which can be remotely triggered by an + indirect lock refresh request.
+ [CAN-2004-0809]

+

The Apache HTTP Server Project would like to thank Codenomicon for + supplying copies of their "HTTP Test Tool" used to discover + CAN-2004-0786, and to SITIC for reporting the discovery of + CAN-2004-0747.

This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.

-

Apache 2.0.50 is available for download from

+

Apache 2.0.51 is available for download from

http://httpd.apache.org/download.cgi
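Review bot: the five advisory identifiers in this hunk are not linked consistently; in the visible lines only `CAN-2004-0747` and `CAN-2004-0748` carry an `href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=..."` anchor, while `[CAN-2004-0786]`, `[CAN-2004-0751]` and `[CAN-2004-0809]` appear as bare bracketed text. Since the point of converting the announcement to HTML is that readers can follow each identifier to its CVE entry, the remaining three should get the same anchor form. Two smaller points while this paragraph is being touched: the retained context line "The Apache Software Foundation and the The Apache HTTP Server Project" still carries the duplicated "the The", and "a httpd child" in the CAN-2004-0747 entry reads better as "an httpd child". Finally, the removed sentence "A summary of the bug fixes is given at the end of this document" was the only pointer to the changes summary; if that section still exists in the new file, consider keeping a reference to it in the intro.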