httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jaillet...@apache.org
Subject svn commit: r48071 - in /release/httpd: Announcement2.4.html Announcement2.4.txt CHANGES_2.4 CHANGES_2.4.48 CURRENT-IS-2.4.46 CURRENT-IS-2.4.48
Date Tue, 01 Jun 2021 20:04:26 GMT
Author: jailletc36
Date: Tue Jun  1 20:04:26 2021
New Revision: 48071

Log:
Updates for announcement of 

Added:
    release/httpd/CURRENT-IS-2.4.48
Removed:
    release/httpd/CURRENT-IS-2.4.46
Modified:
    release/httpd/Announcement2.4.html
    release/httpd/Announcement2.4.txt
    release/httpd/CHANGES_2.4
    release/httpd/CHANGES_2.4.48

Modified: release/httpd/Announcement2.4.html
==============================================================================
--- release/httpd/Announcement2.4.html (original)
+++ release/httpd/Announcement2.4.html Tue Jun  1 20:04:26 2021
@@ -52,7 +52,7 @@
                        Apache HTTP Server 2.4.48 Released
 </h1>
 <p>
-   September 21, 2018
+   June 01, 2021
 </p>
 <p>
    The Apache Software Foundation and the Apache HTTP Server Project are
@@ -62,7 +62,7 @@
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   a feature and bug fix release.
+   a security, feature and bug fix release.
 </p>
 <p>
    We consider this release to be the best version of Apache available, and

Modified: release/httpd/Announcement2.4.txt
==============================================================================
--- release/httpd/Announcement2.4.txt (original)
+++ release/httpd/Announcement2.4.txt Tue Jun  1 20:04:26 2021
@@ -1,6 +1,6 @@
                 Apache HTTP Server 2.4.48 Released
 
-   September 21, 2018
+   June 01, 2021
 
    The Apache Software Foundation and the Apache HTTP Server Project
    are pleased to announce the release of version 2.4.48 of the Apache
@@ -8,7 +8,7 @@
    release of the new generation 2.4.x branch of Apache HTTPD and
    represents fifteen years of innovation by the project, and is
    recommended over all previous releases. This release of Apache is
-   a feature and bug fix release.
+   a security, feature and bug fix release.
 
    We consider this release to be the best version of Apache available, and
    encourage users of all prior versions to upgrade.

Modified: release/httpd/CHANGES_2.4
==============================================================================
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Tue Jun  1 20:04:26 2021
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.48
 
+  *) SECURITY: CVE-2021-31618 (cve.mitre.org)
+     mod_http2: Fix a potential NULL pointer dereference [Ivan Zhakov]
+
   *) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt-out the
      fallback to mod_proxy_http for WebSocket upgrade and tunneling.
      [Yann Ylavic]
@@ -126,6 +129,33 @@ Changes with Apache 2.4.48
 
 Changes with Apache 2.4.47
 
+  *) SECURITY: CVE-2021-30641 (cve.mitre.org)
+     Unexpected <Location> section matching with 'MergeSlashes OFF'
+
+  *) SECURITY: CVE-2020-35452 (cve.mitre.org)
+     mod_auth_digest: possible stack overflow by one nul byte while validating
+     the Digest nonce.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-26691 (cve.mitre.org)
+     mod_session: Fix possible crash due to NULL pointer dereference, which
+     could be used to cause a Denial of Service with a malicious backend
+     server and SessionHeader.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-26690 (cve.mitre.org)
+     mod_session: Fix possible crash due to NULL pointer dereference, which
+     could be used to cause a Denial of Service.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-13950 (cve.mitre.org)
+     mod_proxy_http: Fix possible crash due to NULL pointer dereference, which
+     could be used to cause a Denial of Service.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-13938 (cve.mitre.org)
+     Windows: Prevent local users from stopping the httpd process [Ivan Zhakov]
+
+  *) SECURITY: CVE-2019-17567 (cve.mitre.org)
+     mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end
+     negotiation.  [Yann Ylavic]
+
   *) mod_dav_fs: Improve logging output when failing to open files for
      writing.  PR 64413.  [Bingyu Shen <ahshenbingyu gmail.com>]
 
@@ -185,22 +215,13 @@ Changes with Apache 2.4.47
   *) mod_authnz_ldap: Prevent authentications with empty passwords for the
      initial bind to fail with status 500. [Ruediger Pluem]
 
