Jim,
It might be too late to do anything, but it doesn't seem that this
announcement email went to announce@httpd or to announce@apache.org?
Did they get stuck in moderation?
Thanks,
Paul
Jim Jagielski wrote:
> Apache HTTP Server 2.2.10 Released
>
> The Apache Software Foundation and the Apache HTTP Server Project are
> pleased to announce the release of version 2.2.10 of the Apache HTTP
> Server ("Apache"). This version of Apache is principally a bug and
> security fix release. The following potential security flaws are
> addressed:
>
> * CVE-2008-2939 (cve.mitre.org)
> mod_proxy_ftp: Prevent XSS attacks when using wildcards in the
> path of the FTP URL. Discovered by Marc Bevand of Rapid7.
>
> We consider this release to be the best version of Apache available, and
> encourage users of all prior versions to upgrade.
>
> Apache HTTP Server 2.2.10 is available for download from:
>
> http://httpd.apache.org/download.cgi
>
> Apache 2.2 offers numerous enhancements, improvements, and performance
> boosts over the 2.0 codebase. For an overview of new features
> introduced since 2.0 please see:
>
> http://httpd.apache.org/docs/2.2/new_features_2_2.html
>
> Please see the CHANGES_2.2 file, linked from the download page, for a
> full list of changes. A condensed list, CHANGES_2.2.10 provides the
> complete list of changes since 2.2.9. A summary of security
> vulnerabilities which were addressed in the previous 2.2.9 and earlier
> releases is available:
>
> http://httpd.apache.org/security/vulnerabilities_22.html
>
> Apache HTTP Server 1.3.41 and 2.0.63 legacy releases are also currently
> available. See the appropriate CHANGES from the url above. See the
> corresponding CHANGES files linked from the download page. The Apache
> HTTP Project developers strongly encourage all users to migrate to
> Apache 2.2, as only limited maintenance is performed on these legacy
> versions.
>
> This release includes the Apache Portable Runtime (APR) version 1.3.0
> bundled with the tar and zip distributions. The APR libraries libapr
> and libaprutil (and on Win32, libapriconv) must all be updated to ensure
> binary compatibility and address many known platform bugs.
>
> This release builds on and extends the Apache 2.0 API. Modules written
> for Apache 2.0 will need to be recompiled in order to run with Apache
> 2.2, and require minimal or no source code changes.
>
> http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
>
> When upgrading or installing this version of Apache, please bear in mind
> that if you intend to use Apache with one of the threaded MPMs (other
> than the Prefork MPM), you must ensure that any modules you will be
> using (and the libraries they depend on) are thread-safe.
>