httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j..@apache.org
Subject svn commit: r407230 - in /httpd/httpd/dist: Announcement1.3.html Announcement1.3.txt
Date Wed, 17 May 2006 12:21:50 GMT
Author: jim
Date: Wed May 17 05:21:50 2006
New Revision: 407230

URL: http://svn.apache.org/viewcvs?rev=407230&view=rev
Log:
Announce 1.3.36

Modified:
    httpd/httpd/dist/Announcement1.3.html
    httpd/httpd/dist/Announcement1.3.txt

Modified: httpd/httpd/dist/Announcement1.3.html
URL: http://svn.apache.org/viewcvs/httpd/httpd/dist/Announcement1.3.html?rev=407230&r1=407229&r2=407230&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement1.3.html (original)
+++ httpd/httpd/dist/Announcement1.3.html Wed May 17 05:21:50 2006
@@ -15,12 +15,12 @@
 <IMG SRC="../../images/apache_sub.gif" ALT="">
 
 
-<h1>Apache HTTP Server 1.3.35 Released</h1>
+<h1>Apache HTTP Server 1.3.36 Released</h1>
                                        
 <p>The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the release of version 1.3.35 of the Apache HTTP
-   Server ("Apache").  This Announcement notes the significant changes
-   in 1.3.35 as compared to 1.3.34.  This Announcement1.3 document may 
+   pleased to announce the release of version 1.3.36 of the Apache HTTP
+   Server ("Apache").  This Announcement notes the significant change
+   in 1.3.36 as compared to 1.3.35.  This Announcement1.3 document may 
    also be available in multiple languages at:</p> 
 
 <dl>
@@ -28,26 +28,28 @@
       >http://www.apache.org/dist/httpd/</a></dd>
 </dl>
 
-<p>This version of Apache is principally a bug and security fix release.
+<p>This version of Apache is principally a bug fix release.
    A partial summary of the bug fixes is given at the end of this document.
    A full listing of changes can be found in the CHANGES file.  Of
-   particular note is that 1.3.35 addresses and fixes 1 potential
-   security issue:</p>
+   particular note is that 1.3.36 addresses and fixes 1 major
+   regression introduced in 1.3.35:</p>
 
 <dl>
-<dt>CVE-2005-3352 (cve.mitre.org)</dt>
+<dt>Include directive regression</dt>
 
- <dd>mod_imap: Escape untrusted referer header before outputting in HTML
-       to avoid potential cross-site scripting.  Change also made to
-       ap_escape_html so we escape quotes.  Reported by JPCERT</dd>
+ <dd>Use of wildcards in the "Include" directive now works
+       again. The new feature introduced in 1.3.35 (Allow usage
+       of the "Include" configuration directive within
+       previously "Include"d files) has been removed in
+       the meantime.</dd>
 </dl>
 
-<p>We consider Apache 1.3.35 to be the best version of Apache 1.3 available
+<p>We consider Apache 1.3.36 to be the best version of Apache 1.3 available
    and we strongly recommend that users of older versions, especially of
    the 1.1.x and 1.2.x family, upgrade as soon as possible.  No further
    releases will be made in the 1.2.x family.</p>
 
-<p>Apache 1.3.35 is available for download from</p>
+<p>Apache 1.3.36 is available for download from</p>
 <dl>
     <dd><a href="http://httpd.apache.org/download.cgi"
           >http://httpd.apache.org/download.cgi</a></dd>
@@ -104,7 +106,7 @@
    Users on Unix and non-Unix platforms are strongly encouraged to move up to 
    Apache 2.0/2.2 for better performance, stability and security on their
    platforms. We consider Apache 2.0.58 and 2.2.2 to be the best available
-   versions at the time of this release.  We offer Apache 1.3.35 as the best
+   versions at the time of this release.  We offer Apache 1.3.36 as the best
    legacy  version of Apache 1.3 available, and strongly recommend that users
    who require compatibility with existing Apache 1.3 installations should
    upgrade as soon as possible.  Users should first consider upgrading to
@@ -114,26 +116,23 @@
    of the servers on the Internet are running Apache or one of its
    variants.</p>
 
-<h2>Apache 1.3.35 Major changes</h2>
+<h2>Apache 1.3.36 Major changes</h2>
 <h3>Security vulnerabilities</h3>
 
 <p>
-   The main security vulnerabilities addressed in 1.3.35 are:
+   The main security vulnerabilities addressed in 1.3.36 are:
 </p>
 <dl>
-<dt>CVE-2005-3352 (cve.mitre.org)</dt>
+<dt>None</dt>
 
