httpd-cvs mailing list archives

From j..@apache.org
Subject svn commit: r21978 - /dev/httpd/
Date Mon, 25 Sep 2017 12:12:20 GMT
Author: jim
Date: Mon Sep 25 12:12:20 2017
New Revision: 21978

Log:
Commit test tarball distros for Apache httpd 2.4.28

Added:
    dev/httpd/CHANGES_2.4.28
    dev/httpd/httpd-2.4.28-deps.tar.bz2   (with props)
    dev/httpd/httpd-2.4.28-deps.tar.bz2.asc   (with props)
    dev/httpd/httpd-2.4.28-deps.tar.bz2.md5
    dev/httpd/httpd-2.4.28-deps.tar.bz2.sha1
    dev/httpd/httpd-2.4.28-deps.tar.bz2.sha256
    dev/httpd/httpd-2.4.28-deps.tar.gz   (with props)
    dev/httpd/httpd-2.4.28-deps.tar.gz.asc   (with props)
    dev/httpd/httpd-2.4.28-deps.tar.gz.md5
    dev/httpd/httpd-2.4.28-deps.tar.gz.sha1
    dev/httpd/httpd-2.4.28-deps.tar.gz.sha256
    dev/httpd/httpd-2.4.28.tar.bz2   (with props)
    dev/httpd/httpd-2.4.28.tar.bz2.asc   (with props)
    dev/httpd/httpd-2.4.28.tar.bz2.md5
    dev/httpd/httpd-2.4.28.tar.bz2.sha1
    dev/httpd/httpd-2.4.28.tar.bz2.sha256
    dev/httpd/httpd-2.4.28.tar.gz   (with props)
    dev/httpd/httpd-2.4.28.tar.gz.asc   (with props)
    dev/httpd/httpd-2.4.28.tar.gz.md5
    dev/httpd/httpd-2.4.28.tar.gz.sha1
    dev/httpd/httpd-2.4.28.tar.gz.sha256
Removed:
    dev/httpd/CHANGES_2.4.27
    dev/httpd/httpd-2.4.27-deps.tar.bz2
    dev/httpd/httpd-2.4.27-deps.tar.bz2.asc
    dev/httpd/httpd-2.4.27-deps.tar.bz2.md5
    dev/httpd/httpd-2.4.27-deps.tar.bz2.sha1
    dev/httpd/httpd-2.4.27-deps.tar.bz2.sha256
    dev/httpd/httpd-2.4.27-deps.tar.gz
    dev/httpd/httpd-2.4.27-deps.tar.gz.asc
    dev/httpd/httpd-2.4.27-deps.tar.gz.md5
    dev/httpd/httpd-2.4.27-deps.tar.gz.sha1
    dev/httpd/httpd-2.4.27-deps.tar.gz.sha256
    dev/httpd/httpd-2.4.27.tar.bz2
    dev/httpd/httpd-2.4.27.tar.bz2.asc
    dev/httpd/httpd-2.4.27.tar.bz2.md5
    dev/httpd/httpd-2.4.27.tar.bz2.sha1
    dev/httpd/httpd-2.4.27.tar.bz2.sha256
    dev/httpd/httpd-2.4.27.tar.gz
    dev/httpd/httpd-2.4.27.tar.gz.asc
    dev/httpd/httpd-2.4.27.tar.gz.md5
    dev/httpd/httpd-2.4.27.tar.gz.sha1
    dev/httpd/httpd-2.4.27.tar.gz.sha256
Modified:
    dev/httpd/Announcement2.4.html
    dev/httpd/Announcement2.4.txt
    dev/httpd/CHANGES_2.4

Modified: dev/httpd/Announcement2.4.html
==============================================================================
--- dev/httpd/Announcement2.4.html (original)
+++ dev/httpd/Announcement2.4.html Mon Sep 25 12:12:20 2017
@@ -49,7 +49,7 @@
 <div class="banner"></div>
 
 <h1>
-                       Apache HTTP Server 2.4.27 Released
+                       Apache HTTP Server 2.4.28 Released
 </h1>
 <p>
    XXXX XX, 2017
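Review bot: the release date under the <h1> is still the placeholder "XXXX XX, 2017" although the heading has been bumped to 2.4.28. That is acceptable for a test tarball under dev/, but it needs a real date before this file is published at the www.apache.org/dist/httpd/ URL it links to, otherwise the announcement goes out undated.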
@@ -57,7 +57,7 @@
 <p>
    The Apache Software Foundation and the Apache HTTP Server Project are
    pleased to <a href="https://www.apache.org/dist/httpd/Announcement2.4.html">announce</a>
-   the release of version 2.4.27 of the Apache
+   the release of version 2.4.28 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
@@ -69,7 +69,7 @@
    encourage users of all prior versions to upgrade.
 </p>
 <p>
-   Apache HTTP Server 2.4.27 is available for download from:
+   Apache HTTP Server 2.4.28 is available for download from:
 </p>
 <dl>
   <dd><a href="https://httpd.apache.org/download.cgi"
@@ -77,7 +77,7 @@
 </dl>
 <p>
    Please see the <a href="./CHANGES_2.4">CHANGES_2.4</a> file, linked from the
download page, for a
-   full list of changes.  A condensed list, <a href="./CHANGES_2.4.27">CHANGES_2.4.27</a>
includes only
+   full list of changes.  A condensed list, <a href="./CHANGES_2.4.28">CHANGES_2.4.28</a>
includes only
    those changes introduced since the prior 2.4 release.  A summary of all 
    of the security vulnerabilities addressed in this and earlier releases 
    is available:
@@ -88,13 +88,14 @@
   </dd>
 </dl>
 <p>
-   Of particular note in this release are 3 COMPATIBILITY items:
+   Of particular note in this release is 1 SECURITY item:
 </p>
 <ul>
-     <li>HTTP/2 will not be negotiated when using the Prefork MPM</li>
-     <li>FastCGI compatibility with PHP-FPM is fixed</li>
-     <li>mod_lua no longer exports the undocumented and unsupported
-       <code>apr_table</code> variable.</li>
+     <li>SECURITY: CVE-2017-9798 (cve.mitre.org).<br/>
+       Corrupted or freed memory access. &lt;Limit[Except]&gt; must now be used in
+       the main configuration file (httpd.conf) to register HTTP methods
+       before the .htaccess files.
+</li>
 </ul>
 <p>
    This release requires the Apache Portable Runtime (APR), minimum version
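Review bot: the new SECURITY list item does not say which part of the server is affected or what an administrator has to change. "<Limit[Except]> must now be used in the main configuration file (httpd.conf) to register HTTP methods before the .htaccess files" can be read as a requirement to move every Limit block into httpd.conf; suggest spelling out the required configuration change in one plain sentence. Two smaller points: "(cve.mitre.org)" is plain text even though this is the HTML version and could be a link to the CVE entry, and the closing </li> sits at column 0, unlike the rest of the list.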

Modified: dev/httpd/Announcement2.4.txt
==============================================================================
--- dev/httpd/Announcement2.4.txt (original)
+++ dev/httpd/Announcement2.4.txt Mon Sep 25 12:12:20 2017
@@ -1,9 +1,9 @@
-                Apache HTTP Server 2.4.27 Released
+                Apache HTTP Server 2.4.28 Released
 
    XXXX XX, 2017
 
    The Apache Software Foundation and the Apache HTTP Server Project
-   are pleased to announce the release of version 2.4.27 of the Apache
+   are pleased to announce the release of version 2.4.28 of the Apache
    HTTP Server ("Apache").  This version of Apache is our latest GA
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
@@ -13,7 +13,7 @@
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.
 
-   Apache HTTP Server 2.4.27 is available for download from:
+   Apache HTTP Server 2.4.28 is available for download from:
 
      http://httpd.apache.org/download.cgi
 
@@ -24,19 +24,19 @@
      http://httpd.apache.org/docs/trunk/new_features_2_4.html
 
    Please see the CHANGES_2.4 file, linked from the download page, for a
-   full list of changes. A condensed list, CHANGES_2.4.27 includes only
+   full list of changes. A condensed list, CHANGES_2.4.28 includes only
    those changes introduced since the prior 2.4 release.  A summary of all 
    of the security vulnerabilities addressed in this and earlier releases 
    is available:
 
      http://httpd.apache.org/security/vulnerabilities_24.html
 
-   Of particular note in this release are 3 COMPATIBILITY items:
+   Of particular note in this release is 1 SECURITY :
 
-     o HTTP/2 will not be negotiated when using the Prefork MPM
-     o FastCGI compatibility with PHP-FPM is fixed
-     o mod_lua no longer exports the undocumented and unsupported
-       'apr_table' variable.
+     o SECURITY: CVE-2017-9798 (cve.mitre.org).
+       Corrupted or freed memory access. <Limit[Except]> must now be used in
+       the main configuration file (httpd.conf) to register HTTP methods
+       before the .htaccess files.
 
    This release requires the Apache Portable Runtime (APR), minimum
    version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
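Review bot: "Of particular note in this release is 1 SECURITY :" drops the noun and leaves a stray space before the colon; the HTML announcement in this same commit reads "is 1 SECURITY item:", so suggest matching it. Separately, the context lines in this file still use http:// URLs (new_features_2_4.html, vulnerabilities_24.html) while the HTML version links the download page over https; worth aligning the text announcement on https.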

Modified: dev/httpd/CHANGES_2.4
==============================================================================
--- dev/httpd/CHANGES_2.4 (original)
+++ dev/httpd/CHANGES_2.4 Mon Sep 25 12:12:20 2017
@@ -1,7 +1,71 @@
                                                          -*- coding: utf-8 -*-
+Changes with Apache 2.4.28
+
+  *) SECURITY: CVE-2017-9798 (cve.mitre.org)
+     Corrupted or freed memory access. <Limit[Except]> must now be used in the
+     main configuration file (httpd.conf) to register HTTP methods before the
+     .htaccess files.  [Yann Ylavic]
+
+  *) event: Avoid possible blocking in the listener thread when shutting down
+     connections. PR 60956.  [Yann Ylavic]
+
+  *) mod_speling: Don't embed referer data in a link in error page.
+     PR 38923 [Nick Kew]
+
+  *) htdigest: prevent a buffer overflow when a string exceeds the allowed max
+     length in a password file.
+     [Luca Toscano, Hanno Böck <hanno hboeck de>]
+
+  *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
+     [Jim Jagielski]
+
+  *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
+     PR 61142.
+
+  *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified
+     down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
+     's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski]
+
+  *) mod_http2: Fix for stalling when more than 32KB are written to a
+     suspended stream.  [Stefan Eissing]
+
+  *) build: allow configuration without APR sources.  [Jacob Champion]
+
+  *) mod_ssl, ab: Fix compatibility with LibreSSL.  PR 61184.
+     [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
+      Yann Ylavic]
+
+  *) core/log: Support use of optional "tag" in syslog entries.
+     PR 60525. [Ben Rubson <ben.rubson gmail.com>, Jim Jagielski]
+
+  *) mod_proxy: Fix ProxyAddHeaders merging.  [Joe Orton]
+ 
+  *) core: Disallow multiple Listen on the same IP:port when listener buckets
+     are configured (ListenCoresBucketsRatio > 0), consistently with the single
+     bucket case (default), thus avoiding the leak of the corresponding socket
+     descriptors on graceful restart.  [Yann Ylavic]
+
+  *) event: Avoid listener periodic wake ups by using the pollset wake-ability
+     when available.  PR 57399.  [Yann Ylavic, Luca Toscano]
+
+  *) mod_proxy_wstunnel: Fix detection of unresponded request which could have
+     led to spurious HTTP 502 error messages sent on upgrade connections.
+     PR 61283.  [Yann Ylavic]
 
 Changes with Apache 2.4.27
 
+  *) SECURITY: CVE-2017-9789 (cve.mitre.org)
+     mod_http2: Read after free. When under stress, closing many connections,
+     the HTTP/2 handling code would sometimes access memory after it has been
+     freed, resulting in potentially erratic behaviour.
+     [Stefan Eissing]
+
+  *) SECURITY: CVE-2017-9788 (cve.mitre.org)
+     mod_auth_digest: Uninitialized memory reflection.  The value placeholder
+     in [Proxy-]Authorization headers type 'Digest' was not initialized or
+     reset before or between successive key=value assignments.
+     [William Rowe]
+
   *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
      global variable when using Lua 5.2 or later. This was exported as a
      side effect from luaL_register, which is no longer supported as of
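Review bot: the CVE-2017-9798 entry names no component, unlike the CVE-2017-9789 and CVE-2017-9788 entries added under 2.4.27 in this same hunk, which lead with "mod_http2:" and "mod_auth_digest:". Suggest prefixing it the same way so a reader scanning the file can tell what is affected. The htdigest entry describes a buffer overflow fix but carries no SECURITY tag; if that is deliberate, a short reason in the entry would help downstream packagers decide how to triage it.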

Added: dev/httpd/CHANGES_2.4.28
==============================================================================
--- dev/httpd/CHANGES_2.4.28 (added)
+++ dev/httpd/CHANGES_2.4.28 Mon Sep 25 12:12:20 2017
@@ -0,0 +1,66 @@
+                                                         -*- coding: utf-8 -*-
+Changes with Apache 2.4.28
+
+  *) SECURITY: CVE-2017-9798 (cve.mitre.org)
+     Corrupted or freed memory access. <Limit[Except]> must now be used in the
+     main configuration file (httpd.conf) to register HTTP methods before the
+     .htaccess files.  [Yann Ylavic]
+
+  *) event: Avoid possible blocking in the listener thread when shutting down
+     connections. PR 60956.  [Yann Ylavic]
+
+  *) mod_speling: Don't embed referer data in a link in error page.
+     PR 38923 [Nick Kew]
+
+  *) htdigest: prevent a buffer overflow when a string exceeds the allowed max
+     length in a password file.
+     [Luca Toscano, Hanno Böck <hanno hboeck de>]
+
+  *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
+     [Jim Jagielski]
+
+  *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
+     PR 61142.
+
+  *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified
+     down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
+     's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski]
+
+  *) mod_http2: Fix for stalling when more than 32KB are written to a
+     suspended stream.  [Stefan Eissing]
+
+  *) build: allow configuration without APR sources.  [Jacob Champion]
+
+  *) mod_ssl, ab: Fix compatibility with LibreSSL.  PR 61184.
+     [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
+      Yann Ylavic]
+
+  *) core/log: Support use of optional "tag" in syslog entries.
+     PR 60525. [Ben Rubson <ben.rubson gmail.com>, Jim Jagielski]
+
+  *) mod_proxy: Fix ProxyAddHeaders merging.  [Joe Orton]
+ 
+  *) core: Disallow multiple Listen on the same IP:port when listener buckets
+     are configured (ListenCoresBucketsRatio > 0), consistently with the single
+     bucket case (default), thus avoiding the leak of the corresponding socket
+     descriptors on graceful restart.  [Yann Ylavic]
+
+  *) event: Avoid listener periodic wake ups by using the pollset wake-ability
+     when available.  PR 57399.  [Yann Ylavic, Luca Toscano]
+
+  *) mod_proxy_wstunnel: Fix detection of unresponded request which could have
+     led to spurious HTTP 502 error messages sent on upgrade connections.
+     PR 61283.  [Yann Ylavic]
+
+
+  [Apache 2.3.0-dev includes those bug fixes and changes with the
+   Apache 2.2.xx tree as documented, and except as noted, below.]
+
+Changes with Apache 2.2.x and later:
+
+  *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
+
+Changes with Apache 2.0.x and later:
+
+  *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
+
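Review bot: "spefified" in the mod_watchdog/mod_proxy_hcheck entry should be "specified", and the mod_proxy_wstunnel "PR 61142" entry has no contributor in brackets while every other entry does. This new file repeats the 2.4.28 section of CHANGES_2.4 verbatim, so both need fixing in the two copies together. The closing "[Apache 2.3.0-dev includes those bug fixes ...]" paragraph also refers to changes documented "below", but in this condensed file only the two viewvc links follow it.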

Added: dev/httpd/httpd-2.4.28-deps.tar.bz2
==============================================================================
Binary file - no diff available.

Propchange: dev/httpd/httpd-2.4.28-deps.tar.bz2
------------------------------------------------------------------------------
    svn:mime-type = application/x-bzip2

Added: dev/httpd/httpd-2.4.28-deps.tar.bz2.asc
==============================================================================
Binary file - no diff available.

Propchange: dev/httpd/httpd-2.4.28-deps.tar.bz2.asc
------------------------------------------------------------------------------
    svn:mime-type = application/pgp-signature

Added: dev/httpd/httpd-2.4.28-deps.tar.bz2.md5
==============================================================================
--- dev/httpd/httpd-2.4.28-deps.tar.bz2.md5 (added)
+++ dev/httpd/httpd-2.4.28-deps.tar.bz2.md5 Mon Sep 25 12:12:20 2017
@@ -0,0 +1 @@
+10f342c9752afc1e3bd26cdbf3ed6daf *httpd-2.4.28-deps.tar.bz2
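Review bot: an .md5 file is added here for each tarball (and a .sha1 further down) next to the .sha256 and the .asc signature. MD5 and SHA-1 are no longer collision resistant, so these two digests are only good for spotting accidental corruption. Suggest that the announcement direct users to the .asc signature and the .sha256 for verification, or that the weaker digest files be dropped from the release set.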

Added: dev/httpd/httpd-2.4.28-deps.tar.bz2.sha1
==============================================================================
--- dev/httpd/httpd-2.4.28-deps.tar.bz2.sha1 (added)
+++ dev/httpd/httpd-2.4.28-deps.tar.bz2.sha1 Mon Sep 25 12:12:20 2017
@@ -0,0 +1 @@
+00a636bd5c1861f36f108ef1ec0898f7b4b925fc *httpd-2.4.28-deps.tar.bz2

Added: dev/httpd/httpd-2.4.28-deps.tar.bz2.sha256
==============================================================================
--- dev/httpd/httpd-2.4.28-deps.tar.bz2.sha256 (added)
+++ dev/httpd/httpd-2.4.28-deps.tar.bz2.sha256 Mon Sep 25 12:12:20 2017
@@ -0,0 +1 @@
+601c84e27ff3224cc741e92bc804e21b2752af579970901a2bbf14b6f1304369 *httpd-2.4.28-deps.tar.bz2

Added: dev/httpd/httpd-2.4.28-deps.tar.gz
==============================================================================
Binary file - no diff available.

Propchange: dev/httpd/httpd-2.4.28-deps.tar.gz
------------------------------------------------------------------------------
    svn:mime-type = application/x-gzip

Added: dev/httpd/httpd-2.4.28-deps.tar.gz.asc
==============================================================================
Binary file - no diff available.

Propchange: dev/httpd/httpd-2.4.28-deps.tar.gz.asc
------------------------------------------------------------------------------
    svn:mime-type = application/pgp-signature

Added: dev/httpd/httpd-2.4.28-deps.tar.gz.md5
==============================================================================
--- dev/httpd/httpd-2.4.28-deps.tar.gz.md5 (added)
+++ dev/httpd/httpd-2.4.28-deps.tar.gz.md5 Mon Sep 25 12:12:20 2017
@@ -0,0 +1 @@
+7398c86998f69b33de0c94df529e11c6 *httpd-2.4.28-deps.tar.gz

Added: dev/httpd/httpd-2.4.28-deps.tar.gz.sha1
==============================================================================
--- dev/httpd/httpd-2.4.28-deps.tar.gz.sha1 (added)
+++ dev/httpd/httpd-2.4.28-deps.tar.gz.sha1 Mon Sep 25 12:12:20 2017
@@ -0,0 +1 @@
+f625588340dffda99efe658df9b400b652cec39f *httpd-2.4.28-deps.tar.gz

Added: dev/httpd/httpd-2.4.28-deps.tar.gz.sha256
==============================================================================
--- dev/httpd/httpd-2.4.28-deps.tar.gz.sha256 (added)
+++ dev/httpd/httpd-2.4.28-deps.tar.gz.sha256 Mon Sep 25 12:12:20 2017
@@ -0,0 +1 @@
+00f27c44550fe7b518ed735bc6c74f4b6027b86e0b3fa87487f162676ff44ea1 *httpd-2.4.28-deps.tar.gz

Added: dev/httpd/httpd-2.4.28.tar.bz2
==============================================================================
Binary file - no diff available.

Propchange: dev/httpd/httpd-2.4.28.tar.bz2
------------------------------------------------------------------------------
    svn:mime-type = application/x-bzip2

Added: dev/httpd/httpd-2.4.28.tar.bz2.asc
==============================================================================
Binary file - no diff available.

Propchange: dev/httpd/httpd-2.4.28.tar.bz2.asc
------------------------------------------------------------------------------
    svn:mime-type = application/pgp-signature

Added: dev/httpd/httpd-2.4.28.tar.bz2.md5
==============================================================================
--- dev/httpd/httpd-2.4.28.tar.bz2.md5 (added)
+++ dev/httpd/httpd-2.4.28.tar.bz2.md5 Mon Sep 25 12:12:20 2017
@@ -0,0 +1 @@
+49007ffe8e37a0834255b279810edf24 *httpd-2.4.28.tar.bz2

Added: dev/httpd/httpd-2.4.28.tar.bz2.sha1
==============================================================================
--- dev/httpd/httpd-2.4.28.tar.bz2.sha1 (added)
+++ dev/httpd/httpd-2.4.28.tar.bz2.sha1 Mon Sep 25 12:12:20 2017
@@ -0,0 +1 @@
+0b37522b808dcee72e1d56d656b0def530b820a2 *httpd-2.4.28.tar.bz2

Added: dev/httpd/httpd-2.4.28.tar.bz2.sha256
==============================================================================
--- dev/httpd/httpd-2.4.28.tar.bz2.sha256 (added)
+++ dev/httpd/httpd-2.4.28.tar.bz2.sha256 Mon Sep 25 12:12:20 2017
@@ -0,0 +1 @@
+c1197a3a62a4ab5c584ab89b249af38cf28b4adee9c0106b62999fd29f920666 *httpd-2.4.28.tar.bz2

Added: dev/httpd/httpd-2.4.28.tar.gz
==============================================================================
Binary file - no diff available.

Propchange: dev/httpd/httpd-2.4.28.tar.gz
------------------------------------------------------------------------------
    svn:mime-type = application/x-gzip

Added: dev/httpd/httpd-2.4.28.tar.gz.asc
==============================================================================
Binary file - no diff available.

Propchange: dev/httpd/httpd-2.4.28.tar.gz.asc
------------------------------------------------------------------------------
    svn:mime-type = application/pgp-signature

Added: dev/httpd/httpd-2.4.28.tar.gz.md5
==============================================================================
--- dev/httpd/httpd-2.4.28.tar.gz.md5 (added)
+++ dev/httpd/httpd-2.4.28.tar.gz.md5 Mon Sep 25 12:12:20 2017
@@ -0,0 +1 @@
+dcfd6812c8d60f518b27af18f8785d55 *httpd-2.4.28.tar.gz

Added: dev/httpd/httpd-2.4.28.tar.gz.sha1
==============================================================================
--- dev/httpd/httpd-2.4.28.tar.gz.sha1 (added)
+++ dev/httpd/httpd-2.4.28.tar.gz.sha1 Mon Sep 25 12:12:20 2017
@@ -0,0 +1 @@
+f879973e9e223d1fc67325e10aaec1b4de199075 *httpd-2.4.28.tar.gz

Added: dev/httpd/httpd-2.4.28.tar.gz.sha256
==============================================================================
--- dev/httpd/httpd-2.4.28.tar.gz.sha256 (added)
+++ dev/httpd/httpd-2.4.28.tar.gz.sha256 Mon Sep 25 12:12:20 2017
@@ -0,0 +1 @@
+8fefbf4f5aa87534a2b924f9a72f572f68c3c60a3a2cfd039bb67e8ccd79386d *httpd-2.4.28.tar.gz


