httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j..@apache.org
Subject svn commit: r5859 - in /dev/httpd: Announcement2.4.html Announcement2.4.txt
Date Tue, 15 Jul 2014 17:27:19 GMT
Author: jim
Date: Tue Jul 15 17:27:19 2014
New Revision: 5859

Log:
draft of announcements

Modified:
    dev/httpd/Announcement2.4.html
    dev/httpd/Announcement2.4.txt

Modified: dev/httpd/Announcement2.4.html
==============================================================================
--- dev/httpd/Announcement2.4.html (original)
+++ dev/httpd/Announcement2.4.html Tue Jul 15 17:27:19 2014
@@ -15,12 +15,12 @@
 <img src="../../images/apache_sub.gif" alt="" />
 
 <h1>
-                       Apache HTTP Server 2.4.9 Released
+                       Apache HTTP Server 2.4.10 Released
 </h1>
 <p>
    The Apache Software Foundation and the Apache HTTP Server Project are
    pleased to <a href="http://www.apache.org/dist/httpd/Announcement2.4.html">announce</a>
-   the release of version 2.4.9 of the Apache
+   the release of version 2.4.10 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of
@@ -29,16 +29,33 @@
    and bug fix release.
 </p>
 <ul>
-<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098">CVE-2014-0098</a>
-     Segfaults with truncated cookie logging.
-     mod_log_config: Prevent segfaults when logging truncated
-     cookies. Clean up the cookie logging parser to recognize
-     only the cookie=value pairs, not valueless cookies.
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117">CVE-2014-0117</a>
+     mod_proxy: Fix crash in Connection header handling which 
+     allowed a denial of service attack against a reverse proxy
+     with a threaded MPM.
 </li>
-<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438">CVE-2013-6438</a>
-     mod_dav: Keep track of length of cdata properly when removing
-     leading spaces. Eliminates a potential denial of service from
-     specifically crafted DAV WRITE requests
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3523">CVE-2014-3523</a>
+     Fix a memory consumption denial of service in the WinNT MPM (used in all Windows
+     installations). Workaround: AcceptFilter <protocol> {none|connect}
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226">CVE-2014-0226</a>
+     Fix a race condition in scoreboard handling, which could lead to
+     a heap buffer overflow.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118">CVE-2014-0118</a>
+     mod_deflate: The DEFLATE input filter (inflates request bodies) now
+     limits the length and compression ratio of inflated request bodies to avoid
+     denial of sevice via highly compressed bodies.  See directives
+     DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
+     and DeflateInflateRatioBurst.
+</li>
+<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231">CVE-2014-0231</a>
+     mod_cgid: Fix a denial of service against CGI scripts that do
+     not consume stdin that could lead to lingering HTTPD child processes
+     filling up the scoreboard and eventually hanging the server.  By
+     default, the client I/O timeout (Timeout directive) now applies to
+     communication with scripts.  The CGIDScriptTimeout directive can be
+     used to set a different timeout for communication with scripts.
 </li>
 </ul>
 <p>
@@ -54,11 +71,10 @@
 </ul>
 <p>
    We consider this release to be the best version of Apache available, and
-   encourage users of all prior versions to upgrade. [NOTE: 2.4.8 was not
-   released.]
+   encourage users of all prior versions to upgrade.
 </p>
 <p>
-   Apache HTTP Server 2.4.9 is available for download from:
+   Apache HTTP Server 2.4.10 is available for download from:
 </p>
 <dl>
   <dd><a href="http://httpd.apache.org/download.cgi"
@@ -66,7 +82,7 @@
 </dl>
 <p>
    Please see the CHANGES_2.4 file, linked from the download page, for a
-   full list of changes.  A condensed list, CHANGES_2.4.9 includes only
+   full list of changes.  A condensed list, CHANGES_2.4.10 includes only
    those changes introduced since the prior 2.4 release.  A summary of all 
    of the security vulnerabilities addressed in this and earlier releases 
    is available:

Modified: dev/httpd/Announcement2.4.txt
==============================================================================
--- dev/httpd/Announcement2.4.txt (original)
+++ dev/httpd/Announcement2.4.txt Tue Jul 15 17:27:19 2014
@@ -1,23 +1,40 @@
-                Apache HTTP Server 2.4.9 Released
+                Apache HTTP Server 2.4.10 Released
 
    The Apache Software Foundation and the Apache HTTP Server Project
-   are pleased to announce the release of version 2.4.9 of the Apache
+   are pleased to announce the release of version 2.4.10 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
    principally a security, feature and bug fix release.
 
-   CVE-2014-0098 (cve.mitre.org)
-     Segfaults with truncated cookie logging.
-     mod_log_config: Prevent segfaults when logging truncated
-     cookies. Clean up the cookie logging parser to recognize
-     only the cookie=value pairs, not valueless cookies.
-
-   CVE-2013-6438 (cve.mitre.org)
-     mod_dav: Keep track of length of cdata properly when removing
-     leading spaces. Eliminates a potential denial of service from
-     specifically crafted DAV WRITE requests
+    CVE-2014-0117 (cve.mitre.org)
+     mod_proxy: Fix crash in Connection header handling which 
+     allowed a denial of service attack against a reverse proxy
+     with a threaded MPM.
+
+    CVE-2014-3523 (cve.mitre.org)
+     Fix a memory consumption denial of service in the WinNT MPM (used in all Windows
+     installations). Workaround: AcceptFilter <protocol> {none|connect}
+
+    CVE-2014-0226 (cve.mitre.org)
+     Fix a race condition in scoreboard handling, which could lead to
+     a heap buffer overflow.
+
+    CVE-2014-0118 (cve.mitre.org)
+     mod_deflate: The DEFLATE input filter (inflates request bodies) now
+     limits the length and compression ratio of inflated request bodies to avoid
+     denial of sevice via highly compressed bodies.  See directives
+     DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
+     and DeflateInflateRatioBurst.
+
+    CVE-2014-0231 (cve.mitre.org)
+     mod_cgid: Fix a denial of service against CGI scripts that do
+     not consume stdin that could lead to lingering HTTPD child processes
+     filling up the scoreboard and eventually hanging the server.  By
+     default, the client I/O timeout (Timeout directive) now applies to
+     communication with scripts.  The CGIDScriptTimeout directive can be
+     used to set a different timeout for communication with scripts.
 
    Also in this release are some exciting new features including:
 
@@ -29,10 +46,9 @@
        DirectoryMatch, FilesMatch and ProxyMatch directives.
 
    We consider this release to be the best version of Apache available, and
-   encourage users of all prior versions to upgrade. [NOTE: 2.4.8 was not
-   released.]
+   encourage users of all prior versions to upgrade.
 
-   Apache HTTP Server 2.4.9 is available for download from:
+   Apache HTTP Server 2.4.10 is available for download from:
 
      http://httpd.apache.org/download.cgi
 
@@ -43,7 +59,7 @@
      http://httpd.apache.org/docs/trunk/new_features_2_4.html
 
    Please see the CHANGES_2.4 file, linked from the download page, for a
-   full list of changes. A condensed list, CHANGES_2.4.9 includes only
+   full list of changes. A condensed list, CHANGES_2.4.10 includes only
    those changes introduced since the prior 2.4 release.  A summary of all 
    of the security vulnerabilities addressed in this and earlier releases 
    is available:



Mime
View raw message