httpd-cvs mailing list archives

From j..@apache.org
Subject svn commit: r320829 - in /httpd/httpd/dist: Announcement1.3.html Announcement1.3.txt
Date Thu, 13 Oct 2005 17:52:37 GMT
Author: jim
Date: Thu Oct 13 10:52:34 2005
New Revision: 320829

URL: http://svn.apache.org/viewcvs?rev=320829&view=rev
Log:
Preload 1.3.34 Announcement

Modified:
    httpd/httpd/dist/Announcement1.3.html
    httpd/httpd/dist/Announcement1.3.txt

Modified: httpd/httpd/dist/Announcement1.3.html
URL: http://svn.apache.org/viewcvs/httpd/httpd/dist/Announcement1.3.html?rev=320829&r1=320828&r2=320829&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement1.3.html (original)
+++ httpd/httpd/dist/Announcement1.3.html Thu Oct 13 10:52:34 2005
@@ -15,45 +15,34 @@
 <IMG SRC="../../images/apache_sub.gif" ALT="">
 
 
-<h1>Apache HTTP Server 1.3.33 Released</h1>
+<h1>Apache HTTP Server 1.3.34 Released</h1>
                                        
 <p> The Apache Software Foundation and The Apache HTTP Server Project are
-   pleased to announce the release of version 1.3.33 of the Apache HTTP
+   pleased to announce the release of version 1.3.34 of the Apache HTTP
    Server ("Apache").  This Announcement notes the significant changes
-   in 1.3.33 as compared to 1.3.31 (1.3.32 was not formally released).
-   The Announcement is also available in German and Japanese from:</p>
-<dl>   
-  <dd><a href="http://www.apache.org/dist/httpd/Announcement1.3.html.de"
-          >http://www.apache.org/dist/httpd/Announcement1.3.html.de</a></dd>
-<!--  <dd><a href="http://www.apache.org/dist/httpd/Announcement1.3.txt.es"
-    >http://www.apache.org/dist/httpd/Announcement1.3.txt.es</a></dd> -->
-  <dd><a href="http://www.apache.org/dist/httpd/Announcement1.3.txt.ja"
-    >http://www.apache.org/dist/httpd/Announcement1.3.txt.ja</a></dd>
-</dl>
+   in 1.3.34 as compared to 1.3.33.</p>
 
 <p>This version of Apache is principally a bug and security fix release.
    A partial summary of the bug fixes is given at the end of this document.
    A full listing of changes can be found in the CHANGES file.  Of
-   particular note is that 1.3.33 addresses and fixes 2 potential
+   particular note is that 1.3.34 addresses and fixes 2 potential
    security issues:</p>
 
 <ul>
-<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940">
-       CAN-2004-0940 (cve.mitre.org)</a><br>
-       Fix potential buffer overflow with escaped characters in
-       SSI tag string.</li>
-<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492">
-       CAN-2004-0492 (cve.mitre.org)</a><br>
-       Reject responses from a remote server if sent an invalid
-       (negative) Content-Length.</li>
+<li>If a request contains both Transfer-Encoding and 
+       Content-Length headers, remove the Content-Length, mitigating some 
+       HTTP Request Splitting/Spoofing attacks.</li>
+
+<li>Added TraceEnable [on|off|extended] per-server directive to alter
+       the behavior of the TRACE method.</li>
 </ul>
 
-<p>We consider Apache 1.3.33 to be the best version of Apache 1.3 available
+<p>We consider Apache 1.3.34 to be the best version of Apache 1.3 available
    and we strongly recommend that users of older versions, especially of
    the 1.1.x and 1.2.x family, upgrade as soon as possible.  No further
    releases will be made in the 1.2.x family.</p>
 
-<p>Apache 1.3.33 is available for download from</p>
+<p>Apache 1.3.34 is available for download from</p>
 <dl>
     <dd><a href="http://httpd.apache.org/download.cgi">http://httpd.apache.org/download.cgi</a></dd>
 </dl>
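Review bot: the two replacement list items (`+<li>If a request contains both Transfer-Encoding and` and `+<li>Added TraceEnable [on|off|extended] per-server directive`) drop the cve.mitre.org identifier links that the CAN-2004-0940 and CAN-2004-0492 entries carried, so the sentence "addresses and fixes 2 potential security issues" now gives readers nothing to cross-reference; add the identifiers in the same `<a href=...>` form once they are assigned, or note that they are pending. The second item also describes a new directive rather than a fixed flaw, so counting it as one of two "security issues" reads as overstated unless the TRACE request-body problem it addresses is stated here as it is in the .txt hunk of this same commit. Minor: the added lines ending in `Transfer-Encoding and ` and `mitigating some ` carry trailing whitespace.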
@@ -103,73 +92,54 @@
 
 <p>Apache 2.0 has been structured for multiple operating systems from its 
    inception, by introducing the Apache Portability Library and MPM modules.
-   Users on non-Unix platforms are strongly encouraged to move up to 
+   Users on Unix and non-Unix platforms are strongly encouraged to move up to 
    Apache 2.0 for better performance, stability and security on their
-   platforms.</p>
+   platforms. We consider Apache 2.0.55 to be the best available version at the
+   time of this release.  We offer Apache 1.3.34 as the best legacy version
+   of Apache 1.3 available, and strongly recommend that users who require
+   compatibility with existing Apache 1.3 installations should upgrade
+   as soon as possible.  Users should first consider upgrading to the
+   current release of Apache 2 instead.</p>
 
 <p>Apache is the most popular web server in the known universe; over half
    of the servers on the Internet are running Apache or one of its
    variants.</p>
 
-<h2>Apache 1.3.33 Major changes</h2>
+<h2>Apache 1.3.34 Major changes</h2>
 <h3>Security vulnerabilities</h3>
 
 <p>
-   The main security vulnerabilities addressed in 1.3.33 are:
+   The main security vulnerabilities addressed in 1.3.34 are:
 </p>
 <ul>
-<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940">
-       CAN-2004-0940 (cve.mitre.org)</a><br>
-       Fix potential buffer overflow with escaped characters in
-       SSI tag string.</li>
-<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492">
-       CAN-2004-0492 (cve.mitre.org)</a><br>
-       Reject responses from a remote server if sent an invalid
-       (negative) Content-Length.</li>
+<li>If a request contains both Transfer-Encoding and 
+       Content-Length headers, remove the Content-Length, mitigating some 
+       HTTP Request Splitting/Spoofing attacks.</li>
+
+<li>Added TraceEnable [on|off|extended] per-server directive to alter
+       the behavior of the TRACE method.</li>
 </ul>
 <h3>New features</h3>
 <p>
    New features that relate to specific platforms:
 </p>
 <ul>
-  <li>Win32: Improve error reporting after a failed attempt to spawn a 
-       piped log process or rewrite map process.</li>
+  <li>None</li>
 </ul>
 <p>
    New features that relate to specific platforms:
 </p>
 <ul>
-  <li>Added new compile-time flag: <code>UCN_OFF_HONOR_PHYSICAL_PORT</code>.
-       It controls how <code>UseCanonicalName Off</code> determines the port
value if
-       the client doesn't provide one in the <code>Host</code> header. If defined
during
-       compilation, <code>UseCanonicalName Off</code> will use the physical port
number
-       to generate the canonical name. If not defined, it tries the current
-       <code>Port</code> value followed by the default port for the current scheme.</li>
+  <li>None</li>
 </ul>
 <p>
 <h3>Bugs fixed</h3>
 <p>
-   The following bugs were found in Apache 1.3.31 (or earlier) and have been fixed in
-   Apache 1.3.33:
+   The following bugs were found in Apache 1.3.33 (or earlier) and have been fixed in
+   Apache 1.3.34:
 </p>
 <ul>
-     <li><code>mod_rewrite</code>: Fix query string handling for proxied
URLs. PR 14518.</li>
-                                                                                
-     <li><code>mod_rewrite</code>: Fix 0 bytes write into random memory
position.
-       PR 31036.</li>
-
-     <li><code>mod_digest</code>: Fix nonce string calculation since 1.3.31
which
-       would force re-authentication for every connection if
-       <code>AuthDigestRealmSeed</code> was not configured.  PR 30920.</li>
-
-     <li>Fix trivial bug in <code>mod_log_forensic</code> that caused the
child
-       to seg fault when certain invalid requests were fired at it with
-       forensic logging is enabled.  PR 29313.</li>
-
-     <li>No longer breaks mod_dav, frontpage and others.  Repair a patch
-       in 1.3.31 which prevented discarding the request body for requests
-       that will be keptalive but are not currently keptalive. PR 29237.</li>
-</li>
+     <li><code>mod_digest</code>: Fix another nonce string calculation
issue.</li>
 </ul>
 
 </BODY>
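Review bot: the unchanged context line `New features that relate to specific platforms:` that follows the first `<li>None</li>` repeats the heading of the list above it, while the .txt file reads `New features that relate to all platforms:` for the same list; since this hunk already touches the surrounding lines, correct the heading here rather than leaving the HTML and text versions disagreeing. The two Security vulnerabilities entries are also shorter than their .txt counterparts, which add the mod_proxy_http and chunked-encoding scope and the RFC 2616 TRACE-body explanation; both announcements should carry the same wording. Dropping the stray `</li>` after the last bug entry is correct. The context line `<p>` directly before `<h3>Bugs fixed</h3>` is never closed and is worth fixing while here.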

Modified: httpd/httpd/dist/Announcement1.3.txt
URL: http://svn.apache.org/viewcvs/httpd/httpd/dist/Announcement1.3.txt?rev=320829&r1=320828&r2=320829&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement1.3.txt (original)
+++ httpd/httpd/dist/Announcement1.3.txt Thu Oct 13 10:52:34 2005
@@ -1,35 +1,35 @@
 
-                   Apache HTTP Server 1.3.33 Released
+                   Apache HTTP Server 1.3.34 Released
 
    The Apache Software Foundation and The Apache HTTP Server Project are
-   pleased to announce the release of version 1.3.33 of the Apache HTTP
+   pleased to announce the release of version 1.3.34 of the Apache HTTP
    Server ("Apache").  This Announcement notes the significant changes
-   in 1.3.33 as compared to 1.3.31 (1.3.32 was not formally released).
+   in 1.3.34 as compared to 1.3.33.
+
    The Announcement is also available in German and Japanese from:
 
-        http://www.apache.org/dist/httpd/Announcement1.3.txt.de
-        http://www.apache.org/dist/httpd/Announcement1.3.txt.ja
+        http://www.apache.org/dist/httpd/Announcement.txt.de
+        http://www.apache.org/dist/httpd/Announcement.txt.ja
 
    This version of Apache is principally a bug and security fix release.
    A partial summary of the bug fixes is given at the end of this document.
    A full listing of changes can be found in the CHANGES file.  Of
-   particular note is that 1.3.33 addresses and fixes 2 potential
+   particular note is that 1.3.34 addresses and fixes 2 potential
    security issues:
 
-     o CAN-2004-0940 (cve.mitre.org)
-       Fix potential buffer overflow with escaped characters in
-       SSI tag string.
-
-     o CAN-2004-0492 (cve.mitre.org)
-       Reject responses from a remote server if sent an invalid
-       (negative) Content-Length.
+     o If a request contains both Transfer-Encoding and 
+       Content-Length headers, remove the Content-Length, mitigating some 
+       HTTP Request Splitting/Spoofing attacks.
+
+     o Added TraceEnable [on|off|extended] per-server directive to alter
+       the behavior of the TRACE method.
 
-   We consider Apache 1.3.33 to be the best version of Apache 1.3 available
+   We consider Apache 1.3.34 to be the best version of Apache 1.3 available
    and we strongly recommend that users of older versions, especially of
    the 1.1.x and 1.2.x family, upgrade as soon as possible.  No further
    releases will be made in the 1.2.x family.
 
-   Apache 1.3.33 is available for download from:
+   Apache 1.3.34 is available for download from:
    
        http://httpd.apache.org/download.cgi
 
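Review bot: the translated-announcement URLs change from `Announcement1.3.txt.de` / `Announcement1.3.txt.ja` to `Announcement.txt.de` / `Announcement.txt.ja`, dropping the 1.3 suffix even though the file being edited is still Announcement1.3.txt; this looks like a copy-and-paste error that would send 1.3 readers to a different announcement, so either keep the 1.3 filenames or drop the paragraph as the HTML hunk in this commit does. The added lines ending in `Transfer-Encoding and ` and `mitigating some ` carry trailing whitespace.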
@@ -74,56 +74,45 @@
 
    Apache 2.0 has been structured for multiple operating systems from its 
    inception, by introducing the Apache Portability Library and MPM modules.
-   Users on non-Unix platforms are strongly encouraged to move up to 
+   Users on Unix and non-Unix platforms are strongly encouraged to move up to 
    Apache 2.0 for better performance, stability and security on their
-   platforms.
+   platforms. We consider Apache 2.0.55 to be the best available version at
+   the time of this release.  We offer Apache 1.3.34 as the best legacy
+   version of Apache 1.3 available, and strongly recommend that users who
+   require compatibility with existing Apache 1.3 installations should
+   upgrade as soon as possible.  Users should first consider upgrading to
+   the current release of Apache 2 instead.
 
-                     Apache 1.3.33 Major changes
+                     Apache 1.3.34 Major changes
 
   Security vulnerabilities
 
-     * CAN-2004-0940 (cve.mitre.org)
-       Fix potential buffer overflow with escaped characters in
-       SSI tag string.
-
-     * CAN-2004-0492 (cve.mitre.org)
-       Reject responses from a remote server if sent an invalid
-       (negative) Content-Length.
+     * SECURITY: core: If a request contains both Transfer-Encoding and 
+       Content-Length headers, remove the Content-Length, mitigating some 
+       HTTP Request Splitting/Spoofing attacks.  This has no impact on
+       mod_proxy_http, yet affects any module which supports chunked
+       encoding yet fails to prefer T-E: chunked over the Content-Length
+       purported value.
+
+     * Added TraceEnable [on|off|extended] per-server directive to alter
+       the behavior of the TRACE method.  This addresses a flaw in proxy
+       conformance to RFC 2616 - previously the proxy server would accept
+       a TRACE request body although the RFC prohibited it.  The default
+       remains 'TraceEnable on'.
 
   New features
 
    New features that relate to specific platforms:
 
-     * Win32: Improve error reporting after a failed attempt to spawn a 
-       piped log process or rewrite map process.
+     * None
 
    New features that relate to all platforms:
 
-     * Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT.
-       It controls how UseCanonicalName Off determines the port value if
-       the client doesn't provide one in the Host header. If defined during
-       compilation, UseCanonicalName Off will use the physical port number
-       to generate the canonical name. If not defined, it tries the current
-       Port value followed by the default port for the current scheme.
+     * None
 
   Bugs fixed
 
-   The following noteworthy bugs were found in Apache 1.3.31 (or earlier)
-   and have been fixed in Apache 1.3.33:
+   The following noteworthy bugs were found in Apache 1.3.33 (or earlier)
+   and have been fixed in Apache 1.3.34:
 
-     * mod_rewrite: Fix query string handling for proxied URLs. PR 14518.
-                                                                                
-     * mod_rewrite: Fix 0 bytes write into random memory position.
-       PR 31036.
-
-     * mod_digest: Fix nonce string calculation since 1.3.31 which
-       would force re-authentication for every connection if
-       AuthDigestRealmSeed was not configured.  PR 30920.
-
-     * Fix trivial bug in mod_log_forensic that caused the child
-       to seg fault when certain invalid requests were fired at it with
-       forensic logging is enabled.  PR 29313.
-
-     * No longer breaks mod_dav, frontpage and others.  Repair a patch
-       in 1.3.31 which prevented discarding the request body for requests
-       that will be keptalive but are not currently keptalive. PR 29237.
+     * mod_digest: Fix another nonce string calculation issue.
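Review bot: the first security entry (`SECURITY: core: ...`) is hard to read: "yet affects any module which supports chunked encoding yet fails to prefer T-E: chunked over the Content-Length purported value" uses "yet" twice and "purported value" is unclear; suggest "but affects any module that supports chunked encoding and does not prefer Transfer-Encoding: chunked over the claimed Content-Length". Neither entry carries a CVE/CAN identifier as the replaced entries did; add them once assigned. The explanatory sentences added here (mod_proxy_http scope, RFC 2616 TRACE body, default `TraceEnable on`) do not appear in the HTML hunk, so the two announcements now diverge.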


