httpd-dev mailing list archives

From "Cameron Young" <camer...@tpg.com.au>
Subject RE: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)
Date Thu, 30 Aug 2007 14:19:33 GMT
Thanks Jim.
Allows me to do the correct maths.
I'm in Australia (East Coast).
Cheers,
Cameron 

-----Original Message-----
From: Jim Jagielski [mailto:jim@jaguNET.com] 
Sent: Friday, 31 August 2007 00:13
To: dev@httpd.apache.org
Subject: Re: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)

Well... I'm east coast :)

On Aug 30, 2007, at 9:48 AM, Cameron J. Young ((Personal)) wrote:

> Jim,
> Is that EST or PST ??
> Cheers,
> Cameron
>
> -----Original Message-----
> From: Jim Jagielski [mailto:jim@jaguNET.com]
> Sent: Thursday, 30 August 2007 23:02
> To: dev@httpd.apache.org
> Subject: Re: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)
>
> Yes, the CHANGES file will be updated to reflect any
> and all security issues for that release...
>
> On Aug 30, 2007, at 8:38 AM, Joe Orton wrote:
>
>> On Thu, Aug 30, 2007 at 08:31:21AM -0400, Jim Jagielski wrote:
>>> Since a few regressions and other issues popped up the
>>> last go around, I cancelled release of 1.3.38, 2.0.60 and
>>> 2.2.5... I think we are close, *very* close to being at
>>> the point to try this all again.
>>
>> Can we move the SECURITY stuff back up to the top and remove the 2.2.5
>> heading - it would just be confusing to users since 2.2.5 doesn't really
>> exist? i.e. below, which adds the CVE name for the autoindex issue too.
>>
>> Index: CHANGES
>> ===================================================================
>> --- CHANGES	(revision 571136)
>> +++ CHANGES	(working copy)
>> @@ -1,11 +1,37 @@
>>                                                          -*-
>> coding: utf-8 -*-
>>  Changes with Apache 2.2.6
>>
>> -  *) mod_autoindex: Add in Type and Charset options to IndexOptions
>> +  *) SECURITY: CVE-2007-4465 (cve.mitre.org)
>> +     mod_autoindex: Add in Type and Charset options to IndexOptions
>>       directive. This allows the admin to explicitly set the
>>       content-type and charset of the generated page.
>>       [Jim Jagielski]
>>
>> +  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
>> +     mod_proxy: Prevent reading past the end of a buffer when  
>> parsing
>> +     date-related headers.  PR 41144.
>> +     [Davi Arnaut, Nick Kew]
>> +
>> +  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
>> +     mod_cache: Prevent a segmentation fault if attributes are
>> listed in a
>> +     Cache-Control header without any value.
>> +     [Niklas Edmundsson <nikke acc.umu.se>]
>> +
>> +  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
>> +     prefork, worker, event MPMs: Ensure that the parent process
>> cannot
>> +     be forced to kill processes outside its process group.
>> +     [Joe Orton, Jim Jagielski]
>> +
>> +  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
>> +     mod_status: Fix a possible XSS attack against a site with a
>> public
>> +     server-status page and ExtendedStatus enabled, for browsers
>> which
>> +     perform charset "detection".  Reported by Stefan Esser.  [Joe
>> Orton]
>> +
>> +  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
>> +     mod_mem_cache: Copy headers into longer lived storage; header
>> names and
>> +     values could previously point to cleaned up storage.  PR 41551.
>> +     [Davi Arnaut <davi haxent.com.br>]
>> +
>>    *) log core: ensure we use a special pool for stderr logging, so
>> that
>>       the stderr channel remains valid from the time plog is
>> destroyed,
>>       until the time the open_logs hook is called again.  [William
>> Rowe]
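Review bot: The mod_autoindex entry at the top of the 2.2.6 section now carries SECURITY: CVE-2007-4465, but its text still only describes a new feature ("Add in Type and Charset options to IndexOptions directive") and never says what problem is being addressed. The other SECURITY entries in this hunk each state the fault, for example "Prevent reading past the end of a buffer" or "Fix a possible XSS attack". Suggest adding a sentence that names the issue and says whether admins have to set the new options to be protected, since "allows the admin to explicitly set" reads as opt-in rather than as a fix applied by default.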
>> @@ -70,33 +96,6 @@
>>       improper merging of the cache lock in vhost config
>>       PR 43164 [Eric Covener]
>>
>> -Changes with Apache 2.2.5
>> -
>> -  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
>> -     mod_proxy: Prevent reading past the end of a buffer when  
>> parsing
>> -     date-related headers.  PR 41144.
>> -     [Davi Arnaut, Nick Kew]
>> -
>> -  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
>> -     mod_cache: Prevent a segmentation fault if attributes are
>> listed in a
>> -     Cache-Control header without any value.
>> -     [Niklas Edmundsson <nikke acc.umu.se>]
>> -
>> -  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
>> -     prefork, worker, event MPMs: Ensure that the parent process
>> cannot
>> -     be forced to kill processes outside its process group.
>> -     [Joe Orton, Jim Jagielski]
>> -
>> -  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
>> -     mod_status: Fix a possible XSS attack against a site with a
>> public
>> -     server-status page and ExtendedStatus enabled, for browsers
>> which
>> -     perform charset "detection".  Reported by Stefan Esser.  [Joe
>> Orton]
>> -
>> -  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
>> -     mod_mem_cache: Copy headers into longer lived storage; header
>> names and
>> -     values could previously point to cleaned up storage.  PR 41551.
>> -     [Davi Arnaut <davi haxent.com.br>]
>> -
>>    *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]
>>
>>    *) mod_deflate: fix protocol handling in deflate input filter
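Review bot: Dropping the "Changes with Apache 2.2.5" heading leaves CHANGES with no trace of that version number, so a reader comparing against an earlier revision of the file has nothing that explains the jump. Consider a single line under the 2.2.6 heading saying that 2.2.5 was not released. The five SECURITY entries removed here (CVE-2007-3847, CVE-2007-1863, CVE-2007-3304, CVE-2006-5752, CVE-2007-1862) match the five added in the first hunk, so nothing is lost in the move itself.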
>>
>
>


