httpd-cvs mailing list archives

From wr...@apache.org
Subject svn commit: r494661 - in /httpd/site/trunk/dist: Announcement2.2.html Announcement2.2.txt
Date Wed, 10 Jan 2007 00:13:50 GMT
Author: wrowe
Date: Tue Jan  9 16:13:49 2007
New Revision: 494661

URL: http://svn.apache.org/viewvc?view=rev&rev=494661
Log:
Bump 2.2.4/apr 1.2.8, and inject a new reference to the security
vulnerability fix summary page.

Modified:
    httpd/site/trunk/dist/Announcement2.2.html
    httpd/site/trunk/dist/Announcement2.2.txt

Modified: httpd/site/trunk/dist/Announcement2.2.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.2.html?view=diff&rev=494661&r1=494660&r2=494661
==============================================================================
--- httpd/site/trunk/dist/Announcement2.2.html (original)
+++ httpd/site/trunk/dist/Announcement2.2.html Tue Jan  9 16:13:49 2007
@@ -14,75 +14,25 @@
 >
 <img src="../../images/apache_sub.gif" alt="">
 
-
-<h1>Apache HTTP Server 2.2.3 Released</h1>
+<h1>Apache HTTP Server 2.2.4 Released</h1>
 
 <p>
-The Apache Software Foundation and The Apache HTTP Server Project are
-pleased to announce the release of version 2.2.3 of the Apache HTTP Server
-("Apache").
-</p>
-
-<p>This version of Apache is principally a bug and security fix release.
-   The following potential security flaws are addressed;</p>
-
-<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747"
-     >CVE-2006-3747:</a>
-An off-by-one flaw exists in the Rewrite module, mod_rewrite,
-as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.
-</p>
-
-<p>Depending on the manner in which Apache HTTP Server was compiled, this 
-software defect may result in a vulnerability which, in combination with 
-certain types of Rewrite rules in the web server configuration files, could 
-be triggered remotely.  For vulnerable builds, the nature of the vulnerability 
-can be denial of service (crashing of web server processes) or potentially 
-allow arbitrary code execution.  This issue has been rated as having important 
-security impact by the Apache HTTP Server Security Team.</p>
-
-<p>This flaw does not affect a default installation of Apache HTTP Server.
-Users who do not use, or have not enabled, the Rewrite module mod_rewrite are
-not affected by this issue.  This issue only affects installations using a
-Rewrite rule with the following characteristics:</p>
- 
-<ul><li>The RewriteRule allows the attacker to control the initial part of
-  the rewritten URL (for example if the substitution URL starts with $1)</li>
-<li>The RewriteRule flags do NOT include any of the following flags:
-  Forbidden (F), Gone (G), or NoEscape (NE).</li></ul>
-
-<p>Please note that ability to exploit this issue is dependent on the
-stack layout for a particular compiled version of mod_rewrite. If the
-compiler used to compile Apache HTTP Server has added padding to the
-stack immediately after the buffer being overwritten, it will not be
-possible to exploit this issue, and Apache HTTP Server will continue
-operating normally.</p>
-
-<p>The Apache HTTP Server project recommends that all users who have
-built Apache from source apply the patch or upgrade to the latest
-level and rebuild.  Providers of Apache-based web servers in
-pre-compiled form will be able to determine if this vulnerability
-applies to their builds.  That determination has no bearing on any
-other builds of Apache HTTP Server, and Apache HTTP Server users are
-urged to exercise caution and apply patches or upgrade unless they
-have specific instructions from the provider of their web server.
-Statements from vendors can be obtained from the US-CERT vulnerability
-note for this issue at:
-<dl>
-<dd>
-<a
-href="http://www.kb.cert.org/vuls/id/395412"
-     >http://www.kb.cert.org/vuls/id/395412</a>
-</dd></dl>
-
-<p>The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the
-responsible reporting of this vulnerability.</p>
+The Apache Software Foundation and the Apache HTTP Server Project are
+pleased to announce the release of version 2.2.4 of the Apache HTTP Server
+("Apache").  This version of Apache is principally a bugfix release.
+</p>
 
 <p>
 We consider this release to be the best version of Apache available, and
-encourage users of all prior versions to upgrade.
+encourage users of all prior versions to upgrade.  A summary of security 
+vulnerabilities which have been addressed is documented at:
 </p>
+<dl>
+  <dd><a href="http://httpd.apache.org/security/vulnerabilities_22.html"
+              >http://httpd.apache.org/security/vulnerabilities_22.html</a>
+</dd></dl>
 
-<p>Apache HTTP Server 2.2.3 is available for download from:</p>
+<p>Apache HTTP Server 2.2.4 is available for download from:</p>
 <dl>
   <dd><a href="http://httpd.apache.org/download.cgi"
               >http://httpd.apache.org/download.cgi</a></dd>
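Review bot: the new lead-in `+vulnerabilities which have been addressed is documented at:` is vague about what the linked page covers, now that every detail of CVE-2006-3747 from the previous announcement is gone and the only remaining security pointer is `http://httpd.apache.org/security/vulnerabilities_22.html`; suggest `A summary of the security vulnerabilities addressed in 2.2.x releases is documented at:` so the link clearly replaces the per-CVE text rather than reading as a generic pointer. Also, `+encourage users of all prior versions to upgrade.  A summary of security ` carries trailing whitespace, and in the added `<dl>` the closing `+</dd></dl>` is flush-left while the `<dd>` two lines above is indented, unlike the download `<dl>` that follows; aligning them keeps the markup style consistent.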
@@ -105,24 +55,27 @@
 </p>
 
 <p>
-Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also available
-with this security fix.  See the appropriate CHANGES from the url above.
-The Apache HTTP Project developers strongly encourage all users to
-migrate to Apache 2.2, as only limited maintenance is performed on these
-legacy versions.
-</p>
-
-<p>This release includes the <a href="http://apr.apache.org/"
->Apache Portable Runtime</a> (APR) version 1.2.7
-bundled with the tar and zip distributions.  The APR libraries libapr,
-libaprutil, and (on Win32) libapriconv must all be updated to ensure
-binary compatibility and address many known platform bugs.
-</p>
-
-<p>This release builds on and extends the Apache 2.0 API. Modules written 
-for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, 
-but no substantial reworking should be necessary.
+Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also currently
+available.  See the corresponding CHANGES files linked from the download page.
+The Apache HTTP Project developers strongly encourage all users to migrate 
+to  Apache 2.2, as only limited maintenance is performed for these legacy 
+releases.
 </p>
+
+<p>
+This release includes the <a href="http://apr.apache.org/"
+>Apache Portable Runtime</a> (APR) version 1.2.8
+bundled with the tar and zip distributions.  The APR libraries libapr and
+libaprutil (and on Win32, libapriconv) must all be updated to ensure
+binary compatibility, and address many known platform bugs.
+</p>
+
+<p>
+This release builds on and extends the Apache 2.0 API. Modules written for 
+Apache version 2.0 will need to be recompiled in order to run with Apache 2.2,
+and require minimal or no source code changes.
+</p>
+
 <dl>
   <dd><a 
 href="http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING"
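Review bot: `+to  Apache 2.2, as only limited maintenance is performed for these legacy ` has a double space between `to` and `Apache` plus trailing whitespace, and this paragraph says `for these legacy releases` while the .txt version of the same paragraph says `on these legacy versions`; pick one wording for both files. In the APR paragraph, the added comma in `+binary compatibility, and address many known platform bugs.` makes `address` read as a second thing the release does rather than a second purpose of updating the libraries; the original `binary compatibility and address many known platform bugs` (still used in the .txt file) is the clearer reading.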
@@ -131,9 +84,9 @@
 
 <p>
 When upgrading or installing this version of Apache, please bear in mind
-that if you intend to use Apache with one of the threaded MPMs, you must
-ensure that any modules you will be using (and the libraries they depend
-on) are thread-safe.
+that if you intend to use Apache with one of the threaded MPMs (other than
+thank the Prefork MPM), you must ensure that any modules you will be using 
+(and the libraries they depend on) are thread-safe.
 </p>
 
 </body>
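Review bot: `+thank the Prefork MPM), you must ensure that any modules you will be using ` has a typo, `thank` for `than` (the .txt version of this paragraph correctly reads `(other than the Prefork MPM)`), and the line carries trailing whitespace. The parenthetical also reads as if Prefork were one of the threaded MPMs; `one of the threaded MPMs (that is, any MPM other than Prefork)` says what is intended without the ambiguity.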

Modified: httpd/site/trunk/dist/Announcement2.2.txt
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.2.txt?view=diff&rev=494661&r1=494660&r2=494661
==============================================================================
--- httpd/site/trunk/dist/Announcement2.2.txt (original)
+++ httpd/site/trunk/dist/Announcement2.2.txt Tue Jan  9 16:13:49 2007
@@ -1,66 +1,21 @@
-                       Apache HTTP Server 2.2.3 Released
+                       Apache HTTP Server 2.2.4 Released
 
-   The Apache Software Foundation and The Apache HTTP Server Project are
-   pleased to announce the release of version 2.2.3 of the Apache HTTP Server
-   ("Apache").
-
-   This version of Apache is principally a bug and security fix release. The
-   following potential security flaws are addressed;
-
-   CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
-   mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
-   and 2.2 since 2.2.0.
-
-   Depending on the manner in which Apache HTTP Server was compiled, this
-   software defect may result in a vulnerability which, in combination with
-   certain types of Rewrite rules in the web server configuration files,
-   could be triggered remotely. For vulnerable builds, the nature of the
-   vulnerability can be denial of service (crashing of web server processes)
-   or potentially allow arbitrary code execution. This issue has been rated
-   as having important security impact by the Apache HTTP Server Security
-   Team.
-
-   This flaw does not affect a default installation of Apache HTTP Server.
-   Users who do not use, or have not enabled, the Rewrite module mod_rewrite
-   are not affected by this issue. This issue only affects installations
-   using a Rewrite rule with the following characteristics:
-
-     * The RewriteRule allows the attacker to control the initial part of the
-       rewritten URL (for example if the substitution URL starts with $1)
-     * The RewriteRule flags do NOT include any of the following flags:
-       Forbidden (F), Gone (G), or NoEscape (NE).
-
-   Please note that ability to exploit this issue is dependent on the stack
-   layout for a particular compiled version of mod_rewrite. If the compiler
-   used to compile Apache HTTP Server has added padding to the stack
-   immediately after the buffer being overwritten, it will not be possible to
-   exploit this issue, and Apache HTTP Server will continue operating
-   normally.
-
-   The Apache HTTP Server project recommends that all users who have built
-   Apache from source apply the patch or upgrade to the latest level and
-   rebuild. Providers of Apache-based web servers in pre-compiled form will
-   be able to determine if this vulnerability applies to their builds. That
-   determination has no bearing on any other builds of Apache HTTP Server,
-   and Apache HTTP Server users are urged to exercise caution and apply
-   patches or upgrade unless they have specific instructions from the
-   provider of their web server. Statements from vendors can be obtained from
-   the US-CERT vulnerability note for this issue at:
-
-     http://www.kb.cert.org/vuls/id/395412
-
-   The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for
-   the responsible reporting of this vulnerability.
+   The Apache Software Foundation and the Apache HTTP Server Project are
+   pleased to announce the release of version 2.2.4 of the Apache HTTP Server
+   ("Apache").  This version of Apache is principally a bugfix release.
 
    We consider this release to be the best version of Apache available, and
-   encourage users of all prior versions to upgrade.
+   encourage users of all prior versions to upgrade.  A summary of security 
+   vulnerabilities which have been addressed is documented at:
+
+     http://httpd.apache.org/security/vulnerabilities_22.html
 
-   Apache HTTP Server 2.2.3 is available for download from:
+   Apache HTTP Server 2.2.4 is available for download from:
 
      http://httpd.apache.org/download.cgi
 
    Apache 2.2 offers numerous enhancements, improvements, and performance
-   boosts over the 2.0 codebase. For an overview of new features introduced
+   boosts over the 2.0 codebase.  For an overview of new features introduced
    since 2.0 please see:
 
      http://httpd.apache.org/docs/2.2/new_features_2_2.html
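Review bot: same wording point as in the HTML file for `+   vulnerabilities which have been addressed is documented at:`; suggest `A summary of the security vulnerabilities addressed in 2.2.x releases is documented at:` so the link is clearly the replacement for the removed CVE-2006-3747 text. `+   encourage users of all prior versions to upgrade.  A summary of security ` carries trailing whitespace, and the only change to `+   boosts over the 2.0 codebase.  For an overview of new features introduced` is a second space after the period, which is whitespace-only churn in an otherwise content-focused hunk.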
@@ -68,25 +23,26 @@
    Please see the CHANGES_2.2 file, linked from the download page, for a full
    list of changes.
 
-   Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also available
-   with this security fix. See the appropriate CHANGES from the url above.
-   The Apache HTTP Project developers strongly encourage all users to
-   migrate to Apache 2.2, as only limited maintenance is performed on these
-   legacy versions.
-
-   This release includes the Apache Portable Runtime (APR) version 1.2.7
-   bundled with the tar and zip distributions. The APR libraries libapr,
-   libaprutil, and (on Win32) libapriconv must all be updated to ensure
+   Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also currently 
+   available.  See the appropriate CHANGES from the url above.  See the 
+   corresponding CHANGES files linked from the download page.  The Apache 
+   HTTP Project developers strongly encourage all users to migrate to 
+   Apache 2.2, as only limited maintenance is performed on these legacy 
+   versions.
+
+   This release includes the Apache Portable Runtime (APR) version 1.2.8
+   bundled with the tar and zip distributions.  The APR libraries libapr
+   and libaprutil (and on Win32, libapriconv) must all be updated to ensure
    binary compatibility and address many known platform bugs.
 
-   This release builds on and extends the Apache 2.0 API. Modules written for
-   Apache 2.0 will need to be recompiled in order to run with Apache 2.2, but
-   no substantial reworking should be necessary.
+   This release builds on and extends the Apache 2.0 API.  Modules written
+   for Apache 2.0 will need to be recompiled in order to run with Apache 2.2,
+   and require minimal or no source code changes.
 
      http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
 
    When upgrading or installing this version of Apache, please bear in mind
-   that if you intend to use Apache with one of the threaded MPMs, you must
-   ensure that any modules you will be using (and the libraries they depend
-   on) are thread-safe.
+   that if you intend to use Apache with one of the threaded MPMs (other 
+   than the Prefork MPM), you must ensure that any modules you will be using 
+   (and the libraries they depend on) are thread-safe.
 
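Review bot: the legacy-release paragraph now says the same thing twice: `+   available.  See the appropriate CHANGES from the url above.  See the ` is immediately followed by `+   corresponding CHANGES files linked from the download page.`; the first sentence is the old text that the HTML version of this paragraph dropped, so delete `See the appropriate CHANGES from the url above.` here as well. The paragraph also ends `on these legacy versions` where the HTML file says `for these legacy releases`. Several added lines in this hunk (`currently `, `See the `, `The Apache `, `migrate to `, `legacy `, `(other `, `using `) carry trailing whitespace.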