-  *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
-     the format can't match anyway.  [Yann Ylavic]
-
   *) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
      Transfer-Encoding from the client, spooling the request body when needed
      to provide a Content-Length to the backend.  PR 57087.  [Yann Ylavic]
 
-  *) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in
-     proxy_util.  [Yann Ylavic]
-
   *) mod_proxy: Improve tunneling loop to support half closed connections and
      pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]
 
-  *) mod_proxy_http: handle Upgrade request, 101 (Switching Protocol) response
-     and switched protocol forwarding.  [Yann Ylavic]
-
   *) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http,
      allowing for (non-)Upgrade negotiation with the origin server.
      [Yann Ylavic]

Modified: release/httpd/CHANGES_2.4.48
==============================================================================
--- release/httpd/CHANGES_2.4.48 (original)
+++ release/httpd/CHANGES_2.4.48 Tue Jun  1 20:04:26 2021
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.48
 
+  *) SECURITY: CVE-2021-31618 (cve.mitre.org)
+     mod_http2: Fix a potential NULL pointer dereference [Ivan Zhakov]
+
   *) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt-out the
      fallback to mod_proxy_http for WebSocket upgrade and tunneling.
      [Yann Ylavic]
@@ -126,6 +129,33 @@ Changes with Apache 2.4.48
 
 Changes with Apache 2.4.47
 
+  *) SECURITY: CVE-2021-30641 (cve.mitre.org)
+     Unexpected <Location> section matching with 'MergeSlashes OFF'
+
+  *) SECURITY: CVE-2020-35452 (cve.mitre.org)
+     mod_auth_digest: possible stack overflow by one nul byte while validating
+     the Digest nonce.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-26691 (cve.mitre.org)
+     mod_session: Fix possible crash due to NULL pointer dereference, which
+     could be used to cause a Denial of Service with a malicious backend
+     server and SessionHeader.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-26690 (cve.mitre.org)
+     mod_session: Fix possible crash due to NULL pointer dereference, which
+     could be used to cause a Denial of Service.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-13950 (cve.mitre.org)
+     mod_proxy_http: Fix possible crash due to NULL pointer dereference, which
+     could be used to cause a Denial of Service.  [Yann Ylavic]
+
+  *) SECURITY: CVE-2020-13938 (cve.mitre.org)
+     Windows: Prevent local users from stopping the httpd process [Ivan Zhakov]
+
+  *) SECURITY: CVE-2019-17567 (cve.mitre.org)
+     mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end
+     negotiation.  [Yann Ylavic]
+
   *) mod_dav_fs: Improve logging output when failing to open files for
      writing.  PR 64413.  [Bingyu Shen <ahshenbingyu gmail.com>]
 
@@ -185,22 +215,13 @@ Changes with Apache 2.4.47
   *) mod_authnz_ldap: Prevent authentications with empty passwords for the
      initial bind to fail with status 500. [Ruediger Pluem]
 
-  *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
-     the format can't match anyway.  [Yann Ylavic]
-
   *) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
      Transfer-Encoding from the client, spooling the request body when needed
      to provide a Content-Length to the backend.  PR 57087.  [Yann Ylavic]
 
-  *) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in
-     proxy_util.  [Yann Ylavic]
-
   *) mod_proxy: Improve tunneling loop to support half closed connections and
      pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]
 
-  *) mod_proxy_http: handle Upgrade request, 101 (Switching Protocol) response
-     and switched protocol forwarding.  [Yann Ylavic]
-
   *) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http,
      allowing for (non-)Upgrade negotiation with the origin server.
      [Yann Ylavic]
@@ -262,3 +283,13 @@ Changes with Apache 2.4.47
      connection reuse is disabled by default to avoid compatibility issues.
      [Takashi Sato, Jan Kaluza, Eric Covener, Yann Ylavic, Jean-Frederic Clere]
 
+  [Apache 2.3.0-dev includes those bug fixes and changes with the
+   Apache 2.2.xx tree as documented, and except as noted, below.]
+
+Changes with Apache 2.2.x and later:
+
+  *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup
+
+Changes with Apache 2.0.x and later:
+
+  *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup

Added: release/httpd/CURRENT-IS-2.4.48
==============================================================================
    (empty)



Mime
View raw message