httpd-cvs mailing list archives

From j..@apache.org
Subject svn commit: r612139 - in /httpd/site/trunk/dist: Announcement1.3.html Announcement1.3.txt Announcement2.0.html Announcement2.0.txt Announcement2.2.html Announcement2.2.txt
Date Tue, 15 Jan 2008 15:43:08 GMT
Author: jim
Date: Tue Jan 15 07:43:06 2008
New Revision: 612139

URL: http://svn.apache.org/viewvc?rev=612139&view=rev
Log:
Update announcements for 1.3.41, 2.0.63 and 2.2.8

Modified:
    httpd/site/trunk/dist/Announcement1.3.html
    httpd/site/trunk/dist/Announcement1.3.txt
    httpd/site/trunk/dist/Announcement2.0.html
    httpd/site/trunk/dist/Announcement2.0.txt
    httpd/site/trunk/dist/Announcement2.2.html
    httpd/site/trunk/dist/Announcement2.2.txt

Modified: httpd/site/trunk/dist/Announcement1.3.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement1.3.html?rev=612139&r1=612138&r2=612139&view=diff
==============================================================================
--- httpd/site/trunk/dist/Announcement1.3.html (original)
+++ httpd/site/trunk/dist/Announcement1.3.html Tue Jan 15 07:43:06 2008
@@ -15,28 +15,34 @@
 <IMG SRC="../../images/apache_sub.gif" ALT="">
 
 
-<h1>Apache HTTP Server 1.3.39 Released</h1>
+<h1>Apache HTTP Server 1.3.41 Released</h1>
                                        
 <p>The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the release of version 1.3.39 of the Apache HTTP
+   pleased to announce the release of version 1.3.41 of the Apache HTTP
    Server ("Apache").  This Announcement notes the significant change
-   in 1.3.39 as compared to 1.3.37 (1.3.38 was not released).</p>
+   in 1.3.41 as compared to 1.3.39 (1.3.40 was not released).</p>
 
 <p>This version of Apache is a security fix release only.</p>
 
 <ul>
 <li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752">CVE-2006-5752:</a>
-mod_status: Fix a possible XSS attack against a site with a public
-server-status page and ExtendedStatus enabled, for browsers which
-perform charset "detection".
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388">CVE-2007-6388:</a>
+mod_status: Ensure refresh parameter is numeric to prevent
+a possible XSS attack caused by redirecting to other URLs.
+Reported by SecurityReason.
 </li>
 
 <li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304">CVE-2007-3304:</a>
-Ensure that the parent process cannot be forced to kill non-child
-processes by checking scoreboard PID data with parent process
-privately stored PID data.
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000">CVE-2007-5000:</a>
+mod_imap: Fix cross-site scripting issue.  Reported by JPCERT.
+</li>
+
+<li><a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847">CVE-2007-3847:</a>
+mod_proxy: Prevent reading past the end of a buffer when parsing
+date-related headers.  PR 41144.
+With Apache 1.3, the denial of service vulnerability applies only 
+to the Windows and NetWare platforms.
 </li>
 
 </ul>
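Review bot: the unchanged line "This version of Apache is a security fix release only." now contradicts the Announcement1.3.txt change in this same commit, which reads "principally a bug and security fix release" and adds a Bugfixes section for the CVE-2007-3304 PID-table rework; the two files should carry the same wording. Minor: the added mod_proxy entry has trailing whitespace after "applies only".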
@@ -44,17 +50,17 @@
 <p>Please note that ability to exploit this issue is dependent on running
 untrusted 3rd party modules or untrusted server-side code.</p>
 
-<p>Apache 1.3.39 is the current stable release of the Apache 1.3 family.
+<p>Apache 1.3.41 is the current stable release of the Apache 1.3 family.
    We strongly recommend that users of all earlier versions, including 
    1.3 family release, upgrade to to the current 2.2 version as soon
    as possible.</p>
 
-<p>We recommend Apache 1.3.39 version for users who require a third party
+<p>We recommend Apache 1.3.41 version for users who require a third party
    module that is not yet available as an Apache 2.x module.  Modules
    compiled for Apache 2.x are not compatible with Apache 1.3, and modules
    compiled for Apache 1.3 are not compatible with Apache 2.x.</p>
 
-<p>Apache 1.3.39 is available for download from</p>
+<p>Apache 1.3.41 is available for download from</p>
 <dl>
     <dd><a href="http://httpd.apache.org/download.cgi"
           >http://httpd.apache.org/download.cgi</a></dd>
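Review bot: the unchanged paragraph "Please note that ability to exploit this issue is dependent on running untrusted 3rd party modules or untrusted server-side code." was the caveat for CVE-2007-3304, which this commit removes from the list above it; left in place it now reads as qualifying CVE-2007-3847 and should be dropped or moved to the Bugfixes text. While here, "upgrade to to the current 2.2 version" has a doubled "to" (same in the .txt).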
@@ -62,8 +68,8 @@
 </dl>
 
 <p>Please see the CHANGES_1.3 file, linked from the above page, for
-   a full list of changes.  A condensed list, CHANGES_1.3.39 provides
-   the complete list of changes since 1.3.37.</p>
+   a full list of changes.  A condensed list, CHANGES_1.3.41 provides
+   the complete list of changes since 1.3.39.</p>
 
 <p>This service utilizes the network of mirrors listed at:</p>
 <dl>
@@ -94,26 +100,32 @@
    a binary may be available at <a href="http://archive.apache.org/dist/httpd/"
    >http://archive.apache.org/dist/httpd/</a>.</p>
 
-<p>Apache is the most popular web server in the known universe; about 2/3
+<p>Apache is the most popular web server in the known universe; over 2/3
    of the servers on the Internet run Apache HTTP Server, or one of its
    variants.</p>
 
-<h2>Apache 1.3.39 Major changes</h2>
+<h2>Apache 1.3.41 Major changes</h2>
 
 <h3>Security vulnerabilities</h3>
 
 <p>
-   The main security vulnerabilities addressed in 1.3.39 are:
+   The main security vulnerabilities addressed in 1.3.41 are:
 </p>
 <dl>
-<dt>CVE-2006-5752 (cve.mitre.org)</dt>
-<dd>mod_status: Fix a possible XSS attack against a site with a public
-server-status page and ExtendedStatus enabled, for browsers which
-perform charset "detection".  Reported by Stefan Esser.</dd>
-<dt>CVE-2007-3304 (cve.mitre.org)</dt>
-<dd>Ensure that the parent process cannot be forced to kill non-child
-processes by checking scoreboard PID data with parent process
-privately stored PID data.</dd>
+<dt>CVE-2007-6388 (cve.mitre.org)</dt>
+<dd>mod_status: Ensure refresh parameter is numeric to prevent
+     a possible XSS attack caused by redirecting to other URLs.
+     Reported by SecurityReason.</dd>
+
+<dt>CVE-2007-5000 (cve.mitre.org)</dt>
+<dd>mod_imap: Fix cross-site scripting issue.  Reported by JPCERT.</dd>
+
+<dt>CVE-2007-3847 (cve.mitre.org)</dt>
+<dd>mod_proxy: Prevent reading past the end of a buffer when parsing
+     date-related headers.  PR 41144.
+     With Apache 1.3, the denial of service vulnerability applies only 
+     to the Windows and NetWare platforms.</dd>
+
 </dl>
 <!--
 <h3>New features</h3>
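Review bot: the same hunk bumps "about 2/3 of the servers on the Internet" to "over 2/3" with no source cited; a release announcement should not change a market-share figure without one, so either cite the survey or keep the previous wording. Minor: trailing whitespace after "applies only" in the CVE-2007-3847 dd.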
@@ -132,8 +144,8 @@
 <p>
 <h3>Bugs fixed</h3>
 <p>
-   The following bugs were found in Apache 1.3.35 (or earlier) and have been fixed in
-   Apache 1.3.36:
+   The following bugs were found in Apache 1.3.39 (or earlier) and have been fixed in
+   Apache 1.3.41:
 </p>
 <ul>
 </ul>
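Review bot: the "Bugs fixed" heading is updated to 1.3.41 but the list below it stays empty, while Announcement1.3.txt in this commit adds a "Bugfixes addressed in 1.3.41" entry for the more efficient CVE-2007-3304 PID table implementation (memory growth in a long-running parent, bogus "Bad pid" errors); the HTML should list the same item so the two announcements match.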

Modified: httpd/site/trunk/dist/Announcement1.3.txt
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement1.3.txt?rev=612139&r1=612138&r2=612139&view=diff
==============================================================================
--- httpd/site/trunk/dist/Announcement1.3.txt (original)
+++ httpd/site/trunk/dist/Announcement1.3.txt Tue Jan 15 07:43:06 2008
@@ -1,36 +1,40 @@
-                       Apache HTTP Server 1.3.39 Released
+                       Apache HTTP Server 1.3.41 Released
 
    The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the release of version 1.3.39 of the Apache HTTP
+   pleased to announce the release of version 1.3.41 of the Apache HTTP
    Server ("Apache"). This Announcement notes the significant change in
-   1.3.39 as compared to 1.3.37 (1.3.38 was not released).
+   1.3.41 as compared to 1.3.39 (1.3.40 was not released).
 
-   This version of Apache is a security fix release only:
+   This version of Apache is is principally a bug and security fix release.
+   The following potential security flaws are addressed:
 
-     * CVE-2006-5752 (cve.mitre.org)
-       A possible XSS attack exist against a site with a public
-       server-status page and ExtendedStatus enabled, for browsers which
-       perform charset "detection".  Reported by Stefan Esser.
-
-     * CVE-2007-3304 (cve.mitre.org)
-       The Apache parent process can be tricked into sending signals
-       to non-Apache child processes. Please note that ability
-       to exploit this issue is dependent on running untrusted 3rd party
-       modules or untrusted server-side code.
+     * CVE-2007-6388 (cve.mitre.org)
+       mod_status: Ensure refresh parameter is numeric to prevent
+       a possible XSS attack caused by redirecting to other URLs.
+       Reported by SecurityReason.
+
+     * CVE-2007-5000 (cve.mitre.org)
+       mod_imap: Fix cross-site scripting issue.  Reported by JPCERT.
+
+     * CVE-2007-3847 (cve.mitre.org)
+       mod_proxy: Prevent reading past the end of a buffer when parsing
+       date-related headers.  PR 41144.
+       With Apache 1.3, the denial of service vulnerability applies only 
+       to the Windows and NetWare platforms.
 
-   Please see the CHANGES_1.3.39 file in this directory for a full list
+   Please see the CHANGES_1.3.41 file in this directory for a full list
    of changes for this version.
 
-   Apache 1.3.39 is the current stable release of the Apache 1.3 family. We
+   Apache 1.3.41 is the current stable release of the Apache 1.3 family. We
    strongly recommend that users of all earlier versions, including 1.3
    family release, upgrade to to the current 2.2 version as soon as possible.
 
-   We recommend Apache 1.3.39 version for users who require a third party
+   We recommend Apache 1.3.41 version for users who require a third party
    module that is not yet available as an Apache 2.x module. Modules compiled
    for Apache 2.x are not compatible with Apache 1.3, and modules compiled
    for Apache 1.3 are not compatible with Apache 2.x.
 
-   Apache 1.3.39 is available for download from
+   Apache 1.3.41 is available for download from
 
            http://httpd.apache.org/download.cgi
 
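Review bot: typo in the added line "This version of Apache is is principally a bug and security fix release." (doubled "is"). Also note this wording now differs from Announcement1.3.html, which still says "security fix release only".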
@@ -62,19 +66,30 @@
    the servers on the Internet run Apache HTTP Server, or one of its
    variants.
 
-Apache 1.3.39 Major changes
+Apache 1.3.41 Major changes
 
   Security vulnerabilities
 
-   The main security vulnerabilities addressed in 1.3.39 are:
+   The main security vulnerabilities addressed in 1.3.41 are:
 
-
-    CVE-2006-5752 (cve.mitre.org)
-     mod_status: Fix a possible XSS attack against a site with a public
-     server-status page and ExtendedStatus enabled, for browsers which
-     perform charset "detection".  Reported by Stefan Esser.
-
-    CVE-2007-3304 (cve.mitre.org)
-     Ensure that the parent process cannot be forced to kill non-child
-     processes by checking scoreboard PID data with parent process
-     privately stored PID data.
+    CVE-2007-6388 (cve.mitre.org)
+     mod_status: Ensure refresh parameter is numeric to prevent
+     a possible XSS attack caused by redirecting to other URLs.
+     Reported by SecurityReason.
+
+    CVE-2007-5000 (cve.mitre.org)
+     mod_imap: Fix cross-site scripting issue.  Reported by JPCERT.
+
+    CVE-2007-3847 (cve.mitre.org)
+     mod_proxy: Prevent reading past the end of a buffer when parsing
+     date-related headers.  PR 41144.
+     With Apache 1.3, the denial of service vulnerability applies only 
+     to the Windows and NetWare platforms.
+
+  Bugfixes addressed in 1.3.41 are:
+
+    More efficient implementation of the CVE-2007-3304 PID table
+    patch. This fixes issues with excessive memory usage by the
+    parent process if long-running and with a high number of child
+    process forks during that timeframe. Also fixes bogus "Bad pid"
+    errors.
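Review bot: the Bugfixes entry cites CVE-2007-3304 without saying that the vulnerability itself was already fixed in 1.3.39 and that 1.3.41 only reworks that fix; a reader skimming for new CVEs could take it for a fourth security issue. Suggest opening with "Rework of the fix for CVE-2007-3304 (shipped in 1.3.39): ...".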

Modified: httpd/site/trunk/dist/Announcement2.0.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.0.html?rev=612139&r1=612138&r2=612139&view=diff
==============================================================================
--- httpd/site/trunk/dist/Announcement2.0.html (original)
+++ httpd/site/trunk/dist/Announcement2.0.html Tue Jan 15 07:43:06 2008
@@ -14,12 +14,12 @@
 >
 <img src="../../images/apache_sub.gif" alt="">
 
-<h1>Apache HTTP Server 2.0.61 Released</h1>
+<h1>Apache HTTP Server 2.0.63 Released</h1>
 
 <p>The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the legacy release of version 2.0.61 of the Apache HTTP
+   pleased to announce the legacy release of version 2.0.63 of the Apache HTTP
    Server ("Apache").  This Announcement notes the significant changes in
-   2.0.61 as compared to 2.0.59 (there was no 2.0.60).
+   2.0.63 as compared to 2.0.61 (2.0.62 was not released).
    This Announcement2.0 document may also be
    available in multiple languages at:</p>
 
@@ -34,29 +34,17 @@
 
 <ul>
 <li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847">CVE-2007-3847:</a>
-     mod_proxy: Prevent reading past the end of a buffer when parsing
-     date-related headers.  PR 41144.
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388">CVE-2007-6388:</a>
+mod_status: Ensure refresh parameter is numeric to prevent
+       a possible XSS attack caused by redirecting to other URLs. 
+       Reported by SecurityReason.
 </li>
 
 <li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1863">CVE-2007-1863:</a>
-     mod_cache: Prevent segmentation fault if a Cache-Control header has
-     no value.
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000">CVE-2007-5000:</a>
+mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
 </li>
 
-<li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752">CVE-2006-5752:</a>
-     mod_status: Fix a possible XSS attack against a site with a public
-     server-status page and ExtendedStatus enabled, for browsers which
-     perform charset "detection".  Reported by Stefan Esser.
-</li>
-
-<li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304">CVE-2007-3304:</a>
-     prefork, worker MPMs: Ensure that the parent process cannot
-     be forced to kill processes outside its process group. 
-</li>
 </ul>
 
 <p>This release is compatible with modules compiled for 2.0.42 and
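Review bot: indentation in the added CVE-2007-6388 entry is inconsistent (the "mod_status:" line is flush left, the two lines after it are indented seven spaces), unlike the other list items; align the three lines. The removal of CVE-2007-3847, CVE-2007-1863 and CVE-2007-3304 is correct since those were fixed in 2.0.61 and this list describes 2.0.63 only.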
@@ -65,20 +53,20 @@
    upgrade.</p>
 
 <p>This release includes the Apache Portable Runtime library suite
-   release version 0.9.16, bundled with the tar and zip distributions.
+   release version 0.9.17, bundled with the tar and zip distributions.
    These libraries; libapr, libaprutil, and on Win32, libapriconv must
    all be updated to ensure binary compatibility and address many
    known platform bugs.</p>
 
-<p>Apache HTTP Server 2.0.61 is available for download from</p>
+<p>Apache HTTP Server 2.0.63 is available for download from</p>
 <dl>
   <dd><a href="http://httpd.apache.org/download.cgi"
         >http://httpd.apache.org/download.cgi</a></dd>
 </dl>
 
 <p>Please see the CHANGES_2.0 file, linked from the above page, for
-   a full list of changes.  A condensed list, CHANGES_2.0.61 provides
-   the complete list of changes since 2.0.59.</p>
+   a full list of changes.  A condensed list, CHANGES_2.0.63 provides
+   the complete list of changes since 2.0.61.</p>
    
 <p>Apache 2.0 offers numerous enhancements, improvements, and performance
    boosts over the 1.3 codebase.  For an overview of new features introduced
@@ -104,7 +92,7 @@
 </dl>
 
 <p>We consider Apache 2.2 to be the best available version at the time of
-   this release.  We offer Apache 2.0.61 as the best legacy version of Apache
+   this release.  We offer Apache 2.0.63 as the best legacy version of Apache
    2.0 available. Users should first consider upgrading to the current release
    of Apache 2.2 instead.</p>
 

Modified: httpd/site/trunk/dist/Announcement2.0.txt
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.0.txt?rev=612139&r1=612138&r2=612139&view=diff
==============================================================================
--- httpd/site/trunk/dist/Announcement2.0.txt (original)
+++ httpd/site/trunk/dist/Announcement2.0.txt Tue Jan 15 07:43:06 2008
@@ -1,34 +1,25 @@
-                       Apache HTTP Server 2.0.61 Released
+                       Apache HTTP Server 2.0.63 Released
 
    The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the legacy release of version 2.0.61 of the Apache
+   pleased to announce the legacy release of version 2.0.63 of the Apache
    HTTP Server ("Apache"). This Announcement notes the significant changes in
-   2.0.61 as compared to 2.0.59 (there was no 2.0.60). This Announcement2.0
-   document may also be available in multiple languages at:
+   2.0.63 as compared to 2.0.61 (2.0.62 was not released). This
+   Announcement2.0 document may also be available in multiple languages at:
 
            http://www.apache.org/dist/httpd/
 
    This version of Apache is principally a bug and security fix release. The
    following potential security flaws are addressed:
 
-     * CVE-2007-3847 (cve.mitre.org)
-       mod_proxy: Prevent reading past the end of a buffer when parsing
-       date-related headers.  PR 41144.
-
-    * CVE-2007-1863 (cve.mitre.org)
-       mod_cache: Prevent segmentation fault if a Cache-Control header has
-       no value.
-
-    * CVE-2006-5752 (cve.mitre.org)
-       mod_status: Fix a possible XSS attack against a site with a public
-      server-status page and ExtendedStatus enabled, for browsers which
-       perform charset "detection".  Reported by Stefan Esser.
-
-    * CVE-2007-3304 (cve.mitre.org)
-       prefork, worker MPMs: Ensure that the parent process cannot
-       be forced to kill processes outside its process group. 
+     * CVE-2007-6388 (cve.mitre.org)
+       mod_status: Ensure refresh parameter is numeric to prevent
+       a possible XSS attack caused by redirecting to other URLs. 
+       Reported by SecurityReason.
 
-   Please see the CHANGES_2.0.61 file in this directory for a full list
+     * CVE-2007-5000 (cve.mitre.org)
+       mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
+
+   Please see the CHANGES_2.0.63 file in this directory for a full list
    of changes for this version.
 
    This release is compatible with modules compiled for 2.0.42 and later
@@ -36,18 +27,18 @@
    available and encourage users of all prior versions to upgrade.
 
    This release includes the Apache Portable Runtime library suite release
-   version 0.9.16, bundled with the tar and zip distributions. These
+   version 0.9.17, bundled with the tar and zip distributions. These
    libraries; libapr, libaprutil, and on Win32, libapriconv must all be
    updated to ensure binary compatibility and address many known platform
    bugs.
 
-   Apache HTTP Server 2.0.61 is available for download from
+   Apache HTTP Server 2.0.63 is available for download from
 
            http://httpd.apache.org/download.cgi
 
    Please see the CHANGES_2.0 file, linked from the above page, for a full
-   list of changes. A condensed list, CHANGES_2.0.61 provides the complete
-   list of changes since 2.0.59.
+   list of changes. A condensed list, CHANGES_2.0.63 provides the complete
+   list of changes since 2.0.61.
 
    Apache 2.0 offers numerous enhancements, improvements, and performance
    boosts over the 1.3 codebase. For an overview of new features introduced
@@ -68,7 +59,7 @@
            http://httpd.apache.org/docs/2.2/new_features_2_2.html
 
    We consider Apache 2.2 to be the best available version at the time of
-   this release. We offer Apache 2.0.61 as the best legacy version of Apache
+   this release. We offer Apache 2.0.63 as the best legacy version of Apache
    2.0 available. Users should first consider upgrading to the current
    release of Apache 2.2 instead.
 

Modified: httpd/site/trunk/dist/Announcement2.2.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.2.html?rev=612139&r1=612138&r2=612139&view=diff
==============================================================================
--- httpd/site/trunk/dist/Announcement2.2.html (original)
+++ httpd/site/trunk/dist/Announcement2.2.html Tue Jan 15 07:43:06 2008
@@ -14,10 +14,10 @@
 >
 <img src="../../images/apache_sub.gif" alt="">
 
-<h1>Apache HTTP Server 2.2.6 Released</h1>
+<h1>Apache HTTP Server 2.2.8 Released</h1>
 
 <p>The Apache Software Foundation and the Apache HTTP Server Project are
-pleased to announce the release of version 2.2.6 of the Apache HTTP Server
+pleased to announce the release of version 2.2.8 of the Apache HTTP Server
 ("Apache").</p>
 
 <p>This version of Apache is principally a bug and security fix release.
@@ -26,34 +26,29 @@
 
 <ul>
 <li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847">CVE-2007-3847:</a>
-     mod_proxy: Prevent reading past the end of a buffer when parsing
-     date-related headers.  PR 41144.
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6421">CVE-2007-6421:</a>
+ mod_proxy_balancer: Correctly escape the worker route and the worker
+ redirect string in the HTML output of the balancer manager.
+ Reported by SecurityReason.
 </li>
 
 <li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1863">CVE-2007-1863:</a>
-     mod_cache: Prevent a segmentation fault if attributes are listed in a 
-     Cache-Control header without any value. 
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6422">CVE-2007-6422:</a>
+ Prevent crash in balancer manager if invalid balancer name is passed
+ as parameter. Reported by SecurityReason. 
 </li>
 
 <li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304">CVE-2007-3304:</a>
-     prefork, worker, event MPMs: Ensure that the parent process cannot
-     be forced to kill processes outside its process group. 
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388">CVE-2007-6388:</a>
+ mod_status: Ensure refresh parameter is numeric to prevent
+ a possible XSS attack caused by redirecting to other URLs.
+ Reported by SecurityReason. 
 </li>
 <li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752">CVE-2006-5752:</a>
-     mod_status: Fix a possible XSS attack against a site with a public
-     server-status page and ExtendedStatus enabled, for browsers which
-     perform charset "detection".  Reported by Stefan Esser.
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000 ">CVE-2007-5000 :</a>
+ mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
 </li>
 
-<li><a
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1862">CVE-2007-1862:</a>
-     mod_mem_cache: Copy headers into longer lived storage; header names and
-     values could previously point to cleaned up storage.  PR 41551.
-</li>
 </ul>
 
 <p>
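Review bot: the added CVE-2007-5000 anchor carries a stray space inside the URL (`name=CVE-2007-5000 "`) and in the link text (`CVE-2007-5000 :`); the space will be sent to cve.mitre.org as part of the name and the visible text shows a gap before the colon. Remove both spaces. Minor: the CVE-2007-6422 entry omits the module name that every other entry leads with ("mod_proxy_balancer: Prevent crash ...").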
@@ -61,7 +56,7 @@
 encourage users of all prior versions to upgrade.
 </p>
 
-<p>Apache HTTP Server 2.2.6 is available for download from:</p>
+<p>Apache HTTP Server 2.2.8 is available for download from:</p>
 <dl>
   <dd><a href="http://httpd.apache.org/download.cgi"
               >http://httpd.apache.org/download.cgi</a></dd>
@@ -80,10 +75,10 @@
 
 <p>
 Please see the CHANGES_2.2 file, linked from the download page, for a
-full list of changes.  A condensed list, CHANGES_2.2.6 provides the
-complete list of changes since 2.2.4 (there was no 2.2.5).
+full list of changes.  A condensed list, CHANGES_2.2.8 provides the
+complete list of changes since 2.2.6 (2.2.7 was not released).
 A summary of security vulnerabilities
-which were  addressed in the previous 2.2.4 and earlier releases is available:
+which were  addressed in the previous 2.2.6 and earlier releases is available:
 <dl>
   <dd><a href="http://httpd.apache.org/security/vulnerabilities_22.html"
               >http://httpd.apache.org/security/vulnerabilities_22.html</a>
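Review bot: the changed line keeps a double space in "which were  addressed in the previous 2.2.6"; while editing it, collapse the spacing.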
@@ -91,7 +86,7 @@
 </p>
 
 <p>
-Apache HTTP Server 1.3.39 and 2.0.61 legacy releases are also currently
+Apache HTTP Server 1.3.41 and 2.0.63 legacy releases are also currently
 available.  See the corresponding CHANGES files linked from the download page.
 The Apache HTTP Project developers strongly encourage all users to migrate 
 to  Apache 2.2, as only limited maintenance is performed for these legacy 
@@ -100,7 +95,7 @@
 
 <p>
 This release includes the <a href="http://apr.apache.org/"
->Apache Portable Runtime</a> (APR) version 1.2.11
+>Apache Portable Runtime</a> (APR) version 1.2.12
 bundled with the tar and zip distributions.  The APR libraries libapr and
 libaprutil (and on Win32, libapriconv) must all be updated to ensure
 binary compatibility and address many known platform bugs.

Modified: httpd/site/trunk/dist/Announcement2.2.txt
URL: http://svn.apache.org/viewvc/httpd/site/trunk/dist/Announcement2.2.txt?rev=612139&r1=612138&r2=612139&view=diff
==============================================================================
--- httpd/site/trunk/dist/Announcement2.2.txt (original)
+++ httpd/site/trunk/dist/Announcement2.2.txt Tue Jan 15 07:43:06 2008
@@ -1,35 +1,31 @@
-                       Apache HTTP Server 2.2.6 Released
+                       Apache HTTP Server 2.2.8 Released
 
    The Apache Software Foundation and the Apache HTTP Server Project are
-   pleased to announce the release of version 2.2.6 of the Apache HTTP Server
+   pleased to announce the release of version 2.2.8 of the Apache HTTP Server
    ("Apache").  This version of Apache is principally a bug and security fix
    release. The following potential security flaws are addressed:
 
-     * CVE-2007-3847 (cve.mitre.org)
-       mod_proxy: Prevent reading past the end of a buffer when parsing
-       date-related headers.  PR 41144.
-
-     * CVE-2007-1863 (cve.mitre.org)
-       mod_cache: Prevent a segmentation fault if attributes are listed in a 
-       Cache-Control header without any value. 
-
-     * CVE-2007-3304 (cve.mitre.org)
-       prefork, worker, event MPMs: Ensure that the parent process cannot
-       be forced to kill processes outside its process group. 
-
-     * CVE-2006-5752 (cve.mitre.org)
-       mod_status: Fix a possible XSS attack against a site with a public
-       server-status page and ExtendedStatus enabled, for browsers which
-       perform charset "detection".  Reported by Stefan Esser.
-
-     * CVE-2007-1862 (cve.mitre.org)
-       mod_mem_cache: Copy headers into longer lived storage; header names and
-       values could previously point to cleaned up storage.  PR 41551.
+     * CVE-2007-6421 (cve.mitre.org)
+       mod_proxy_balancer: Correctly escape the worker route and the worker
+       redirect string in the HTML output of the balancer manager.
+       Reported by SecurityReason.
+
+     * CVE-2007-6422 (cve.mitre.org)
+       Prevent crash in balancer manager if invalid balancer name is passed
+       as parameter. Reported by SecurityReason.
+
+     * CVE-2007-6388 (cve.mitre.org)
+       mod_status: Ensure refresh parameter is numeric to prevent
+       a possible XSS attack caused by redirecting to other URLs.
+       Reported by SecurityReason.
+
+     * CVE-2007-5000 (cve.mitre.org)
+       mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
 
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.
 
-   Apache HTTP Server 2.2.6 is available for download from:
+   Apache HTTP Server 2.2.8 is available for download from:
 
      http://httpd.apache.org/download.cgi
 
@@ -40,21 +36,21 @@
      http://httpd.apache.org/docs/2.2/new_features_2_2.html
 
    Please see the CHANGES_2.2 file, linked from the download page, for a
-   full list of changes.  A condensed list, CHANGES_2.2.6 provides the
-   complete list of changes since 2.2.4 (there was no 2.2.5). A summary
+   full list of changes.  A condensed list, CHANGES_2.2.8 provides the
+   complete list of changes since 2.2.6 (2.2.7 was not released). A summary
    of security vulnerabilities which were addressed in the previous 2.2.6
    and earlier releases is available:
    
      http://httpd.apache.org/security/vulnerabilities_22.html
 
-   Apache HTTP Server 1.3.39 and 2.0.61 legacy releases are also currently 
+   Apache HTTP Server 1.3.41 and 2.0.63 legacy releases are also currently 
    available.  See the appropriate CHANGES from the url above.  See the 
    corresponding CHANGES files linked from the download page.  The Apache 
    HTTP Project developers strongly encourage all users to migrate to 
    Apache 2.2, as only limited maintenance is performed on these legacy 
    versions.
 
-   This release includes the Apache Portable Runtime (APR) version 1.2.11
+   This release includes the Apache Portable Runtime (APR) version 1.2.12
    bundled with the tar and zip distributions.  The APR libraries libapr
    and libaprutil (and on Win32, libapriconv) must all be updated to ensure
    binary compatibility and address many known platform bugs.
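Review bot: the unchanged context right after the changed legacy-release line says both "See the appropriate CHANGES from the url above." and "See the corresponding CHANGES files linked from the download page."; the HTML version of this paragraph has only the second sentence, so drop the first here.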


