httpd-cvs mailing list archives

From c...@apache.org
Subject svn commit: r396592 - in /httpd/httpd/dist: Announcement2.0.html Announcement2.0.txt
Date Mon, 24 Apr 2006 16:02:10 GMT
Author: colm
Date: Mon Apr 24 09:01:45 2006
New Revision: 396592

URL: http://svn.apache.org/viewcvs?rev=396592&view=rev
Log:
Finalise the announcement texts

Modified:
    httpd/httpd/dist/Announcement2.0.html
    httpd/httpd/dist/Announcement2.0.txt

Modified: httpd/httpd/dist/Announcement2.0.html
URL: http://svn.apache.org/viewcvs/httpd/httpd/dist/Announcement2.0.html?rev=396592&r1=396591&r2=396592&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement2.0.html (original)
+++ httpd/httpd/dist/Announcement2.0.html Mon Apr 24 09:01:45 2006
@@ -14,63 +14,35 @@
 >
 <img src="../../images/apache_sub.gif" alt="">
 
-<h1>Apache HTTP Server 2.0.55 Released</h1>
+<h1>Apache HTTP Server 2.0.57 Released</h1>
 
 <p>The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the release of version 2.0.55 of the Apache HTTP
-   Server ("Apache").  This Announcement notes the significant changes
-   in 2.0.55 as compared to 2.0.54.  This Announcement2.0 document may 
-   also be available in multiple languages at:</p>
+   pleased to announce the legacy release of version 2.0.57 of the Apache HTTP
+   Server ("Apache").  This Announcement notes the significant changes in
+   2.0.57 as compared to 2.0.55.  This Announcement2.0 document may also be
+   available in multiple languages at:</p>
 
 <dl>
 <dd><a href="http://www.apache.org/dist/httpd/"
       >http://www.apache.org/dist/httpd/</a></dd>
 </dl>
 
-<p>This version of Apache is principally a security release.  The
-   following potential security flaws are addressed, the first three 
-   of which address several classes of HTTP Request and Response 
-   Splitting/Spoofing attacks;</p>
+<p>This version of Apache is principally a bug and security fix release.
+   The following potential security flaws are addressed;</p>
 
 <dl>
-<dt>CAN-2005-2088 (cve.mitre.org)</dt>
+<dt>CVE-2005-3357 (cve.mitre.org)</dt>
 
- <dd>core: If a request contains both Transfer-Encoding and Content-Length
-     headers, remove the Content-Length.</dd>
-
- <dd>proxy_http: Correctly handle the Transfer-Encoding and Content-Length
-     request headers.  Discard the request Content-Length whenever chunked
-     T-E is used, always passing one of either C-L or T-E chunked whenever 
-     the request includes a request body.</dd>
-
-<dt>Unassigned</dt>
-
- <dd>proxy_http: If a response contains both Transfer-Encoding and a 
-     Content-Length, remove the Content-Length and don't reuse the
-     connection.</dd>
-
-<dt>CAN-2005-2700 (cve.mitre.org)</dt>
-
- <dd>mod_ssl: Fix a security issue where "SSLVerifyClient" was not
-     enforced in per-location context if "SSLVerifyClient optional"
-     was configured in the vhost configuration.</dd>
-
-<dt>CAN-2005-2491 (cve.mitre.org)</dt>
- 
- <dd>pcre: Fix integer overflows in PCRE in quantifier parsing which 
-     could be triggered by a local user through use of a carefully
-     crafted regex in an .htaccess file.</dd>
-
-<dt>CAN-2005-2728 (cve.mitre.org)</dt>
-
- <dd>Fix cases where the byterange filter would buffer responses
-     into memory.</dd>
-
-<dt>CAN-2005-1268 (cve.mitre.org)</dt>
-
- <dd>mod_ssl: Fix off-by-one overflow whilst printing CRL information
-     at "LogLevel debug" which could be triggered if configured 
-     to use a "malicious" CRL.</dd>
+ <dd>mod_ssl: When configured with an SSL vhost with access control and a
+     custom error 400 error page, mod_ssl allows remote attackers to cause
+     a denial of service (application crash) via a non-SSL request to an
+     SSL port, which triggers a NULL pointer dereference.</dd>
+
+<dt>CVE-2005-3352 (cve.mitre.org)</dt>
+
+ <dd>mod_imap: Cross-site scripting (XSS) vulnerability which allows remote
+     attackers to inject arbitrary web script or HTML via the Referer when
+     using image maps.</dd>
 
 </dl>
 
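Review bot: In the new CVE-2005-3357 entry, "a custom error 400 error page" repeats "error"; "a custom 400 error page" reads cleanly. Both new <dd> entries also describe the flaw ("allows remote attackers to ...") rather than the fix, although the lead-in says the flaws "are addressed", and the entries they replace were phrased as fixes ("mod_ssl: Fix ..."). Consider wording such as "mod_ssl: Fix a NULL pointer dereference ..." so a reader skimming the list does not take 2.0.57 to be the affected version. The lead-in "are addressed;" would also read better ending in a colon.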
@@ -78,30 +50,26 @@
    issues and vulnerabilities for the responsible reporting and
    thorough analysis of these vulnerabilities.</p>
 
-<p>This release further addresses a number of cross-platform bugs,
-   as well as specific issues on OS/X 10.4, Win32, AIX, and across
-   all EBCDIC platforms, and adds compatibility with OpenSSL 0.9.8.</p>
-
 <p>This release is compatible with modules compiled for 2.0.42 and
    later versions.  We consider this release to be the best version
    of Apache available and encourage users of all prior versions to
    upgrade.</p>
 
 <p>This release includes the Apache Portable Runtime library suite
-   release version 0.9.7, bundled with the tar and zip distributions.
+   release version 0.9.12, bundled with the tar and zip distributions.
    These libraries; libapr, libaprutil, and on Win32, libapriconv must
    all be updated to ensure binary compatibility and address many
    known platform bugs.</p>
 
-<p>Apache HTTP Server 2.0.55 is available for download from</p>
+<p>Apache HTTP Server 2.0.57 is available for download from</p>
 <dl>
   <dd><a href="http://httpd.apache.org/download.cgi"
         >http://httpd.apache.org/download.cgi</a></dd>
 </dl>
 
 <p>Please see the CHANGES_2.0 file, linked from the above page, for
-   a full list of changes.  A condensed list, CHANGES_2.0.55 provides
-   the complete list of changes since 2.0.54, including changes to
+   a full list of changes.  A condensed list, CHANGES_2.0.57 provides
+   the complete list of changes since 2.0.55, including changes to
    the APR suite of libraries.</p>
    
 <p>Apache 2.0 offers numerous enhancements, improvements, and performance
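Review bot: The unchanged paragraph "We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade" now conflicts with the paragraph this commit adds at the end of the file, which calls Apache 2.2 the best available version and 2.0.57 the best legacy version. Reword the retained sentence (for example, "the best version of Apache 2.0 available") so the upgrade guidance is consistent. Separately, removing the cross-platform bug summary leaves the "bug and security fix release" description with no bug fixes named in the announcement; the CHANGES_2.0.57 pointer covers it, but one sentence summarising the notable fixes would help.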
@@ -118,6 +86,19 @@
    they depend on) that you will be using are thread-safe.  Please 
    refer to the documentation of these modules and libraries to obtain 
    this information.</p>
+
+<p>Apache 2.2 offers numerous enhancements, improvements, and performance
+   boosts over the 2.0 codebase. For an overview of new features introduced
+   after 2.0 please see</p>
+<dl>
+    <dd><a href="http://httpd.apache.org/docs/2.2/new_features_2_2.html"
+          >http://httpd.apache.org/docs/2.2/new_features_2_2.html</a></dd>
+</dl>
+
+<p>We consider Apache 2.2 to be the best available version at the time of
+   this release.  We offer Apache 2.0.57 as the best legacy version of Apache
+   2.0 available. Users should first consider upgrading to the current release
+   of Apache 2.2 instead.</p>
 
 </body>
 </html>
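Review bot: The added closing paragraph steers users to "the current release of Apache 2.2" without saying whether that release carries the fixes for CVE-2005-3357 and CVE-2005-3352 listed earlier in this announcement. A user who follows the advice for security reasons needs that stated, or a link to the 2.2 announcement. Minor: the new <dd> is indented four spaces, while the download <dl> earlier in the file uses two.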

Modified: httpd/httpd/dist/Announcement2.0.txt
URL: http://svn.apache.org/viewcvs/httpd/httpd/dist/Announcement2.0.txt?rev=396592&r1=396591&r2=396592&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement2.0.txt (original)
+++ httpd/httpd/dist/Announcement2.0.txt Mon Apr 24 09:01:45 2006
@@ -68,7 +68,7 @@
 
      http://httpd.apache.org/docs/2.2/new_features_2_2.html
 
-   We consider Apache 2.2.2 to be the best available version at the time of
+   We consider Apache 2.2 to be the best available version at the time of
    this release.  We offer Apache 2.0.57 as the best legacy version of Apache
    2.0 available. Users should first consider upgrading to the current release
    of Apache 2.2 instead.


