httpd-cvs mailing list archives

From m..@apache.org
Subject svn commit: r426206 - in /httpd/httpd/dist: Announcement1.3.html Announcement1.3.txt Announcement2.0.html Announcement2.0.txt Announcement2.2.html Announcement2.2.txt
Date Thu, 27 Jul 2006 19:31:00 GMT
Author: mjc
Date: Thu Jul 27 12:30:59 2006
New Revision: 426206

URL: http://svn.apache.org/viewvc?rev=426206&view=rev
Log:
Add announcements ready for wrowe to sync when everything is in place; these
describe the security issue CVE-2006-3747 which is the main reason for these
updates

Modified:
    httpd/httpd/dist/Announcement1.3.html
    httpd/httpd/dist/Announcement1.3.txt
    httpd/httpd/dist/Announcement2.0.html
    httpd/httpd/dist/Announcement2.0.txt
    httpd/httpd/dist/Announcement2.2.html
    httpd/httpd/dist/Announcement2.2.txt

Modified: httpd/httpd/dist/Announcement1.3.html
URL: http://svn.apache.org/viewvc/httpd/httpd/dist/Announcement1.3.html?rev=426206&r1=426205&r2=426206&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement1.3.html (original)
+++ httpd/httpd/dist/Announcement1.3.html Thu Jul 27 12:30:59 2006
@@ -15,43 +15,80 @@
 <IMG SRC="../../images/apache_sub.gif" ALT="">
 
 
-<h1>Apache HTTP Server 1.3.36 Released</h1>
+<h1>Apache HTTP Server 1.3.37 Released</h1>
                                        
 <p>The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the release of version 1.3.36 of the Apache HTTP
+   pleased to announce the release of version 1.3.37 of the Apache HTTP
    Server ("Apache").  This Announcement notes the significant change
-   in 1.3.36 as compared to 1.3.35.</p>
+   in 1.3.37 as compared to 1.3.36.</p>
 
-<p>This version of Apache is principally a bug fix release.
-   A partial summary of the bug fixes is given at the end of this document.
-   A full listing of changes can be found in the CHANGES file.  Of
-   particular note is that 1.3.36 addresses and fixes 1 major
-   regression introduced in 1.3.35:</p>
+<p>This version of Apache is security fix release only.</p>
 
+<p><a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747">CVE-2006-3747:</a>
+An off-by-one flaw exists in the Rewrite module, mod_rewrite,
+as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.
+</p>
+
+<p>Depending on the manner in which Apache HTTP Server was compiled, this software
+defect may result in a vulnerability which, in combination with certain types of
+Rewrite rules in the web server configuration files, could be triggered
+remotely.  For vulnerable builds, the nature of the vulnerability can be denial
+of service (crashing of web server processes) or potentially allow arbitrary
+code execution.  This issue has been rated as having important security impact
+by the Apache HTTP Server Security Team.</p>
+
+<p>This flaw does not affect a default installation of Apache HTTP Server.
+Users who do not use, or have not enabled, the Rewrite module mod_rewrite are
+not affected by this issue.  This issue only affects installations using a
+Rewrite rule with the following characteristics:</p>
+ 
+<ul><li>The RewriteRule allows the attacker to control the initial part of
+  the rewritten URL (for example if the substitution URL starts with $1)</li>
+<li>The RewriteRule flags do NOT include any of the following flags:
+  Forbidden (F), Gone (G), or NoEscape (NE).</li></ul>
+
+<p>Please note that ability to exploit this issue is dependent on the
+stack layout for a particular compiled version of mod_rewrite. If the
+compiler used to compile Apache HTTP Server has added padding to the
+stack immediately after the buffer being overwritten, it will not be
+possible to exploit this issue, and Apache HTTP Server will continue
+operating normally.</p>
+
+<p>The Apache HTTP Server project recommends that all users who have
+built Apache from source apply the patch or upgrade to the latest
+level and rebuild.  Providers of Apache-based web servers in
+pre-compiled form will be able to determine if this vulnerability
+applies to their builds.  That determination has no bearing on any
+other builds of Apache HTTP Server, and Apache HTTP Server users are
+urged to exercise caution and apply patches or upgrade unless they
+have specific instructions from the provider of their web server.
+Statements from vendors can be obtained from the US-CERT vulnerability
+note for this issue at:
 <dl>
-<dt>Include directive regression</dt>
+<dd>
+<a
+href="http://www.kb.cert.org/vuls/id/395412">http://www.kb.cert.org/vuls/id/395412</a>
+</dd></dl>
 
- <dd>Use of wildcards in the "Include" directive now works
-       again. The new feature introduced in 1.3.35 (allow usage
-       of the "Include" configuration directive within
-       previously "Include"d files) has been removed in
-       the meantime.</dd>
-</dl>
+<p>The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the
+responsible reporting of this vulnerability.</p>
 
-<p>Please see the CHANGES_1.3 file in this same directory for a full list
-   of changes.</p>
 
-<p>Apache 1.3.36 is the current stable release of the Apache 1.3 family.
+<!--<p>Please see the CHANGES_1.3 file in this same directory for a full list
+   of changes.</p>-->
+
+<p>Apache 1.3.37 is the current stable release of the Apache 1.3 family.
    We strongly recommend that users of all earlier versions, including 
    1.3 family release, upgrade to to the current 2.2 version as soon
    as possible.</p>
 
-<p>We recommend Apache 1.3.36 version for users who require a third party
+<p>We recommend Apache 1.3.37 version for users who require a third party
    module that is not yet available as an Apache 2.x module.  Modules
    compiled for Apache 2.x are not compatible with Apache 1.3, and modules
    compiled for Apache 1.3 are not compatible with Apache 2.x.</p>
 
-<p>Apache 1.3.36 is available for download from</p>
+<p>Apache 1.3.37 is available for download from</p>
 <dl>
     <dd><a href="http://httpd.apache.org/download.cgi"
           >http://httpd.apache.org/download.cgi</a></dd>
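Review bot: The paragraph that ends "Statements from vendors can be obtained from the US-CERT vulnerability note for this issue at:" is never closed; the unchanged <dl> line follows it directly, so a </p> belongs before that <dl> (browsers recover, but every other paragraph on the page is closed). Two wording nits in lines this hunk adds: "This version of Apache is security fix release only." wants an article ("a security fix release only"), and "Please note that ability to exploit this issue" reads better as "the ability". The retained context line "upgrade to to the current 2.2 version" doubles "to" and could be fixed while this file is open.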
@@ -91,18 +128,20 @@
    of the servers on the Internet run Apache HTTP Server, or one of its
    variants.</p>
 
-<h2>Apache 1.3.36 Major changes</h2>
-<!--
+<h2>Apache 1.3.37 Major changes</h2>
+
 <h3>Security vulnerabilities</h3>
 
 <p>
-   The main security vulnerabilities addressed in 1.3.36 are:
+   The main security vulnerabilities addressed in 1.3.37 are:
 </p>
 <dl>
-<dt>None</dt>
-
- <dd>n/a</dd>
+<dt>SECURITY: CVE-2006-3747 (cve.mitre.org)</dt>
+<dd>mod_rewrite: Fix an off-by-one security problem in the ldap scheme
+handling.  For some RewriteRules this could lead to a pointer being
+written out of bounds.  Reported by Mark Dowd of McAfee Avert Labs.</dd>
 </dl>
+<!--
 <h3>New features</h3>
 <p>
    New features that relate to all platforms:
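Review bot: The <!-- added after the security </dl> is only balanced by the --> that the following hunk adds before </BODY>; applied on its own, this hunk would leave the comment running to end of file, so the two must land together. The entry text "Fix an off-by-one security problem in the ldap scheme handling ... a pointer being written out of bounds" matches the wording used in the txt announcement, which is good, since the two files are read side by side.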
@@ -117,19 +156,13 @@
   <li>None</li>
 </ul>
 <p>
--->
 <h3>Bugs fixed</h3>
 <p>
    The following bugs were found in Apache 1.3.35 (or earlier) and have been fixed in
    Apache 1.3.36:
 </p>
 <ul>
-     <li>Reverted SVN rev #396294 due to unwanted regression.
-       The new feature introduced in 1.3.35 (Allow usage of the
-       "Include" configuration directive within previously "Include"d
-       files) has been removed in the meantime.
-       (http://svn.apache.org/viewcvs?rev=396294&view=rev)</li>
 </ul>
-
+-->
 </BODY>
 </HTML>
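Review bot: The "Bugs fixed" text this hunk leaves inside the comment still says "found in Apache 1.3.35 (or earlier) and have been fixed in Apache 1.3.36" and now heads an empty <ul>; bump the versions to 1.3.36/1.3.37 or delete the block rather than hide it, because the comment will be reopened for the next release and stale text will leak out. Moving the --> from the "New features" block to just before </BODY> widens the commented-out region to cover "Bugs fixed" as well, which is presumably intended for a security-only release but is worth stating in the log.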

Modified: httpd/httpd/dist/Announcement1.3.txt
URL: http://svn.apache.org/viewvc/httpd/httpd/dist/Announcement1.3.txt?rev=426206&r1=426205&r2=426206&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement1.3.txt (original)
+++ httpd/httpd/dist/Announcement1.3.txt Thu Jul 27 12:30:59 2006
@@ -1,82 +1,106 @@
+                       Apache HTTP Server 1.3.37 Released
 
-                   Apache HTTP Server 1.3.36 Released
+   The Apache Software Foundation and the Apache HTTP Server Project are
+   pleased to announce the release of version 1.3.37 of the Apache HTTP
+   Server ("Apache"). This Announcement notes the significant change in
+   1.3.37 as compared to 1.3.36.
+
+   This version of Apache is security fix release only.
+
+   CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
+   mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
+   and 2.2 since 2.2.0.
+
+   Depending on the manner in which Apache HTTP Server was compiled, this
+   software defect may result in a vulnerability which, in combination with
+   certain types of Rewrite rules in the web server configuration files,
+   could be triggered remotely. For vulnerable builds, the nature of the
+   vulnerability can be denial of service (crashing of web server processes)
+   or potentially allow arbitrary code execution. This issue has been rated
+   as having important security impact by the Apache HTTP Server Security
+   Team.
+
+   This flaw does not affect a default installation of Apache HTTP Server.
+   Users who do not use, or have not enabled, the Rewrite module mod_rewrite
+   are not affected by this issue. This issue only affects installations
+   using a Rewrite rule with the following characteristics:
+
+     * The RewriteRule allows the attacker to control the initial part of the
+       rewritten URL (for example if the substitution URL starts with $1)
+     * The RewriteRule flags do NOT include any of the following flags:
+       Forbidden (F), Gone (G), or NoEscape (NE).
+
+   Please note that ability to exploit this issue is dependent on the stack
+   layout for a particular compiled version of mod_rewrite. If the compiler
+   used to compile Apache HTTP Server has added padding to the stack
+   immediately after the buffer being overwritten, it will not be possible to
+   exploit this issue, and Apache HTTP Server will continue operating
+   normally.
+
+   The Apache HTTP Server project recommends that all users who have built
+   Apache from source apply the patch or upgrade to the latest level and
+   rebuild. Providers of Apache-based web servers in pre-compiled form will
+   be able to determine if this vulnerability applies to their builds. That
+   determination has no bearing on any other builds of Apache HTTP Server,
+   and Apache HTTP Server users are urged to exercise caution and apply
+   patches or upgrade unless they have specific instructions from the
+   provider of their web server. Statements from vendors can be obtained from
+   the US-CERT vulnerability note for this issue at:
+
+           http://www.kb.cert.org/vuls/id/395412
+
+   The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for
+   the responsible reporting of this vulnerability.
+
+   Apache 1.3.37 is the current stable release of the Apache 1.3 family. We
+   strongly recommend that users of all earlier versions, including 1.3
+   family release, upgrade to to the current 2.2 version as soon as possible.
+
+   We recommend Apache 1.3.37 version for users who require a third party
+   module that is not yet available as an Apache 2.x module. Modules compiled
+   for Apache 2.x are not compatible with Apache 1.3, and modules compiled
+   for Apache 1.3 are not compatible with Apache 2.x.
 
-   The Apache Software Foundation and The Apache HTTP Server Project are
-   pleased to announce the release of version 1.3.36 of the Apache HTTP
-   Server ("Apache").  This Announcement notes the significant change
-   in 1.3.36 as compared to 1.3.35.
-
-   This version of Apache is principally a bug fix release. A partial
-   summary of the bug fixes is given at the end of this document.
-   A full listing of changes can be found in the CHANGES file.  Of
-   particular note is that 1.3.36 addresses and fixes 1 major
-   regression introduced in 1.3.35:
-
-   Include directive regression
-   ----------------------------
-       Use of wildcards in the "Include" directive now works
-       again. The new feature introduced in 1.3.35 (allow usage
-       of the "Include" configuration directive within
-       previously "Include"d files) has been removed in
-       the meantime.
-
-   Please see the CHANGES_1.3 file in this same directory for a full list
-   of changes.
-
-   Apache 1.3.36 is the current stable release of the Apache 1.3 family.
-   We strongly recommend that users of all earlier versions, including
-   this 1.3 family release, upgrade to to the current 2.2 version as soon
-   as possible.
-
-   We recommend Apache 1.3.36 version for users who require a third party
-   module that is not yet available as an Apache 2.x module.  Modules
-   compiled for Apache 2.x are not compatible with Apache 1.3, and modules
-   compiled for Apache 1.3 are not compatible with Apache 2.x.
-
-   Apache 1.3.36 is available for download from:
-   
-       http://httpd.apache.org/download.cgi
+   Apache 1.3.37 is available for download from
+
+           http://httpd.apache.org/download.cgi
 
    This service utilizes the network of mirrors listed at:
 
-       http://www.apache.org/mirrors/
+           http://www.apache.org/mirrors/
 
    Binary distributions may be available for your specific platform from
 
-       http://www.apache.org/dist/httpd/binaries/
+           http://www.apache.org/dist/httpd/binaries/
 
-   Binaries distributed by the Apache HTTP Server Project are provided
-   as a courtesy by individual project contributors.  The project makes
-   no commitment to release the Apache HTTP Server in binary form for
-   any particular platform, nor on any particular schedule.
-
-   IMPORTANT NOTE FOR APACHE USERS:   Apache 1.3 was designed for Unix
-   OS variants.  While the ports to non-Unix platforms (such as Win32,
-   Netware or OS2) will function for some applications, Apache 1.3 is
-   not designed for these platforms.  Apache 2 was designed from the
-   ground up for security, stability, or performance issues across all
-   modern operating systems.  Users of any non-Unix ports are strongly
-   cautioned to move to Apache 2.
-
-   The Apache project no longer distributes non-Unix platform binaries
-   from the main download pages for Apache 1.3.  If absolutely necessary,
-   a binary may be available at <http://archive.apache.org/dist/httpd/>.
+   Binaries distributed by the Apache HTTP Server Project are provided as a
+   courtesy by individual project contributors. The project makes no
+   commitment to release the Apache HTTP Server in binary form for any
+   particular platform, nor on any particular schedule.
+
+   IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS
+   variants. While the ports to non-Unix platforms (such as Win32, Netware or
+   OS2) will function for some applications, Apache 1.3 is not designed for
+   these platforms. Apache 2 was designed from the ground up for security,
+   stability, or performance issues across all modern operating systems.
+   Users of any non-Unix ports are strongly cautioned to move to Apache 2.
+
+   The Apache project no longer distributes non-Unix platform binaries from
+   the main download pages for Apache 1.3. If absolutely necessary, a binary
+   may be available at http://archive.apache.org/dist/httpd/.
 
-   Apache is the most popular web server in the known universe; about 2/3
-   of the servers on the Internet run Apache HTTP Server, or one of its
+   Apache is the most popular web server in the known universe; about 2/3 of
+   the servers on the Internet run Apache HTTP Server, or one of its
    variants.
 
+Apache 1.3.37 Major changes
 
-                     Apache 1.3.36 Major changes
-
-  Bugs fixed
+  Security vulnerabilities
 
-   The following noteworthy bug(s) were found in Apache 1.3.35 (or earlier)
-   and have been fixed in Apache 1.3.36:
+   The main security vulnerabilities addressed in 1.3.37 are:
 
-     * Reverted SVN rev #396294 due to unwanted regression.
-       The new feature introduced in 1.3.35 (Allow usage of the
-       "Include" configuration directive within previously "Include"d
-       files) has been removed in the meantime.
-       (http://svn.apache.org/viewcvs?rev=396294&view=rev)
+   SECURITY: CVE-2006-3747 (cve.mitre.org)
+           mod_rewrite: Fix an off-by-one security problem in the ldap scheme
+           handling. For some RewriteRules this could lead to a pointer being
+           written out of bounds. Reported by Mark Dowd of McAfee Avert Labs.
 

Modified: httpd/httpd/dist/Announcement2.0.html
URL: http://svn.apache.org/viewvc/httpd/httpd/dist/Announcement2.0.html?rev=426206&r1=426205&r2=426206&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement2.0.html (original)
+++ httpd/httpd/dist/Announcement2.0.html Thu Jul 27 12:30:59 2006
@@ -14,12 +14,12 @@
 >
 <img src="../../images/apache_sub.gif" alt="">
 
-<h1>Apache HTTP Server 2.0.58 Released</h1>
+<h1>Apache HTTP Server 2.0.59 Released</h1>
 
 <p>The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the legacy release of version 2.0.58 of the Apache HTTP
+   pleased to announce the legacy release of version 2.0.59 of the Apache HTTP
    Server ("Apache").  This Announcement notes the significant changes in
-   2.0.58 as compared to 2.0.55.  This Announcement2.0 document may also be
+   2.0.59 as compared to 2.0.58.  This Announcement2.0 document may also be
    available in multiple languages at:</p>
 
 <dl>
@@ -30,25 +30,55 @@
 <p>This version of Apache is principally a bug and security fix release.
    The following potential security flaws are addressed;</p>
 
+<p><a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747">CVE-2006-3747:</a>
+An off-by-one flaw exists in the Rewrite module, mod_rewrite,
+as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.
+</p>
+
+<p>Depending on the manner in which Apache HTTP Server was compiled, this software
+defect may result in a vulnerability which, in combination with certain types of
+Rewrite rules in the web server configuration files, could be triggered
+remotely.  For vulnerable builds, the nature of the vulnerability can be denial
+of service (crashing of web server processes) or potentially allow arbitrary
+code execution.  This issue has been rated as having important security impact
+by the Apache HTTP Server Security Team.</p>
+
+<p>This flaw does not affect a default installation of Apache HTTP Server.
+Users who do not use, or have not enabled, the Rewrite module mod_rewrite are
+not affected by this issue.  This issue only affects installations using a
+Rewrite rule with the following characteristics:</p>
+ 
+<ul><li>The RewriteRule allows the attacker to control the initial part of
+  the rewritten URL (for example if the substitution URL starts with $1)</li>
+<li>The RewriteRule flags do NOT include any of the following flags:
+  Forbidden (F), Gone (G), or NoEscape (NE).</li></ul>
+
+<p>Please note that ability to exploit this issue is dependent on the
+stack layout for a particular compiled version of mod_rewrite. If the
+compiler used to compile Apache HTTP Server has added padding to the
+stack immediately after the buffer being overwritten, it will not be
+possible to exploit this issue, and Apache HTTP Server will continue
+operating normally.</p>
+
+<p>The Apache HTTP Server project recommends that all users who have
+built Apache from source apply the patch or upgrade to the latest
+level and rebuild.  Providers of Apache-based web servers in
+pre-compiled form will be able to determine if this vulnerability
+applies to their builds.  That determination has no bearing on any
+other builds of Apache HTTP Server, and Apache HTTP Server users are
+urged to exercise caution and apply patches or upgrade unless they
+have specific instructions from the provider of their web server.
+Statements from vendors can be obtained from the US-CERT vulnerability
+note for this issue at:
 <dl>
-<dt>CVE-2005-3357 (cve.mitre.org)</dt>
+<dd>
+<a
+href="http://www.kb.cert.org/vuls/id/395412">http://www.kb.cert.org/vuls/id/395412</a>
+</dd></dl>
 
- <dd>mod_ssl: When configured with an SSL vhost with access control and a
-     custom error 400 error page, mod_ssl allows remote attackers to cause
-     a denial of service (application crash) via a non-SSL request to an
-     SSL port, which triggers a NULL pointer dereference.</dd>
-
-<dt>CVE-2005-3352 (cve.mitre.org)</dt>
-
- <dd>mod_imap: Cross-site scripting (XSS) vulnerability which allows remote
-     attackers to inject arbitrary web script or HTML via the Referer when
-     using image maps.</dd>
-
-</dl>
-
-<p>The Apache HTTP Project thanks all of the reporters of these
-   issues and vulnerabilities for the responsible reporting and
-   thorough analysis of these vulnerabilities.</p>
+<p>The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the
+responsible reporting of this vulnerability.</p>
 
 <p>This release is compatible with modules compiled for 2.0.42 and
    later versions.  We consider this release to be the best version
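Review bot: The retained lead-in "The following potential security flaws are addressed;" now introduces a single CVE, so it should read "flaw is addressed:" (colon, not semicolon). As in the 1.3 page, the paragraph that ends "note for this issue at:" has no </p> before the <dl> holding the US-CERT link. Removing CVE-2005-3357 and CVE-2005-3352 is correct: they were fixed in 2.0.58 and this page now describes 2.0.59 against 2.0.58.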
@@ -61,16 +91,15 @@
    all be updated to ensure binary compatibility and address many
    known platform bugs.</p>
 
-<p>Apache HTTP Server 2.0.58 is available for download from</p>
+<p>Apache HTTP Server 2.0.59 is available for download from</p>
 <dl>
   <dd><a href="http://httpd.apache.org/download.cgi"
         >http://httpd.apache.org/download.cgi</a></dd>
 </dl>
 
 <p>Please see the CHANGES_2.0 file, linked from the above page, for
-   a full list of changes.  A condensed list, CHANGES_2.0.58 provides
-   the complete list of changes since 2.0.55, including changes to
-   the APR suite of libraries.</p>
+   a full list of changes.  A condensed list, CHANGES_2.0.59 provides
+   the complete list of changes since 2.0.58.</p>
    
 <p>Apache 2.0 offers numerous enhancements, improvements, and performance
    boosts over the 1.3 codebase.  For an overview of new features introduced
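Review bot: The rewritten CHANGES sentence drops "including changes to the APR suite of libraries", but the unchanged paragraph just above still tells users that libapr, libaprutil and libapriconv "must all be updated to ensure binary compatibility", and the txt announcement still names APR 0.9.12. If no APR update ships with 2.0.59, the "must all be updated" sentence is now misleading; if one does, the dropped clause should stay. Either way the two statements need to agree.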
@@ -96,7 +125,7 @@
 </dl>
 
 <p>We consider Apache 2.2 to be the best available version at the time of
-   this release.  We offer Apache 2.0.58 as the best legacy version of Apache
+   this release.  We offer Apache 2.0.59 as the best legacy version of Apache
    2.0 available. Users should first consider upgrading to the current release
    of Apache 2.2 instead.</p>
 

Modified: httpd/httpd/dist/Announcement2.0.txt
URL: http://svn.apache.org/viewvc/httpd/httpd/dist/Announcement2.0.txt?rev=426206&r1=426205&r2=426206&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement2.0.txt (original)
+++ httpd/httpd/dist/Announcement2.0.txt Thu Jul 27 12:30:59 2006
@@ -1,74 +1,99 @@
-
-                   Apache HTTP Server 2.0.58 Released
+                       Apache HTTP Server 2.0.59 Released
 
    The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the legacy release of version 2.0.58 of the Apache HTTP
-   Server ("Apache").  This Announcement notes the significant changes in
-   2.0.58 as compared to 2.0.55.  This Announcement2.0 document may also be
+   pleased to announce the legacy release of version 2.0.59 of the Apache
+   HTTP Server ("Apache"). This Announcement notes the significant changes in
+   2.0.59 as compared to 2.0.58. This Announcement2.0 document may also be
    available in multiple languages at:
 
-        http://www.apache.org/dist/httpd/
-
-   This version of Apache is principally a bug and security fix release.
-   The following potential security flaws are addressed;
-
-   CVE-2005-3357 (cve.mitre.org)
-
-     mod_ssl: When configured with an SSL vhost with access control and a
-     custom error 400 error page, mod_ssl allows remote attackers to cause
-     a denial of service (application crash) via a non-SSL request to an
-     SSL port, which triggers a NULL pointer dereference.
-
-   CVE-2005-3352 (cve.mitre.org)
-
-     mod_imap: Cross-site scripting (XSS) vulnerability which allows remote
-     attackers to inject arbitrary web script or HTML via the Referer when
-     using image maps.
+           http://www.apache.org/dist/httpd/
 
-   The Apache HTTP Project thanks all of the reporters of these
-   issues and vulnerabilities for the responsible reporting and
-   thorough analysis of these vulnerabilities.
+   This version of Apache is principally a bug and security fix release. The
+   following potential security flaws are addressed;
 
-   This release is compatible with modules compiled for 2.0.42 and
-   later versions.  We consider this release to be the best version
-   of Apache 2.0 available and encourage users of all prior versions to
-   upgrade.
-
-   This release includes the Apache Portable Runtime library suite
-   release version 0.9.12, bundled with the tar and zip distributions.
-   These libraries; libapr, libaprutil, and on Win32, libapriconv must
-   all be updated to ensure binary compatibility and address many
-   known platform bugs.
-
-   Apache HTTP Server 2.0.58 is available for download from
-
-     http://httpd.apache.org/download.cgi
-
-   Please see the CHANGES_2.0 file, linked from the above page, for
-   a full list of changes.  A condensed list, CHANGES_2.0.58 provides
-   the complete list of changes since 2.0.55, including changes to 
-   the APR suite of libraries.
+   CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
+   mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
+   and 2.2 since 2.2.0.
+
+   Depending on the manner in which Apache HTTP Server was compiled, this
+   software defect may result in a vulnerability which, in combination with
+   certain types of Rewrite rules in the web server configuration files,
+   could be triggered remotely. For vulnerable builds, the nature of the
+   vulnerability can be denial of service (crashing of web server processes)
+   or potentially allow arbitrary code execution. This issue has been rated
+   as having important security impact by the Apache HTTP Server Security
+   Team.
+
+   This flaw does not affect a default installation of Apache HTTP Server.
+   Users who do not use, or have not enabled, the Rewrite module mod_rewrite
+   are not affected by this issue. This issue only affects installations
+   using a Rewrite rule with the following characteristics:
+
+     * The RewriteRule allows the attacker to control the initial part of the
+       rewritten URL (for example if the substitution URL starts with $1)
+     * The RewriteRule flags do NOT include any of the following flags:
+       Forbidden (F), Gone (G), or NoEscape (NE).
+
+   Please note that ability to exploit this issue is dependent on the stack
+   layout for a particular compiled version of mod_rewrite. If the compiler
+   used to compile Apache HTTP Server has added padding to the stack
+   immediately after the buffer being overwritten, it will not be possible to
+   exploit this issue, and Apache HTTP Server will continue operating
+   normally.
+
+   The Apache HTTP Server project recommends that all users who have built
+   Apache from source apply the patch or upgrade to the latest level and
+   rebuild. Providers of Apache-based web servers in pre-compiled form will
+   be able to determine if this vulnerability applies to their builds. That
+   determination has no bearing on any other builds of Apache HTTP Server,
+   and Apache HTTP Server users are urged to exercise caution and apply
+   patches or upgrade unless they have specific instructions from the
+   provider of their web server. Statements from vendors can be obtained from
+   the US-CERT vulnerability note for this issue at:
+
+           http://www.kb.cert.org/vuls/id/395412
+
+   The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for
+   the responsible reporting of this vulnerability.
+
+   This release is compatible with modules compiled for 2.0.42 and later
+   versions. We consider this release to be the best version of Apache
+   available and encourage users of all prior versions to upgrade.
+
+   This release includes the Apache Portable Runtime library suite release
+   version 0.9.12, bundled with the tar and zip distributions. These
+   libraries; libapr, libaprutil, and on Win32, libapriconv must all be
+   updated to ensure binary compatibility and address many known platform
+   bugs.
+
+   Apache HTTP Server 2.0.59 is available for download from
+
+           http://httpd.apache.org/download.cgi
+
+   Please see the CHANGES_2.0 file, linked from the above page, for a full
+   list of changes. A condensed list, CHANGES_2.0.59 provides the complete
+   list of changes since 2.0.58.
 
    Apache 2.0 offers numerous enhancements, improvements, and performance
-   boosts over the 1.3 codebase.  For an overview of new features introduced
+   boosts over the 1.3 codebase. For an overview of new features introduced
    after 1.3 please see
 
-     http://httpd.apache.org/docs/2.0/new_features_2_0.html
+           http://httpd.apache.org/docs/2.0/new_features_2_0.html
 
-   When upgrading or installing this version of Apache, please keep
-   in mind the following:  If you intend to use Apache with one of the 
-   threaded MPMs, you must ensure that the modules (and the libraries 
-   they depend on) that you will be using are thread-safe.  Please 
-   refer to the documentation of these modules and libraries to obtain 
-   this information.
+   When upgrading or installing this version of Apache, please keep in mind
+   the following: If you intend to use Apache with one of the threaded MPMs,
+   you must ensure that the modules (and the libraries they depend on) that
+   you will be using are thread-safe. Please refer to the documentation of
+   these modules and libraries to obtain this information.
 
    Apache 2.2 offers numerous enhancements, improvements, and performance
    boosts over the 2.0 codebase. For an overview of new features introduced
    after 2.0 please see
 
-     http://httpd.apache.org/docs/2.2/new_features_2_2.html
+           http://httpd.apache.org/docs/2.2/new_features_2_2.html
 
    We consider Apache 2.2 to be the best available version at the time of
-   this release.  We offer Apache 2.0.58 as the best legacy version of Apache
-   2.0 available. Users should first consider upgrading to the current release
-   of Apache 2.2 instead.
+   this release. We offer Apache 2.0.59 as the best legacy version of Apache
+   2.0 available. Users should first consider upgrading to the current
+   release of Apache 2.2 instead.
+
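Review bot: The reflowed sentence "We consider this release to be the best version of Apache available" lost the "2.0" the original had ("the best version of Apache 2.0 available") and now contradicts the later paragraph "We consider Apache 2.2 to be the best available version"; restore "2.0". "The following potential security flaws are addressed;" introduces one flaw, so "flaw is addressed:". The hunk also adds a trailing empty line at end of file that the other txt announcements do not carry.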

Modified: httpd/httpd/dist/Announcement2.2.html
URL: http://svn.apache.org/viewvc/httpd/httpd/dist/Announcement2.2.html?rev=426206&r1=426205&r2=426206&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement2.2.html (original)
+++ httpd/httpd/dist/Announcement2.2.html Thu Jul 27 12:30:59 2006
@@ -15,20 +15,73 @@
 <img src="../../images/apache_sub.gif" alt="">
 
 
-<h1>Apache HTTP Server 2.2.2 Released</h1>
+<h1>Apache HTTP Server 2.2.3 Released</h1>
 
 <p>
 The Apache Software Foundation and The Apache HTTP Server Project are
-pleased to announce the release of version 2.2.2 of the Apache HTTP Server
+pleased to announce the release of version 2.2.3 of the Apache HTTP Server
 ("Apache").
 </p>
 
+<p>This version of Apache is principally a bug and security fix release.
+   The following potential security flaws are addressed;</p>
+
+<p><a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747">CVE-2006-3747:</a>
+An off-by-one flaw exists in the Rewrite module, mod_rewrite,
+as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.
+</p>
+
+<p>Depending on the manner in which Apache HTTP Server was compiled, this software
+defect may result in a vulnerability which, in combination with certain types of
+Rewrite rules in the web server configuration files, could be triggered
+remotely.  For vulnerable builds, the nature of the vulnerability can be denial
+of service (crashing of web server processes) or potentially allow arbitrary
+code execution.  This issue has been rated as having important security impact
+by the Apache HTTP Server Security Team.</p>
+
+<p>This flaw does not affect a default installation of Apache HTTP Server.
+Users who do not use, or have not enabled, the Rewrite module mod_rewrite are
+not affected by this issue.  This issue only affects installations using a
+Rewrite rule with the following characteristics:</p>
+ 
+<ul><li>The RewriteRule allows the attacker to control the initial part of
+  the rewritten URL (for example if the substitution URL starts with $1)</li>
+<li>The RewriteRule flags do NOT include any of the following flags:
+  Forbidden (F), Gone (G), or NoEscape (NE).</li></ul>
+
+<p>Please note that ability to exploit this issue is dependent on the
+stack layout for a particular compiled version of mod_rewrite. If the
+compiler used to compile Apache HTTP Server has added padding to the
+stack immediately after the buffer being overwritten, it will not be
+possible to exploit this issue, and Apache HTTP Server will continue
+operating normally.</p>
+
+<p>The Apache HTTP Server project recommends that all users who have
+built Apache from source apply the patch or upgrade to the latest
+level and rebuild.  Providers of Apache-based web servers in
+pre-compiled form will be able to determine if this vulnerability
+applies to their builds.  That determination has no bearing on any
+other builds of Apache HTTP Server, and Apache HTTP Server users are
+urged to exercise caution and apply patches or upgrade unless they
+have specific instructions from the provider of their web server.
+Statements from vendors can be obtained from the US-CERT vulnerability
+note for this issue at:
+<dl>
+<dd>
+<a
+href="http://www.kb.cert.org/vuls/id/395412">http://www.kb.cert.org/vuls/id/395412</a>
+</dd></dl>
+
+<p>The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the
+responsible reporting of this vulnerability.</p>
+
 <p>
 We consider this release to be the best version of Apache available, and
 encourage users of all prior versions to upgrade.
 </p>
 
-<p>Apache HTTP Server 2.2.2 is available for download from:</p>
+<p>Apache HTTP Server 2.2.3 is available for download from:</p>
 <dl>
   <dd><a href="http://httpd.apache.org/download.cgi">http://httpd.apache.org/download.cgi</a></dd>
 </dl>
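Review bot: the `<p>` opened at `+<p>The Apache HTTP Server project recommends that all users who have` is never closed; browsers will implicitly end it at the following `<dl>`, but every other paragraph in this file is closed explicitly, so add `</p>` after `note for this issue at:` before the `<dl>`. Smaller points in the same hunk: `The following potential security flaws are addressed;` should end with a colon, and it promises "flaws" while only CVE-2006-3747 is listed, so "flaw is addressed:" would be accurate; the scope bullet "the substitution URL starts with $1" is the one test administrators will use to decide whether they are affected, so one concrete RewriteRule shape (substitution beginning with `$1`, no F, G or NE flag) that they can grep their configs for would make the advisory more actionable; and the `+ ` line after `characteristics:</p>` carries trailing whitespace.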
@@ -50,8 +103,8 @@
 </p>
 
 <p>
-Apache HTTP Server 1.3.35 and 2.0.58 legacy releases are also available
-with minor bugfixes.  See the appropriate CHANGES from the url above.
+Apache HTTP Server 1.3.38 and 2.0.59 legacy releases are also available
+with this security fix.  See the appropriate CHANGES from the url above.
 The Apache HTTP Project developers strongly encourages all users to
 migrate to Apache 2.2, as only limited maintenance is performed on these
 legacy versions.
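Review bot: the legacy version numbers at `+Apache HTTP Server 1.3.38 and 2.0.59 legacy releases are also available` need checking before this is published: the 2.0 number moves by one (2.0.58 to 2.0.59) but the 1.3 number moves by three (1.3.35 to 1.3.38) for a single security-fix release, and a security announcement that names a version that does not exist sends users to a download that is not there. Cross-check against the 1.3 announcement committed in this same revision. The unchanged context line `The Apache HTTP Project developers strongly encourages all users to` also has a subject-verb mismatch (developers encourage) that could be fixed while this paragraph is being edited.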
@@ -66,10 +119,7 @@
 </p>
 
 <p>
-This release has been through extensive testing, including live at some
-of the world's busiest sites, and is now considered stable.  This means
-that modules and applications developed for Apache 2.2.2 will be both
-source- and binary-compatible with future 2.2.x releases.  This release
+This release
 builds on and extends the Apache 2.0 API. Modules written for Apache 2.0
 will need to be recompiled in order to run with Apache 2.2, but no
 substantial reworking should be necessary.
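Review bot: the deletion leaves `This release` stranded on its own line before `builds on and extends the Apache 2.0 API`; rejoin it with the following line so the paragraph reads as one sentence. Also confirm that dropping the statement that modules built for 2.2.x are source- and binary-compatible with future 2.2.x releases is intended: it was the one sentence telling module authors what the 2.2.x line guarantees, and the .txt counterpart in this commit keeps only the VERSIONING URL as the pointer to that policy.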

Modified: httpd/httpd/dist/Announcement2.2.txt
URL: http://svn.apache.org/viewvc/httpd/httpd/dist/Announcement2.2.txt?rev=426206&r1=426205&r2=426206&view=diff
==============================================================================
--- httpd/httpd/dist/Announcement2.2.txt (original)
+++ httpd/httpd/dist/Announcement2.2.txt Thu Jul 27 12:30:59 2006
@@ -1,47 +1,92 @@
-                Apache HTTP Server 2.2.2 Released
+                       Apache HTTP Server 2.2.3 Released
 
-The Apache Software Foundation and The Apache HTTP Server Project are
-pleased to announce the release of version 2.2.2 of the Apache HTTP Server
-("Apache").
+   The Apache Software Foundation and The Apache HTTP Server Project are
+   pleased to announce the release of version 2.2.3 of the Apache HTTP Server
+   ("Apache").
+
+   This version of Apache is principally a bug and security fix release. The
+   following potential security flaws are addressed;
+
+   CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
+   mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
+   and 2.2 since 2.2.0.
+
+   Depending on the manner in which Apache HTTP Server was compiled, this
+   software defect may result in a vulnerability which, in combination with
+   certain types of Rewrite rules in the web server configuration files,
+   could be triggered remotely. For vulnerable builds, the nature of the
+   vulnerability can be denial of service (crashing of web server processes)
+   or potentially allow arbitrary code execution. This issue has been rated
+   as having important security impact by the Apache HTTP Server Security
+   Team.
+
+   This flaw does not affect a default installation of Apache HTTP Server.
+   Users who do not use, or have not enabled, the Rewrite module mod_rewrite
+   are not affected by this issue. This issue only affects installations
+   using a Rewrite rule with the following characteristics:
+
+     * The RewriteRule allows the attacker to control the initial part of the
+       rewritten URL (for example if the substitution URL starts with $1)
+     * The RewriteRule flags do NOT include any of the following flags:
+       Forbidden (F), Gone (G), or NoEscape (NE).
+
+   Please note that ability to exploit this issue is dependent on the stack
+   layout for a particular compiled version of mod_rewrite. If the compiler
+   used to compile Apache HTTP Server has added padding to the stack
+   immediately after the buffer being overwritten, it will not be possible to
+   exploit this issue, and Apache HTTP Server will continue operating
+   normally.
+
+   The Apache HTTP Server project recommends that all users who have built
+   Apache from source apply the patch or upgrade to the latest level and
+   rebuild. Providers of Apache-based web servers in pre-compiled form will
+   be able to determine if this vulnerability applies to their builds. That
+   determination has no bearing on any other builds of Apache HTTP Server,
+   and Apache HTTP Server users are urged to exercise caution and apply
+   patches or upgrade unless they have specific instructions from the
+   provider of their web server. Statements from vendors can be obtained from
+   the US-CERT vulnerability note for this issue at:
+
+           http://www.kb.cert.org/vuls/id/395412
+
+   The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for
+   the responsible reporting of this vulnerability.
+
+   We consider this release to be the best version of Apache available, and
+   encourage users of all prior versions to upgrade.
+
+   Apache HTTP Server 2.2.3 is available for download from:
+
+           http://httpd.apache.org/download.cgi
+
+   Apache 2.2 offers numerous enhancements, improvements, and performance
+   boosts over the 2.0 codebase. For an overview of new features introduced
+   since 2.0 please see:
+
+           http://httpd.apache.org/docs/2.2/new_features_2_2.html
+
+   Please see the CHANGES_2.2 file, linked from the download page, for a full
+   list of changes.
+
+   Apache HTTP Server 1.3.38 and 2.0.59 legacy releases are also available
+   with this security fix. See the appropriate CHANGES from the url above.
+   The Apache HTTP Project developers strongly encourages all users to
+   migrate to Apache 2.2, as only limited maintenance is performed on these
+   legacy versions.
+
+   This release includes the Apache Portable Runtime (APR) version 1.2.7
+   bundled with the tar and zip distributions. The APR libraries libapr,
+   libaprutil, and (on Win32) libapriconv must all be updated to ensure
+   binary compatibility and address many known platform bugs.
+
+   This release builds on and extends the Apache 2.0 API. Modules written for
+   Apache 2.0 will need to be recompiled in order to run with Apache 2.2, but
+   no substantial reworking should be necessary.
+
+           http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
+
+   When upgrading or installing this version of Apache, please bear in mind
+   that if you intend to use Apache with one of the threaded MPMs, you must
+   ensure that any modules you will be using (and the libraries they depend
+   on) are thread-safe.
 
-We consider this release to be the best version of Apache available, and
-encourage users of all prior versions to upgrade.
-
-Apache HTTP Server 2.2.2 is available for download from:
-
-  http://httpd.apache.org/download.cgi
-
-Apache 2.2 offers numerous enhancements, improvements, and performance
-boosts over the 2.0 codebase.  For an overview of new features introduced
-since 2.0 please see:
-
-  http://httpd.apache.org/docs/2.2/new_features_2_2.html
-
-Please see the CHANGES_2.2 file, linked from the download page, for a
-full list of changes.
-
-Apache HTTP Server 1.3.35 and 2.0.58 legacy releases are also available
-with minor bugfixes.  See the appropriate CHANGES from the url above.
-The Apache HTTP Project developers strongly encourages all users to
-migrate to Apache 2.2, as only limited maintenance is performed on these
-legacy versions.
-
-This release includes the Apache Portable Runtime (APR) version 1.2.7
-bundled with the tar and zip distributions.  The APR libraries libapr,
-libaprutil, and (on Win32) libapriconv must all be updated to ensure
-binary compatibility and address many known platform bugs.
-
-This release has been through extensive testing, including live at some
-of the world's busiest sites, and is now considered stable.  This means
-that modules and applications developed for Apache 2.2.2 will be both
-source- and binary-compatible with future 2.2.x releases.  This release
-builds on and extends the Apache 2.0 API. Modules written for Apache 2.0
-will need to be recompiled in order to run with Apache 2.2, but no
-substantial reworking should be necessary.
-
-  http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
-
-When upgrading or installing this version of Apache, please bear in mind
-that if you intend to use Apache with one of the threaded MPMs, you must
-ensure that any modules you will be using (and the libraries they depend
-on) are thread-safe.
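Review bot: `+   The Apache HTTP Project developers strongly encourages all users to` has a subject-verb mismatch; since the line is rewritten anyway, make it "encourage". The same two content points as the .html counterpart apply here: `following potential security flaws are addressed;` wants a colon and names a single flaw, and `1.3.38` at `+   Apache HTTP Server 1.3.38 and 2.0.59 legacy releases are also available` should be verified against the 1.3 announcement in this revision, because the 1.3 number jumps three releases while 2.0 moves one. Separately, re-indenting the whole file by three spaces makes every line show as changed, so the actual advisory text is hard to pick out of this diff; the re-indent would be easier to review as its own commit, or at least be mentioned in the log message.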


