http://permalink.gmane.org/gmane.comp.apache.announce hourly 1 1901-01-01T00:00+00:00 http://gmane.org/img/gmane-25t.png http://gmane.org http://permalink.gmane.org/gmane.comp.apache.announce/67 <pre> The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.24 of the Apache HTTP Server ("Apache"). This version of Apache is principally a security and bug fix maintenance release, including the following significant security fixes: * SECURITY: CVE-2012-3499 (cve.mitre.org) Various XSS flaws due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp. * SECURITY: CVE-2012-4558 (cve.mitre.org) XSS in mod_proxy_balancer manager interface. We consider the Apache HTTP Server 2.4.4 release to be the best version of Apache available, and encourage users of 2.2 and all prior versions to upgrade. This 2.2 maintenance release is offered for those unable to do so at this time. For further details, see http://www.apache.org/dist/httpd/Announcement2.4.txt Apache HTTP Server 2.4.4 and 2.2.24 are available for download from: http://httpd.apa</pre> William A. Rowe Jr. 2013-02-26T23:10:27 http://permalink.gmane.org/gmane.comp.apache.announce/66 <pre> Apache HTTP Server 2.4.4 Released The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.4 of the Apache HTTP Server ("Apache"). This version of Apache is our latest GA release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project, and is recommended over all previous releases. This version of Apache is principally a security and bug fix release, including the following 2 security fixes: *) SECURITY: CVE-2012-3499 (cve.mitre.org) Various XSS flaws due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp. *) SECURITY: CVE-2012-4558 (cve.mitre.org) XSS in mod_proxy_balancer manager interface. Apache HTTP Server 2.4.4 is available for download from: http://httpd.apache.org/download.cgi Apache 2.4 offers numerous enhancements, improvements, and performance boosts over </pre> Jim Jagielski 2013-02-25T22:53:12 http://permalink.gmane.org/gmane.comp.apache.announce/65 <pre> Apache HTTP Server 2.4.3 Released The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.3 of the Apache HTTP Server ("Apache"). This version of Apache is our 3rd GA release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project, and is recommended over all previous releases. This version of Apache is principally a security and bug fix release, including the following 2 security fixes: *) SECURITY: CVE-2012-3502 (cve.mitre.org) mod_proxy_ajp, mod_proxy_http: Fix an issue in back end connection closing which could lead to privacy issues due to a response mixup. PR 53727. *) SECURITY: CVE-2012-2687 (cve.mitre.org) mod_negotiation: Escape filenames in variant list to prevent an possible XSS for a site where untrusted users can upload files to a location with MultiViews enabled. Apache HTTP Server 2.4.3 is available fo</pre> Jim Jagielski 2012-08-21T11:57:02 http://permalink.gmane.org/gmane.comp.apache.announce/64 <pre> Apache HTTP Server 2.4.2 Released The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.2 of the Apache HTTP Server ("Apache"). This version of Apache is our 2nd GA release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project, and is recommended over all previous releases. This version of Apache is principally a security and bug fix release, including the following security fix: *) SECURITY: CVE-2012-0883 (cve.mitre.org) envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the current working directory to be searched for DSOs. Apache HTTP Server 2.4.2 is available for download from: http://httpd.apache.org/download.cgi Apache 2.4 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. For an overview of new features introduced since 2.4 please see: http://httpd.apache.org/docs/trunk/new_features_2_4.html Please see the </pre> Jim Jagielski 2012-04-17T12:32:53 http://permalink.gmane.org/gmane.comp.apache.announce/63 <pre> Apache HTTP Server 2.4.1 Released The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the GA release of version 2.4.1 of the Apache HTTP Server. This version of Apache HTTP Server is the first GA release of the new 2.4.x branch. Apache HTTP Server 2.4 provides a number of improvements and enhancements over the 2.2 version. A listing and description of these features is available via: http://httpd.apache.org/docs/2.4/new_features_2_4.html Please see the CHANGES_2.4 file, linked from the download page, for a full list of changes. We consider this release to be the best version of Apache HTTP Server available, and encourage users of all prior versions to upgrade. Apache HTTP Server 2.4.1 is available for download from: http://httpd.apache.org/download.cgi This release requires the Apache Portable Runtime (APR) version 1.4.x and APR-Util version 1.4.x. The APR libraries must be upgraded for all features of httpd to operate correctly. This release bu</pre> Jim Jagielski 2012-02-21T13:56:57 http://permalink.gmane.org/gmane.comp.apache.announce/62 <pre> Apache HTTP Server 2.2.22 Released The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.22 of the Apache HTTP Server ("Apache"). This version of Apache is principally a security and bug fix release, including the following significant security fixes: * SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations. * SECURITY: CVE-2011-3607 (cve.mitre.org) Fix integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file. * SECURITY: CVE-2011-4317 (cve.mitre.org) Resolve additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired backend network exposure in some configura</pre> William A. Rowe Jr. 2012-01-31T22:34:24 http://permalink.gmane.org/gmane.comp.apache.announce/61 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Apache HTTP Server Security Advisory ==================================== Title: mod_proxy reverse proxy exposure CVE: CVE-2011-3368 Date: 20111005 Product: Apache HTTP Server Versions: httpd 1.3 all versions, httpd 2.x all versions Description: ============ An exposure was reported affecting the use of Apache HTTP Server in reverse proxy mode. We would like to thank Context Information Security Ltd for reporting this issue to us. When using the RewriteRule or ProxyPassMatch directives to configure a reverse proxy using a pattern match, it is possible to inadvertently expose internal servers to remote users who send carefully crafted requests. The server did not validate that the input to the pattern match was a valid path string, so a pattern could expand to an unintended target URL. For future releases of the Apache HTTP Server, the software will validate the request URI, correcting this specific vulnerability. The document</pre> Joe Orton 2011-10-05T14:15:41 http://permalink.gmane.org/gmane.comp.apache.announce/60 <pre> The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.21 of the Apache HTTP Server ("Apache"). This version of Apache is principally a security and bug fix release: * SECURITY: CVE-2011-3348 (cve.mitre.org) mod_proxy_ajp when combined with mod_proxy_balancer: Prevents unrecognized HTTP methods from marking ajp: balancer members in an error state, avoiding denial of service. * SECURITY: CVE-2011-3192 (cve.mitre.org) core: Further fixes to the handling of byte-range requests to use less memory, to avoid denial of service. This patch includes fixes to the patch introduced in release 2.2.20 for protocol compliance, as well as the MaxRanges directive. Note the further advisories on the state of CVE-2011-3192 will no longer be broadcast, but will be kept up to date at; http://httpd.apache.org/security/CVE-2011-3192.txt We consider this release to be the best vers</pre> William A. Rowe Jr. 2011-09-14T06:32:48 http://permalink.gmane.org/gmane.comp.apache.announce/59 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Apache HTTPD Security ADVISORY ============================== UPDATE 2 Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x CVE: CVE-2011-3192 Last Change: 20110826 1030Z Date: 20110824 1600Z Product: Apache HTTPD Web Server Versions: Apache 1.3 all versions, Apache 2 all versions Changes since last update ========================= In addition to the 'Range' header - the 'Range-Request' header is equally affected. Furthermore various vendor updates, improved regexes (speed and accommodating a different and new attack pattern). Description: ============ A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server: http://seclists.org/fulldisclosure/2011/Aug/175 An attack tool is circulating in the wild. Active use of this tool has been observed. The attack can be done remotely and with a modest number of r</pre> Dirk-Willem van Gulik 2011-08-26T10:35:31 http://permalink.gmane.org/gmane.comp.apache.announce/58 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Apache HTTPD Security ADVISORY ============================== Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x CVE: CVE-2011-3192: Date: 20110824 1600Z Product: Apache HTTPD Web Server Versions: Apache 1.3 all versions, Apache 2 all versions Description: ============ A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server: http://seclists.org/fulldisclosure/2011/Aug/175 An attack tool is circulating in the wild. Active use of this tools has been observed. The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server. The default Apache HTTPD installation is vulnerable. There is currently no patch/new version of Apache HTTPD which fixes this vulnerability. This advisory will be updated when a long term fix is available. A full fix is expected in the next 4</pre> Dirk-Willem van Gulik 2011-08-24T16:16:39 http://permalink.gmane.org/gmane.comp.apache.announce/57 <pre> Apache HTTP Server 2.2.19 Released The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.19 of the Apache HTTP Server ("Apache"). This version of Apache is principally a bug fix release, correcting regressions in the httpd 2.2.18 package; the use of that previous 2.2.18 package is discouraged due to these flaws: * SECURITY: CVE-2011-1928 (cve.mitre.org) A fix in bundled APR 1.4.4 apr_fnmatch() to address CVE-2011-0419 introduced a new vulnerability. httpd workers enter a hung state (100% cpu utilization) after updating to APR 1.4.4. Upgrading to APR 1.4.5 bundled with the httpd 2.2.19 package, or using APR 1.4.3 or prior with the 'IgnoreClient' option of the 'IndexOptions' directive will circumvent both issues. * httpd 2.2.18: The ap_unescape_url_keep2f() function signature was inadvertantly changed. This breaks binary compatibility of a number </pre> William A. Rowe Jr. 2011-05-22T15:33:32 http://permalink.gmane.org/gmane.comp.apache.announce/56 <pre> New releases are in progress for each of these projects and are expected to be