httpd-cvs mailing list archives

From wr...@apache.org
Subject svn commit: r20179 - /dev/httpd/
Date Fri, 23 Jun 2017 22:13:40 GMT
Author: wrowe
Date: Fri Jun 23 22:13:40 2017
New Revision: 20179

Log:
Stage 2.2.33 for review

Added:
    dev/httpd/CHANGES_2.2.33
    dev/httpd/httpd-2.2.33-win32-src.zip   (with props)
    dev/httpd/httpd-2.2.33-win32-src.zip.asc   (with props)
    dev/httpd/httpd-2.2.33-win32-src.zip.md5
    dev/httpd/httpd-2.2.33-win32-src.zip.sha1
    dev/httpd/httpd-2.2.33-win32-src.zip.sha256
    dev/httpd/httpd-2.2.33.tar.bz2   (with props)
    dev/httpd/httpd-2.2.33.tar.bz2.asc   (with props)
    dev/httpd/httpd-2.2.33.tar.bz2.md5
    dev/httpd/httpd-2.2.33.tar.bz2.sha1
    dev/httpd/httpd-2.2.33.tar.bz2.sha256
    dev/httpd/httpd-2.2.33.tar.gz   (with props)
    dev/httpd/httpd-2.2.33.tar.gz.asc   (with props)
    dev/httpd/httpd-2.2.33.tar.gz.md5
    dev/httpd/httpd-2.2.33.tar.gz.sha1
    dev/httpd/httpd-2.2.33.tar.gz.sha256
Modified:
    dev/httpd/CHANGES_2.2

Modified: dev/httpd/CHANGES_2.2
==============================================================================
--- dev/httpd/CHANGES_2.2 (original)
+++ dev/httpd/CHANGES_2.2 Fri Jun 23 22:13:40 2017
@@ -1,4 +1,32 @@
                                                          -*- coding: utf-8 -*-
+Changes with Apache 2.2.33
+
+  *) SECURITY: CVE-2017-7668 (cve.mitre.org)
+     The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+     bug in token list parsing, which allows ap_find_token() to search past
+     the end of its input string. By maliciously crafting a sequence of
+     request headers, an attacker may be able to cause a segmentation fault,
+     or to force ap_find_token() to return an incorrect value.
+     [Jacob Champion]
+
+  *) SECURITY: CVE-2017-3169 (cve.mitre.org)
+     mod_ssl may dereference a NULL pointer when third-party modules call
+     ap_hook_process_connection() during an HTTP request to an HTTPS port.
+     [Yann Ylavic]
+
+  *) SECURITY: CVE-2017-3167 (cve.mitre.org)
+     Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+     authentication phase may lead to authentication requirements being
+     bypassed.
+     [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
+
+  *) SECURITY: CVE-2017-7679 (cve.mitre.org)
+     mod_mime can read one byte past the end of a buffer when sending a
+     malicious Content-Type response header.  [Yann Ylavic]
+  
+  *) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
+     [Joe Orton]
+
 Changes with Apache 2.2.32
 
   *) SECURITY: CVE-2016-8743 (cve.mitre.org)
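Review bot: The CVE-2017-3167 entry names the hazard (third-party modules calling ap_get_basic_auth_pw() outside the authentication phase) but gives module authors no indication of what to do instead, or whether the core's behaviour changed in 2.2.33; add a sentence stating the remedy so the entry is actionable. Two style points in the same hunk: "Use of the ap_get_basic_auth_pw()" should drop "the", and the separator after the CVE-2017-7679 entry is "+" followed by two spaces where every other separator is a bare "+".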

Added: dev/httpd/CHANGES_2.2.33
==============================================================================
--- dev/httpd/CHANGES_2.2.33 (added)
+++ dev/httpd/CHANGES_2.2.33 Fri Jun 23 22:13:40 2017
@@ -0,0 +1,29 @@
+                                                         -*- coding: utf-8 -*-
+Changes with Apache 2.2.33
+
+  *) SECURITY: CVE-2017-7668 (cve.mitre.org)
+     The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+     bug in token list parsing, which allows ap_find_token() to search past
+     the end of its input string. By maliciously crafting a sequence of
+     request headers, an attacker may be able to cause a segmentation fault,
+     or to force ap_find_token() to return an incorrect value.
+     [Jacob Champion]
+
+  *) SECURITY: CVE-2017-3169 (cve.mitre.org)
+     mod_ssl may dereference a NULL pointer when third-party modules call
+     ap_hook_process_connection() during an HTTP request to an HTTPS port.
+     [Yann Ylavic]
+
+  *) SECURITY: CVE-2017-3167 (cve.mitre.org)
+     Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+     authentication phase may lead to authentication requirements being
+     bypassed.
+     [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
+
+  *) SECURITY: CVE-2017-7679 (cve.mitre.org)
+     mod_mime can read one byte past the end of a buffer when sending a
+     malicious Content-Type response header.  [Yann Ylavic]
+  
+  *) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
+     [Joe Orton]
+
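Review bot: In the CVE-2017-7679 entry, "when sending a malicious Content-Type response header" does not say which party supplies the header value; state that precondition so operators can judge their exposure to the one-byte over-read. That entry also places "[Yann Ylavic]" on the text line while the other security entries put the attribution on its own line. Since this new file repeats verbatim the block added to CHANGES_2.2, any wording fix has to be applied in both places, and the whitespace-only separator line and the trailing empty "+" line at the end of the file can be dropped.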

Added: dev/httpd/httpd-2.2.33-win32-src.zip
==============================================================================
Binary file - no diff available.

Propchange: dev/httpd/httpd-2.2.33-win32-src.zip
------------------------------------------------------------------------------
    svn:mime-type = application/zip

Added: dev/httpd/httpd-2.2.33-win32-src.zip.asc
==============================================================================
Binary file - no diff available.

Propchange: dev/httpd/httpd-2.2.33-win32-src.zip.asc
------------------------------------------------------------------------------
    svn:mime-type = application/pgp-signature

Added: dev/httpd/httpd-2.2.33-win32-src.zip.md5
==============================================================================
--- dev/httpd/httpd-2.2.33-win32-src.zip.md5 (added)
+++ dev/httpd/httpd-2.2.33-win32-src.zip.md5 Fri Jun 23 22:13:40 2017
@@ -0,0 +1 @@
+9e366b0f60e7f89b5da7c7488b2ece5a  httpd-2.2.33-win32-src.zip
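Review bot: MD5 is not collision resistant, so this .md5 file (and the .sha1 staged beside it) is only good for catching accidental corruption; when reviewing the staged artifacts, verify each archive against its .asc signature and its .sha256 digest, and have the release announcement point users at those two rather than at the MD5 or SHA-1 values.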

Added: dev/httpd/httpd-2.2.33-win32-src.zip.sha1
==============================================================================
--- dev/httpd/httpd-2.2.33-win32-src.zip.sha1 (added)
+++ dev/httpd/httpd-2.2.33-win32-src.zip.sha1 Fri Jun 23 22:13:40 2017
@@ -0,0 +1 @@
+0af4012e10f4a9c51affd0df8c224dd3ffc4e2bc  httpd-2.2.33-win32-src.zip

Added: dev/httpd/httpd-2.2.33-win32-src.zip.sha256
==============================================================================
--- dev/httpd/httpd-2.2.33-win32-src.zip.sha256 (added)
+++ dev/httpd/httpd-2.2.33-win32-src.zip.sha256 Fri Jun 23 22:13:40 2017
@@ -0,0 +1 @@
+d304879672bfc46dfee76e3a4a3efd258ce904b73f929a1f89a9455bcfeb46a1  httpd-2.2.33-win32-src.zip
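Review bot: The digest line here separates hash and file name with two spaces (text mode), as do the .md5 and .sha1 files for the win32 zip, while the checksum files for httpd-2.2.33.tar.bz2 and httpd-2.2.33.tar.gz in this commit use " *" (binary mode). Generate all nine checksum files with the same invocation so scripted verification sees one format.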

Added: dev/httpd/httpd-2.2.33.tar.bz2
==============================================================================
Binary file - no diff available.

Propchange: dev/httpd/httpd-2.2.33.tar.bz2
------------------------------------------------------------------------------
    svn:mime-type = application/x-bzip2

Added: dev/httpd/httpd-2.2.33.tar.bz2.asc
==============================================================================
Binary file - no diff available.

Propchange: dev/httpd/httpd-2.2.33.tar.bz2.asc
------------------------------------------------------------------------------
    svn:mime-type = application/pgp-signature

Added: dev/httpd/httpd-2.2.33.tar.bz2.md5
==============================================================================
--- dev/httpd/httpd-2.2.33.tar.bz2.md5 (added)
+++ dev/httpd/httpd-2.2.33.tar.bz2.md5 Fri Jun 23 22:13:40 2017
@@ -0,0 +1 @@
+d5585a94da4a5fe825b5191aaceb9e86 *httpd-2.2.33.tar.bz2

Added: dev/httpd/httpd-2.2.33.tar.bz2.sha1
==============================================================================
--- dev/httpd/httpd-2.2.33.tar.bz2.sha1 (added)
+++ dev/httpd/httpd-2.2.33.tar.bz2.sha1 Fri Jun 23 22:13:40 2017
@@ -0,0 +1 @@
+01c90070196cb28dd29c0315305e02e5f76f53fb *httpd-2.2.33.tar.bz2

Added: dev/httpd/httpd-2.2.33.tar.bz2.sha256
==============================================================================
--- dev/httpd/httpd-2.2.33.tar.bz2.sha256 (added)
+++ dev/httpd/httpd-2.2.33.tar.bz2.sha256 Fri Jun 23 22:13:40 2017
@@ -0,0 +1 @@
+08a0c109f165d00e46e7e986c7e40620aee1fb038f10558812ca24c879eec5b2 *httpd-2.2.33.tar.bz2

Added: dev/httpd/httpd-2.2.33.tar.gz
==============================================================================
Binary file - no diff available.

Propchange: dev/httpd/httpd-2.2.33.tar.gz
------------------------------------------------------------------------------
    svn:mime-type = application/x-gzip

Added: dev/httpd/httpd-2.2.33.tar.gz.asc
==============================================================================
Binary file - no diff available.

Propchange: dev/httpd/httpd-2.2.33.tar.gz.asc
------------------------------------------------------------------------------
    svn:mime-type = application/pgp-signature

Added: dev/httpd/httpd-2.2.33.tar.gz.md5
==============================================================================
--- dev/httpd/httpd-2.2.33.tar.gz.md5 (added)
+++ dev/httpd/httpd-2.2.33.tar.gz.md5 Fri Jun 23 22:13:40 2017
@@ -0,0 +1 @@
+4c06fb41750ffecda5892e9a154d245d *httpd-2.2.33.tar.gz

Added: dev/httpd/httpd-2.2.33.tar.gz.sha1
==============================================================================
--- dev/httpd/httpd-2.2.33.tar.gz.sha1 (added)
+++ dev/httpd/httpd-2.2.33.tar.gz.sha1 Fri Jun 23 22:13:40 2017
@@ -0,0 +1 @@
+b7ffbcb6cfa65d5557ef670457dd9466ab509e79 *httpd-2.2.33.tar.gz

Added: dev/httpd/httpd-2.2.33.tar.gz.sha256
==============================================================================
--- dev/httpd/httpd-2.2.33.tar.gz.sha256 (added)
+++ dev/httpd/httpd-2.2.33.tar.gz.sha256 Fri Jun 23 22:13:40 2017
@@ -0,0 +1 @@
+8b181e0a9ccabe59b50623eca02bd34fcfd0ddb77f91f60eb0136f8a4f1a2e14 *httpd-2.2.33.tar.gz


