httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)
Date Thu, 30 Aug 2007 13:02:03 GMT
Yes, the CHANGES file will be updated to reflect any
and all security issues for that release...

On Aug 30, 2007, at 8:38 AM, Joe Orton wrote:

> On Thu, Aug 30, 2007 at 08:31:21AM -0400, Jim Jagielski wrote:
>> Since a few regressions and other issues popped up the
>> last go around, I cancelled release of 1.3.38, 2.0.60 and
>> 2.2.5... I think we are close, *very* close to being at
>> the point to try this all again.
>
> Can we move the SECURITY stuff back up to the top and remove the 2.2.5
> heading - it would just be confusing to users since 2.2.5 doesn't really
> exist? i.e. below, which adds the CVE name for the autoindex issue too.
>
> Index: CHANGES
> ===================================================================
> --- CHANGES	(revision 571136)
> +++ CHANGES	(working copy)
> @@ -1,11 +1,37 @@
>                                                          -*-  
> coding: utf-8 -*-
>  Changes with Apache 2.2.6
>
> -  *) mod_autoindex: Add in Type and Charset options to IndexOptions
> +  *) SECURITY: CVE-2007-4465 (cve.mitre.org)
> +     mod_autoindex: Add in Type and Charset options to IndexOptions
>       directive. This allows the admin to explicitly set the
>       content-type and charset of the generated page.
>       [Jim Jagielski]
>
> +  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
> +     mod_proxy: Prevent reading past the end of a buffer when parsing
> +     date-related headers.  PR 41144.
> +     [Davi Arnaut, Nick Kew]
> +
> +  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
> +     mod_cache: Prevent a segmentation fault if attributes are  
> listed in a
> +     Cache-Control header without any value.
> +     [Niklas Edmundsson <nikke acc.umu.se>]
> +
> +  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
> +     prefork, worker, event MPMs: Ensure that the parent process  
> cannot
> +     be forced to kill processes outside its process group.
> +     [Joe Orton, Jim Jagielski]
> +
> +  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
> +     mod_status: Fix a possible XSS attack against a site with a  
> public
> +     server-status page and ExtendedStatus enabled, for browsers  
> which
> +     perform charset "detection".  Reported by Stefan Esser.  [Joe  
> Orton]
> +
> +  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
> +     mod_mem_cache: Copy headers into longer lived storage; header  
> names and
> +     values could previously point to cleaned up storage.  PR 41551.
> +     [Davi Arnaut <davi haxent.com.br>]
> +
>    *) log core: ensure we use a special pool for stderr logging, so  
> that
>       the stderr channel remains valid from the time plog is  
> destroyed,
>       until the time the open_logs hook is called again.  [William  
> Rowe]
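Review bot: the new `SECURITY: CVE-2007-4465 (cve.mitre.org)` label on the mod_autoindex entry sits above text that still reads as a feature description ("Add in Type and Charset options to IndexOptions directive. This allows the admin to explicitly set the content-type and charset of the generated page."), so unlike the five entries that follow it, it never states what problem the change fixes. Since the whole point of moving these entries to the top is that users scan the head of CHANGES for security fixes, add a first line in the same form as the mod_proxy and mod_cache entries ("Prevent ..." / "Fix ...") saying what the CVE covers, and keep the option description as the second sentence. The rest of this hunk is the verbatim relocation of the five 2.2.5 SECURITY entries, so the `-*- coding: utf-8 -*-` marker stays on line 1 and the `Changes with Apache 2.2.6` heading now directly precedes the security fixes, which is the ordering requested.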
> @@ -70,33 +96,6 @@
>       improper merging of the cache lock in vhost config
>       PR 43164 [Eric Covener]
>
> -Changes with Apache 2.2.5
> -
> -  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
> -     mod_proxy: Prevent reading past the end of a buffer when parsing
> -     date-related headers.  PR 41144.
> -     [Davi Arnaut, Nick Kew]
> -
> -  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
> -     mod_cache: Prevent a segmentation fault if attributes are  
> listed in a
> -     Cache-Control header without any value.
> -     [Niklas Edmundsson <nikke acc.umu.se>]
> -
> -  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
> -     prefork, worker, event MPMs: Ensure that the parent process  
> cannot
> -     be forced to kill processes outside its process group.
> -     [Joe Orton, Jim Jagielski]
> -
> -  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
> -     mod_status: Fix a possible XSS attack against a site with a  
> public
> -     server-status page and ExtendedStatus enabled, for browsers  
> which
> -     perform charset "detection".  Reported by Stefan Esser.  [Joe  
> Orton]
> -
> -  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
> -     mod_mem_cache: Copy headers into longer lived storage; header  
> names and
> -     values could previously point to cleaned up storage.  PR 41551.
> -     [Davi Arnaut <davi haxent.com.br>]
> -
>    *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]
>
>    *) mod_deflate: fix protocol handling in deflate input filter
>
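Review bot: dropping the `Changes with Apache 2.2.5` heading here silently folds every entry that followed it (`ApacheMonitor: Fix Windows Vista detection`, `mod_deflate: fix protocol handling in deflate input filter`, and whatever comes after the context shown) into the 2.2.6 section. That is the intent, since 2.2.5 was never released, but it removes the only marker of where the cancelled 2.2.5 material starts; a sentence in the commit message noting that the unreleased 2.2.5 section was merged into 2.2.6 would preserve that history. The 27 removed lines match byte-for-byte the five SECURITY entries added at the top in the first hunk (same CVE ids, PR numbers and attributions), so this is a pure move with no wording to re-check, and the hunk header (`-70,33 +96,6`) is consistent with 27 removals and no additions.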