- <dd>mod_imap: Escape untrusted referer header before outputting in HTML
-       to avoid potential cross-site scripting.  Change also made to
-       ap_escape_html so we escape quotes.  Reported by JPCERT</dd>
+ <dd>n/a</dd>
 </dl>
 <h3>New features</h3>
 <p>
    New features that relate to all platforms:
 </p>
 <ul>
-  <li>core: Allow usage of the "Include" configuration directive within
-       previously "Include"d files.</li>
+  <li>None</li>
 </ul>
 <p>
    New features that relate to specific platforms:
@@ -144,13 +143,15 @@
 <p>
 <h3>Bugs fixed</h3>
 <p>
-   The following bugs were found in Apache 1.3.34 (or earlier) and have been fixed in
-   Apache 1.3.35:
+   The following bugs were found in Apache 1.3.35 (or earlier) and have been fixed in
+   Apache 1.3.36:
 </p>
 <ul>
-     <li>HTML-escape the Expect error message.</li>
-     <li>mod_cgi: Remove block on OPTIONS method so that scripts can
-     respond to OPTIONS directly rather than via server default</li>
+     <li>Reverted SVN rev #396294 due to unwanted regression.
+       The new feature introduced in 1.3.35 (Allow usage of the
+       "Include" configuration directive within previously "Include"d
+       files) has been removed in the meantime.
+       (http://svn.apache.org/viewcvs?rev=396294&view=rev)</li>
 </ul>
 
 </BODY>

Modified: httpd/httpd/dist/Announcement1.3.txt
URL: http://svn.apache.org/viewcvs/httpd/httpd/dist/Announcement1.3.txt?rev=407230&r1=407229&r2=407230&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement1.3.txt (original)
+++ httpd/httpd/dist/Announcement1.3.txt Wed May 17 05:21:50 2006
@@ -1,28 +1,29 @@
 
-                   Apache HTTP Server 1.3.35 Released
+                   Apache HTTP Server 1.3.36 Released
 
    The Apache Software Foundation and The Apache HTTP Server Project are
-   pleased to announce the release of version 1.3.35 of the Apache HTTP
-   Server ("Apache").  This Announcement notes the significant changes
-   in 1.3.35 as compared to 1.3.34.
+   pleased to announce the release of version 1.3.36 of the Apache HTTP
+   Server ("Apache").  This Announcement notes the significant change
+   in 1.3.36 as compared to 1.3.35.
 
-   This version of Apache is principally a bug and security fix release.
-   A partial summary of the bug fixes is given at the end of this document.
+   This version of Apache is principally a bug fix release. A partial
+   summary of the bug fixes is given at the end of this document.
    A full listing of changes can be found in the CHANGES file.  Of
-   particular note is that 1.3.35 addresses and fixes 1 potential
-   security issue:
+   particular note is that 1.3.36 addresses and fixes 1 major
+   regression introduced in 1.3.35:
 
-     o CVE-2005-3352 (cve.mitre.org)
-       mod_imap: Escape untrusted referer header before outputting in HTML
-       to avoid potential cross-site scripting.  Change also made to
-       ap_escape_html so we escape quotes.  Reported by JPCERT
+     o Use of wildcards in the "Include" directive now works
+       again. The new feature introduced in 1.3.35 (Allow usage
+       of the "Include" configuration directive within
+       previously "Include"d files) has been removed in
+       the meantime.
 
-   We consider Apache 1.3.35 to be the best version of Apache 1.3 available
+   We consider Apache 1.3.36 to be the best version of Apache 1.3 available
    and we strongly recommend that users of older versions, especially of
    the 1.1.x and 1.2.x family, upgrade as soon as possible.  No further
    releases will be made in the 1.2.x family.
 
-   Apache 1.3.35 is available for download from:
+   Apache 1.3.36 is available for download from:
    
        http://httpd.apache.org/download.cgi
 
@@ -70,20 +71,17 @@
    Users on Unix and non-Unix platforms are strongly encouraged to move up to 
    Apache 2.0/2.2 for better performance, stability and security on their
    platforms. We consider Apache 2.0.58 and 2.2.2 to be the best available
-   versions at the time of this release.  We offer Apache 1.3.35 as the best
+   versions at the time of this release.  We offer Apache 1.3.36 as the best
    legacy  version of Apache 1.3 available, and strongly recommend that users
    who require compatibility with existing Apache 1.3 installations should
    upgrade as soon as possible.  Users should first consider upgrading to
    the current release of Apache 2 instead.
 
-                     Apache 1.3.35 Major changes
+                     Apache 1.3.36 Major changes
 
   Security vulnerabilities
 
-     * SECURITY: CVE-2005-3352 (cve.mitre.org)
-       mod_imap: Escape untrusted referer header before outputting in HTML
-       to avoid potential cross-site scripting.  Change also made to
-       ap_escape_html so we escape quotes.  Reported by JPCERT.
+     * None
 
   New features
 
@@ -93,15 +91,15 @@
 
    New features that relate to all platforms:
 
-     * core: Allow usage of the "Include" configuration directive within
-       previously "Include"d files.
+     * None
 
   Bugs fixed
 
-   The following noteworthy bugs were found in Apache 1.3.34 (or earlier)
-   and have been fixed in Apache 1.3.35:
-
-     * HTML-escape the Expect error message.
+   The following noteworthy bug(s) were found in Apache 1.3.35 (or earlier)
+   and have been fixed in Apache 1.3.36:
 
-     * mod_cgi: Remove block on OPTIONS method so that scripts can
-     respond to OPTIONS directly rather than via server default.
+     * Reverted SVN rev #396294 due to unwanted regression.
+       The new feature introduced in 1.3.35 (Allow usage of the
+       "Include" configuration directive within previously "Include"d
+       files) has been removed in the meantime.
+       (http://svn.apache.org/viewcvs?rev=396294&view=rev)



Mime
View raw message