httpd-cvs mailing list archives

From j..@apache.org
Subject svn commit: r20381 - /release/httpd/
Date Sun, 09 Jul 2017 18:10:22 GMT
Author: jim
Date: Sun Jul  9 18:10:21 2017
New Revision: 20381

Log:
Copy release tarballs for mirror pickup

Added:
    release/httpd/CHANGES_2.4.27
    release/httpd/httpd-2.4.27.tar.bz2   (with props)
    release/httpd/httpd-2.4.27.tar.bz2.asc   (with props)
    release/httpd/httpd-2.4.27.tar.bz2.md5
    release/httpd/httpd-2.4.27.tar.bz2.sha1
    release/httpd/httpd-2.4.27.tar.bz2.sha256
    release/httpd/httpd-2.4.27.tar.gz   (with props)
    release/httpd/httpd-2.4.27.tar.gz.asc   (with props)
    release/httpd/httpd-2.4.27.tar.gz.md5
    release/httpd/httpd-2.4.27.tar.gz.sha1
    release/httpd/httpd-2.4.27.tar.gz.sha256
Modified:
    release/httpd/CHANGES_2.4
    release/httpd/CHANGES_2.4.26

Modified: release/httpd/CHANGES_2.4
==============================================================================
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Sun Jul  9 18:10:21 2017
@@ -1,7 +1,66 @@
                                                          -*- coding: utf-8 -*-
 
+Changes with Apache 2.4.27
+
+  *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
+     global variable when using Lua 5.2 or later. This was exported as a
+     side effect from luaL_register, which is no longer supported as of
+     Lua 5.2 which deprecates pollution of the global namespace.
+     [Rainer Jung]
+
+  *) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
+     The server will continue to run, but HTTP/2 will no longer be negotiated.
+     [Stefan Eissing]
+
+  *) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
+     default ProxyFCGIBackendType, fixing a regression with PHP-FPM. PR 61202.
+     [Jacob Champion, Jim Jagielski]
+
+  *) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
+     PR58188, PR60831, PR61245. [Rainer Jung]
+  
+  *) mod_http2: Simplify ready queue, less memory and better performance. Update
+     mod_http2 version to 1.10.7. [Stefan Eissing]
+  
+  *) Allow single-char field names inadvertently disallowed in 2.4.25.
+     PR 61220. [Yann Ylavic]
+
+  *) htpasswd / htdigest: Do not apply the strict permissions of the temporary
+     passwd file to a possibly existing passwd file. PR 61240. [Ruediger Pluem]
+
+  *) core: Avoid duplicate HEAD in Allow header.
+     This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
+     PR 61207. [Christophe Jaillet]
+
 Changes with Apache 2.4.26
 
+  *) SECURITY: CVE-2017-7679 (cve.mitre.org)
+     mod_mime can read one byte past the end of a buffer when sending a
+     malicious Content-Type response header.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2017-7668 (cve.mitre.org)
+     The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+     bug in token list parsing, which allows ap_find_token() to search past
+     the end of its input string. By maliciously crafting a sequence of
+     request headers, an attacker may be able to cause a segmentation fault,
+     or to force ap_find_token() to return an incorrect value.
+     [Jacob Champion]
+
+  *) SECURITY: CVE-2017-7659 (cve.mitre.org)
+     A maliciously constructed HTTP/2 request could cause mod_http2 to
+     dereference a NULL pointer and crash the server process.
+
+  *) SECURITY: CVE-2017-3169 (cve.mitre.org)
+     mod_ssl may dereference a NULL pointer when third-party modules call
+     ap_hook_process_connection() during an HTTP request to an HTTPS port.
+     [Yann Ylavic]
+
+  *) SECURITY: CVE-2017-3167 (cve.mitre.org)
+     Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+     authentication phase may lead to authentication requirements being
+     bypassed.
+     [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
+
   *) HTTP/2 support no longer tagged as "experimental" but is instead considered
      fully production ready.
 
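Review bot: The CVE-2017-7659 entry in this hunk ends at "crash the server process." with no bracketed credit, while the other four SECURITY entries added beside it each name their contributors. Add the credit, or note that it is withheld on purpose, so the omission does not read as an editing slip.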
@@ -9,8 +68,6 @@ Changes with Apache 2.4.26
      the session in continuous check for state changes that never happen. 
      [Stefan Eissing]
 
-  *) mod_mime: Fix error checking for quoted pairs.  [Yann Ylavic]
-
   *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
      protocols.  [Jean-Frederic Clere]
 
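Review bot: Dropping "mod_mime: Fix error checking for quoted pairs" removes the one line that said what was changed in mod_mime; the CVE-2017-7679 entry added at the top of the 2.4.26 section describes the one-byte over-read but not the fix. If that SECURITY entry is meant to replace this line, fold the "quoted pairs" wording into it so that anyone auditing a backport can match the advisory to the code change.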
@@ -18,10 +75,6 @@ Changes with Apache 2.4.26
      a possible crash if a signal is caught during (graceful) restart.
      PR 60487.  [Yann Ylavic]
 
-  *) core: Deprecate ap_get_basic_auth_pw() and add
-     ap_get_basic_auth_components().
-     [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
-
   *) mod_rewrite: When a substitution is a fully qualified URL, and the 
      scheme/host/port matches the current virtual host, stop interpreting the 
      path component as a local path just because the first component of the 
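Review bot: The removed core entry is the only place in this diff that names ap_get_basic_auth_components() as the replacement for ap_get_basic_auth_pw(). The CVE-2017-3167 text added earlier in this file warns third-party module authors about calling ap_get_basic_auth_pw() outside the authentication phase but no longer tells them what to call instead. Keep the deprecation and the replacement function name in the SECURITY entry.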
@@ -38,9 +91,6 @@ Changes with Apache 2.4.26
   *) core: EBCDIC fixes for interim responses with additional headers.
      [Eric Covener]
 
-  *) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
-     to ssl_io_filter_error(). [Yann Ylavic]
-
   *) mod_env: when processing a 'SetEnv' directive, warn if the environment
      variable name includes a '='. It is likely a configuration error.
      PR 60249 [Christophe Jaillet]
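Review bot: The mod_ssl line removed here carried the code-level detail (passing the expected bio_filter_in_ctx_t to ssl_io_filter_error()), whereas the CVE-2017-3169 entry added to this section describes only the NULL dereference symptom. If the SECURITY entry supersedes this one, mention ssl_io_filter_error() there so that module maintainers and packagers can identify the corresponding change.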
@@ -122,11 +172,6 @@ Changes with Apache 2.4.26
      variables just before invoking the FastCGI. [Eric Covener,
      Jacob Champion]
 
-  *) mod_proxy: Allow the per-request environment variable "no-proxy" to
-     be used as an alternative to ProxyPass /path !. This is primarily
-     to set exceptions for ProxyPass specified in <Location> context.
-    Use SetEnvIf, not SetEnv. [Eric Covener]
-
   *) mod_proxy_fcgi: Return to 2.4.20-and-earlier behavior of leaving
      a "proxy:fcgi://" prefix in the SCRIPT_FILENAME environment variable by
      default.  Add ProxyFCGIBackendType to allow the type of backend to be
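Review bot: The mod_proxy "no-proxy" entry is deleted from the 2.4.26 section, no other hunk in this commit re-adds it, and the log message ("Copy release tarballs for mirror pickup") does not mention the removal. If the feature was not part of 2.4.26, say so in the log; if it was, the changelog now omits a shipped behaviour change that affects which requests are exempted from ProxyPass.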

Modified: release/httpd/CHANGES_2.4.26
==============================================================================
--- release/httpd/CHANGES_2.4.26 (original)
+++ release/httpd/CHANGES_2.4.26 Sun Jul  9 18:10:21 2017
@@ -2,6 +2,30 @@
 
 Changes with Apache 2.4.26
 
+  *) SECURITY: CVE-2017-7679 (cve.mitre.org)
+     mod_mime can read one byte past the end of a buffer when sending a
+     malicious Content-Type response header.
+
+  *) SECURITY: CVE-2017-7668 (cve.mitre.org)
+     The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+     bug in token list parsing, which allows ap_find_token() to search past
+     the end of its input string. By maliciously crafting a sequence of
+     request headers, an attacker may be able to cause a segmentation fault,
+     or to force ap_find_token() to return an incorrect value.
+
+  *) SECURITY: CVE-2017-7659 (cve.mitre.org)
+     A maliciously constructed HTTP/2 request could cause mod_http2 to
+     dereference a NULL pointer and crash the server process.
+
+  *) SECURITY: CVE-2017-3169 (cve.mitre.org)
+     mod_ssl may dereference a NULL pointer when third-party modules call
+     ap_hook_process_connection() during an HTTP request to an HTTPS port.
+
+  *) SECURITY: CVE-2017-3167 (cve.mitre.org)
+     Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+     authentication phase may lead to authentication requirements being
+     bypassed.
+
   *) HTTP/2 support no longer tagged as "experimental" but is instead considered
      fully production ready.
 
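Review bot: The five SECURITY entries added here omit the bracketed credits that the same entries carry in CHANGES_2.4, and this file's diff consists of this one additions-only hunk, so the mod_mime, ap_get_basic_auth_pw(), mod_ssl and mod_proxy "no-proxy" entries removed from CHANGES_2.4 remain in CHANGES_2.4.26. The two files now describe 2.4.26 differently; apply the same edits to both, or generate one from the other.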

Added: release/httpd/CHANGES_2.4.27
==============================================================================
--- release/httpd/CHANGES_2.4.27 (added)
+++ release/httpd/CHANGES_2.4.27 Sun Jul  9 18:10:21 2017
@@ -0,0 +1,47 @@
+                                                         -*- coding: utf-8 -*-
+
+Changes with Apache 2.4.27
+
+  *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
+     global variable when using Lua 5.2 or later. This was exported as a
+     side effect from luaL_register, which is no longer supported as of
+     Lua 5.2 which deprecates pollution of the global namespace.
+     [Rainer Jung]
+
+  *) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
+     The server will continue to run, but HTTP/2 will no longer be negotiated.
+     [Stefan Eissing]
+
+  *) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
+     default ProxyFCGIBackendType, fixing a regression with PHP-FPM. PR 61202.
+     [Jacob Champion, Jim Jagielski]
+
+  *) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
+     PR58188, PR60831, PR61245. [Rainer Jung]
+  
+  *) mod_http2: Simplify ready queue, less memory and better performance. Update
+     mod_http2 version to 1.10.7. [Stefan Eissing]
+  
+  *) Allow single-char field names inadvertently disallowed in 2.4.25.
+     PR 61220. [Yann Ylavic]
+
+  *) htpasswd / htdigest: Do not apply the strict permissions of the temporary
+     passwd file to a possibly existing passwd file. PR 61240. [Ruediger Pluem]
+
+  *) core: Avoid duplicate HEAD in Allow header.
+     This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
+     PR 61207. [Christophe Jaillet]
+
+
+
+  [Apache 2.3.0-dev includes those bug fixes and changes with the
+   Apache 2.2.xx tree as documented, and except as noted, below.]
+
+Changes with Apache 2.2.x and later:
+
+  *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
+
+Changes with Apache 2.0.x and later:
+
+  *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
+
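Review bot: PR references are written two ways in this new file: "PR58188, PR60831, PR61245" in the mod_lua entry and "PR 61220", "PR 61240", "PR 61207" elsewhere; use the spaced form throughout so the numbers can be searched consistently. The "Allow single-char field names" entry is also the only one without a component prefix such as "core:", and the two "+  " separator lines after the mod_lua and mod_http2 entries contain trailing spaces.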

Added: release/httpd/httpd-2.4.27.tar.bz2
==============================================================================
Binary file - no diff available.

Propchange: release/httpd/httpd-2.4.27.tar.bz2
------------------------------------------------------------------------------
    svn:mime-type = application/x-bzip2

Added: release/httpd/httpd-2.4.27.tar.bz2.asc
==============================================================================
Binary file - no diff available.

Propchange: release/httpd/httpd-2.4.27.tar.bz2.asc
------------------------------------------------------------------------------
    svn:mime-type = application/pgp-signature

Added: release/httpd/httpd-2.4.27.tar.bz2.md5
==============================================================================
--- release/httpd/httpd-2.4.27.tar.bz2.md5 (added)
+++ release/httpd/httpd-2.4.27.tar.bz2.md5 Sun Jul  9 18:10:21 2017
@@ -0,0 +1 @@
+97b6bbfa83c866dbe20ef317e3afd108 *httpd-2.4.27.tar.bz2
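Review bot: An MD5 digest (and the SHA-1 digest in the next file) only detects accidental corruption; both algorithms have practical collision attacks, and a digest file fetched from the same mirror as the tarball can be replaced along with it. The .sha256 file and, above all, the .asc signature added in this commit are what downstream verification should rely on, so consider dropping .md5 and .sha1 from new releases or stating next to them that they are not an authenticity check. The same applies to the .tar.gz.md5 and .tar.gz.sha1 files below.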

Added: release/httpd/httpd-2.4.27.tar.bz2.sha1
==============================================================================
--- release/httpd/httpd-2.4.27.tar.bz2.sha1 (added)
+++ release/httpd/httpd-2.4.27.tar.bz2.sha1 Sun Jul  9 18:10:21 2017
@@ -0,0 +1 @@
+699e4e917e8fb5fd7d0ce7e009f8256ed02ec6fc *httpd-2.4.27.tar.bz2

Added: release/httpd/httpd-2.4.27.tar.bz2.sha256
==============================================================================
--- release/httpd/httpd-2.4.27.tar.bz2.sha256 (added)
+++ release/httpd/httpd-2.4.27.tar.bz2.sha256 Sun Jul  9 18:10:21 2017
@@ -0,0 +1 @@
+71fcc128238a690515bd8174d5330a5309161ef314a326ae45c7c15ed139c13a *httpd-2.4.27.tar.bz2

Added: release/httpd/httpd-2.4.27.tar.gz
==============================================================================
Binary file - no diff available.

Propchange: release/httpd/httpd-2.4.27.tar.gz
------------------------------------------------------------------------------
    svn:mime-type = application/x-gzip

Added: release/httpd/httpd-2.4.27.tar.gz.asc
==============================================================================
Binary file - no diff available.

Propchange: release/httpd/httpd-2.4.27.tar.gz.asc
------------------------------------------------------------------------------
    svn:mime-type = application/pgp-signature

Added: release/httpd/httpd-2.4.27.tar.gz.md5
==============================================================================
--- release/httpd/httpd-2.4.27.tar.gz.md5 (added)
+++ release/httpd/httpd-2.4.27.tar.gz.md5 Sun Jul  9 18:10:21 2017
@@ -0,0 +1 @@
+33c2543e6d337d6bbf50f18cfb318ce7 *httpd-2.4.27.tar.gz

Added: release/httpd/httpd-2.4.27.tar.gz.sha1
==============================================================================
--- release/httpd/httpd-2.4.27.tar.gz.sha1 (added)
+++ release/httpd/httpd-2.4.27.tar.gz.sha1 Sun Jul  9 18:10:21 2017
@@ -0,0 +1 @@
+c0f1b57a70db4843bb1c774b6cc04e169629403c *httpd-2.4.27.tar.gz

Added: release/httpd/httpd-2.4.27.tar.gz.sha256
==============================================================================
--- release/httpd/httpd-2.4.27.tar.gz.sha256 (added)
+++ release/httpd/httpd-2.4.27.tar.gz.sha256 Sun Jul  9 18:10:21 2017
@@ -0,0 +1 @@
+346dd3d016ae5d7101016e68805150bdce9040a8d246c289aa70e68a7cd86b66 *httpd-2.4.27.tar.gz


