httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <jor...@redhat.com>
Subject Re: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)
Date Thu, 30 Aug 2007 12:38:48 GMT
On Thu, Aug 30, 2007 at 08:31:21AM -0400, Jim Jagielski wrote:
> Since a few regressions and other issues popped up the
> last go around, I cancelled release of 1.3.38, 2.0.60 and
> 2.2.5... I think we are close, *very* close to being at
> the point to try this all again.

Can we move the SECURITY stuff back up to the top and remove the 2.2.5 
heading - it would just be confusing to users since 2.2.5 doen't really 
exist? i.e. below, which adds the CVE name for the autoindex issue too.

Index: CHANGES
===================================================================
--- CHANGES	(revision 571136)
+++ CHANGES	(working copy)
@@ -1,11 +1,37 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.2.6
 
-  *) mod_autoindex: Add in Type and Charset options to IndexOptions
+  *) SECURITY: CVE-2007-4465 (cve.mitre.org)
+     mod_autoindex: Add in Type and Charset options to IndexOptions
      directive. This allows the admin to explicitly set the 
      content-type and charset of the generated page.
      [Jim Jagielski]
 
+  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
+     mod_proxy: Prevent reading past the end of a buffer when parsing
+     date-related headers.  PR 41144.
+     [Davi Arnaut, Nick Kew]
+
+  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
+     mod_cache: Prevent a segmentation fault if attributes are listed in a 
+     Cache-Control header without any value. 
+     [Niklas Edmundsson <nikke acc.umu.se>]
+
+  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
+     prefork, worker, event MPMs: Ensure that the parent process cannot
+     be forced to kill processes outside its process group. 
+     [Joe Orton, Jim Jagielski]
+
+  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
+     mod_status: Fix a possible XSS attack against a site with a public
+     server-status page and ExtendedStatus enabled, for browsers which
+     perform charset "detection".  Reported by Stefan Esser.  [Joe Orton]
+
+  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
+     mod_mem_cache: Copy headers into longer lived storage; header names and
+     values could previously point to cleaned up storage.  PR 41551.
+     [Davi Arnaut <davi haxent.com.br>]
+
   *) log core: ensure we use a special pool for stderr logging, so that
      the stderr channel remains valid from the time plog is destroyed,
      until the time the open_logs hook is called again.  [William Rowe]
@@ -70,33 +96,6 @@
      improper merging of the cache lock in vhost config
      PR 43164 [Eric Covener]
 
-Changes with Apache 2.2.5
-
-  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
-     mod_proxy: Prevent reading past the end of a buffer when parsing
-     date-related headers.  PR 41144.
-     [Davi Arnaut, Nick Kew]
-
-  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
-     mod_cache: Prevent a segmentation fault if attributes are listed in a 
-     Cache-Control header without any value. 
-     [Niklas Edmundsson <nikke acc.umu.se>]
-
-  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
-     prefork, worker, event MPMs: Ensure that the parent process cannot
-     be forced to kill processes outside its process group. 
-     [Joe Orton, Jim Jagielski]
-
-  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
-     mod_status: Fix a possible XSS attack against a site with a public
-     server-status page and ExtendedStatus enabled, for browsers which
-     perform charset "detection".  Reported by Stefan Esser.  [Joe Orton]
-
-  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
-     mod_mem_cache: Copy headers into longer lived storage; header names and
-     values could previously point to cleaned up storage.  PR 41551.
-     [Davi Arnaut <davi haxent.com.br>]
-
   *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]
 
   *) mod_deflate: fix protocol handling in deflate input filter


Mime
View raw message