Well... I'm east coast :)
On Aug 30, 2007, at 9:48 AM, Cameron J. Young ((Personal)) wrote:
> Jim,
> Is that EST or PST ??
> Cheers,
> Cameron
>
> -----Original Message-----
> From: Jim Jagielski [mailto:jim@jaguNET.com]
> Sent: Thursday, 30 August 2007 23:02
> To: dev@httpd.apache.org
> Subject: Re: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)
>
> Yes, the CHANGES file will be updated to reflect any
> and all security issues for that release...
>
> On Aug 30, 2007, at 8:38 AM, Joe Orton wrote:
>
>> On Thu, Aug 30, 2007 at 08:31:21AM -0400, Jim Jagielski wrote:
>>> Since a few regressions and other issues popped up the
>>> last go around, I cancelled release of 1.3.38, 2.0.60 and
>>> 2.2.5... I think we are close, *very* close to being at
>>> the point to try this all again.
>>
>> Can we move the SECURITY stuff back up to the top and remove the 2.2.5
>> heading - it would just be confusing to users since 2.2.5 doesn't really
>> exist? i.e. below, which adds the CVE name for the autoindex issue too.
>>
>> Index: CHANGES
>> ===================================================================
>> --- CHANGES (revision 571136)
>> +++ CHANGES (working copy)
>> @@ -1,11 +1,37 @@
>> -*-
>> coding: utf-8 -*-
>> Changes with Apache 2.2.6
>>
>> - *) mod_autoindex: Add in Type and Charset options to IndexOptions
>> + *) SECURITY: CVE-2007-4465 (cve.mitre.org)
>> + mod_autoindex: Add in Type and Charset options to IndexOptions
>> directive. This allows the admin to explicitly set the
>> content-type and charset of the generated page.
>> [Jim Jagielski]
>>
>> + *) SECURITY: CVE-2007-3847 (cve.mitre.org)
>> + mod_proxy: Prevent reading past the end of a buffer when
>> parsing
>> + date-related headers. PR 41144.
>> + [Davi Arnaut, Nick Kew]
>> +
>> + *) SECURITY: CVE-2007-1863 (cve.mitre.org)
>> + mod_cache: Prevent a segmentation fault if attributes are
>> listed in a
>> + Cache-Control header without any value.
>> + [Niklas Edmundsson <nikke acc.umu.se>]
>> +
>> + *) SECURITY: CVE-2007-3304 (cve.mitre.org)
>> + prefork, worker, event MPMs: Ensure that the parent process
>> cannot
>> + be forced to kill processes outside its process group.
>> + [Joe Orton, Jim Jagielski]
>> +
>> + *) SECURITY: CVE-2006-5752 (cve.mitre.org)
>> + mod_status: Fix a possible XSS attack against a site with a
>> public
>> + server-status page and ExtendedStatus enabled, for browsers
>> which
>> + perform charset "detection". Reported by Stefan Esser. [Joe
>> Orton]
>> +
>> + *) SECURITY: CVE-2007-1862 (cve.mitre.org)
>> + mod_mem_cache: Copy headers into longer lived storage; header
>> names and
>> + values could previously point to cleaned up storage. PR 41551.
>> + [Davi Arnaut <davi haxent.com.br>]
>> +
>> *) log core: ensure we use a special pool for stderr logging, so
>> that
>> the stderr channel remains valid from the time plog is
>> destroyed,
>> until the time the open_logs hook is called again. [William
>> Rowe]
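Review bot: the new SECURITY tag on the mod_autoindex entry (the two `+` lines at the top of this hunk) is not accompanied by any description of the issue; the text under it still reads as a feature note ("Add in Type and Charset options to IndexOptions directive. This allows the admin to explicitly set the content-type and charset of the generated page.") and never says what CVE-2007-4465 actually covers or why the admin would need to pin the charset. Every other SECURITY entry added in this hunk states the problem being fixed ("Prevent reading past the end of a buffer", "Prevent a segmentation fault", "Fix a possible XSS attack ... for browsers which perform charset detection"), so this one should get a sentence describing the bug in front of the option description, otherwise a reader of CHANGES cannot tell whether the entry is a fix or a new option that merely happens to carry a CVE name.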
>> @@ -70,33 +96,6 @@
>> improper merging of the cache lock in vhost config
>> PR 43164 [Eric Covener]
>>
>> -Changes with Apache 2.2.5
>> -
>> - *) SECURITY: CVE-2007-3847 (cve.mitre.org)
>> - mod_proxy: Prevent reading past the end of a buffer when
>> parsing
>> - date-related headers. PR 41144.
>> - [Davi Arnaut, Nick Kew]
>> -
>> - *) SECURITY: CVE-2007-1863 (cve.mitre.org)
>> - mod_cache: Prevent a segmentation fault if attributes are
>> listed in a
>> - Cache-Control header without any value.
>> - [Niklas Edmundsson <nikke acc.umu.se>]
>> -
>> - *) SECURITY: CVE-2007-3304 (cve.mitre.org)
>> - prefork, worker, event MPMs: Ensure that the parent process
>> cannot
>> - be forced to kill processes outside its process group.
>> - [Joe Orton, Jim Jagielski]
>> -
>> - *) SECURITY: CVE-2006-5752 (cve.mitre.org)
>> - mod_status: Fix a possible XSS attack against a site with a
>> public
>> - server-status page and ExtendedStatus enabled, for browsers
>> which
>> - perform charset "detection". Reported by Stefan Esser. [Joe
>> Orton]
>> -
>> - *) SECURITY: CVE-2007-1862 (cve.mitre.org)
>> - mod_mem_cache: Copy headers into longer lived storage; header
>> names and
>> - values could previously point to cleaned up storage. PR 41551.
>> - [Davi Arnaut <davi haxent.com.br>]
>> -
>> *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]
>>
>> *) mod_deflate: fix protocol handling in deflate input filter
>>
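Review bot: the `-` block here is a pure relocation, the "Changes with Apache 2.2.5" heading goes away and the five SECURITY entries removed are word-for-word the ones the first hunk inserts under 2.2.6, and the blank context line kept before `*) ApacheMonitor` means entry spacing survives the deletion, so the file layout is consistent after both hunks. The one thing to watch is that the mail client has wrapped long lines in this copy (fragments such as `listed in a`, `public`, `Orton]` sit on their own lines, and the `-*- coding: utf-8 -*-` modeline in the first hunk is split in two), so the patch as quoted will not apply with patch(1); apply it from the original working copy rather than from the mail, and confirm afterwards that the moved block is byte-identical to the removed one so the final diff shows nothing but the move.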
>
>