httpd-dev mailing list archives

From Paul Querna <>
Subject Re: [ANNOUNCEMENT] Apache HTTP Server 2.2.10 Released
Date Thu, 30 Oct 2008 21:16:26 GMT

It might be too late to do anything, but it doesn't seem that this 
announcement email went to announce@httpd or to

Did they get stuck in moderation?



Jim Jagielski wrote:
>                        Apache HTTP Server 2.2.10 Released
>    The Apache Software Foundation and the Apache HTTP Server Project are
>    pleased to announce the release of version 2.2.10 of the Apache HTTP
>    Server ("Apache").  This version of Apache is principally a bug and
>    security fix release. The following potential security flaws are
>    addressed:
>      * CVE-2008-2939 (
>        mod_proxy_ftp: Prevent XSS attacks when using wildcards in the
>        path of the FTP URL. Discovered by Marc Bevand of Rapid7.
>    We consider this release to be the best version of Apache available, and
>    encourage users of all prior versions to upgrade.
>    Apache HTTP Server 2.2.10 is available for download from:
>    Apache 2.2 offers numerous enhancements, improvements, and performance
>    boosts over the 2.0 codebase.  For an overview of new features
>    introduced since 2.0 please see:
>    Please see the CHANGES_2.2 file, linked from the download page, for a
>    full list of changes.  A condensed list, CHANGES_2.2.10 provides the
>    complete list of changes since 2.2.9. A summary of security
>    vulnerabilities which were addressed in the previous 2.2.9 and earlier
>    releases is available:
>    Apache HTTP Server 1.3.41 and 2.0.63 legacy releases are also currently
>    available.  See the appropriate CHANGES from the url above.  See the
>    corresponding CHANGES files linked from the download page.  The Apache
>    HTTP Project developers strongly encourage all users to migrate to
>    Apache 2.2, as only limited maintenance is performed on these legacy
>    versions.
>    This release includes the Apache Portable Runtime (APR) version 1.3.0
>    bundled with the tar and zip distributions.  The APR libraries libapr
>    and libaprutil (and on Win32, libapriconv) must all be updated to ensure
>    binary compatibility and address many known platform bugs.
>    This release builds on and extends the Apache 2.0 API.  Modules written
>    for Apache 2.0 will need to be recompiled in order to run with Apache
>    2.2, and require minimal or no source code changes.
>    When upgrading or installing this version of Apache, please bear in mind
>    that if you intend to use Apache with one of the threaded MPMs (other
>    than the Prefork MPM), you must ensure that any modules you will be
>    using (and the libraries they depend on) are thread-safe.