available in the coming days. The upcoming httpd 2.2.19 will bundle new releases of apr and apr-util which correct the regressions described below. An announcement of these releases will be broadcast. Note: httpd 2.2.18 bundles apr 1.4.4 and apr-util 1.3.11. Summary of regressions: httpd 2.2.18: The ap_unescape_url_keep2f() function signature was changed. This breaks binary compatibility of a number of third-party modules. In addition, a regression in apr 1.4.4 (see below) could cause httpd to hang. apr 1.4.4: A fix in apr 1.4.4 apr_fnmatch() to address CVE-2011-0419 introduced a new vulnerability. A patch is attached and should be used if httpd workers enter a hung state (100% cpu utilization) after updating to httpd 2.2.18 or apr-util 1.4.4, or if hangs are seen in other apr applications which use apr_fnmatch(). apr-util 1.3.11: A fix to LDAP support in apr-util 1.3.11 could cause crashes with httpd's mod_authnz_ldap in</pre> William A. Rowe Jr. 2011-05-19T17:17:06 http://permalink.gmane.org/gmane.comp.apache.announce/55 <pre> Apache HTTP Server 2.2.18 Released The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.18 of the Apache HTTP Server ("Apache"). This version of Apache is principally a bug fix release, and a security fix release of the APR 1.4.4 dependency; * SECURITY: CVE-2011-0419 (cve.mitre.org) apr_fnmatch flaw leads to mod_autoindex remote DoS Where mod_autoindex is enabled, and a directory indexed by mod_autoindex contained files with sufficiently long names, a carefully crafted request may cause excessive CPU usage Upgrading to APR 1.4.4, or setting the 'IgnoreClient' option of the 'IndexOptions' directive circumvents this risk. We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade. Apache HTTP Server 2.2.18 is available for download from: http://httpd.apache.org/download.cgi Please </pre> William A. Rowe Jr. 2011-05-12T04:10:40 http://permalink.gmane.org/gmane.comp.apache.announce/54 <pre> Apache HTTP Server 2.3.11-beta Released The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.3.11-beta of the Apache HTTP Server ("Apache"). This version of Apache is our initial Beta release of Apache httpd 2.4 to test new technology and features that are incompatible or too large for the stable 2.2.x branch. This Beta release should not be presumed to be compatible with binaries built against any prior or future version, although, as a Beta, the API is in a semi-frozen state. Apache HTTP Server 2.3.11-beta is available for download from: http://httpd.apache.org/download.cgi Apache 2.3 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. For an overview of new features introduced since 2.3 please see: http://httpd.apache.org/docs/trunk/new_features_2_4.html Please see the CHANGES_2.3 file, linked from the download page, for a full list of</pre> Jim Jagielski 2011-03-07T14:00:15 http://permalink.gmane.org/gmane.comp.apache.announce/53 <pre>The expected-to-be-final alpha release of Apache HTTP Server (aka, Apache httpd) 2.3.10-alpha is now available for download, test and use. Based on user and developer feedback, the next release of the next-gen version of Apache httpd will likely be our first beta. The hope and expectation is to push for a quick beta cycle and a 2.4.0 GA release around the beginning of 2011. Apache httpd 2.3.10-alpha can be found at: http://httpd.apache.org/ </pre> Jim Jagielski 2010-12-22T13:22:16 http://permalink.gmane.org/gmane.comp.apache.announce/52 <pre> libapreq2-2.13 Released The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the 2.13 release of libapreq2. This Announcement notes significant changes introduced by this release. libapreq2-2.13 is released under the Apache License version 2.0. It is now available through the ASF mirrors http://httpd.apache.org/apreq/download.cgi and has entered the CPAN as file: $CPAN/authors/id/I/IS/ISAAC/libapreq2-2.13.tar.gz size: 891320 bytes md5: c11fb0861aa84dcc6cd0f0798b045eee libapreq2 is an APR-based shared library used for parsing HTTP cookies, query-strings and POST data. This package provides 1) version 2.8.0 of the libapreq2 library, 2) mod_apreq2, a filter module necessary for using libapreq2 within the Apache HTTP Server, 3) the Apache2::Request, Apache2::Cookie, and Apache2::Upload perl modules for using libapreq2 with mod_perl2. ======================================================================== Changes</pre> issac< at >apache.org 2010-12-03T11:52:12 http://permalink.gmane.org/gmane.comp.apache.announce/51 <pre> The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.3.6 of mod_fcgid, a FastCGI implementation for Apache HTTP Server versions 2.0, 2.2, and future 2.4. This version of mod_fcgid is a bug fix release. A fix is included for CVE-2010-3872, a potential vulnerability which can affect sites with untrusted FastCGI applications. Additionally, default configuration settings for request body handling have been changed to prevent large system resource use. Administrators of all versions of mod_fcgid are strongly cautioned to ensure that FcgidMaxRequestLen is configured appropriately. mod_fcgid is available for download from: http://httpd.apache.org/download.cgi A full list of changes in this release follows: *) SECURITY: CVE-2010-3872 (cve.mitre.org) Fix possible stack buffer overwrite. Diagnosed by the reporter. PR 49406. [Edgar Frank &lt;ef-lists email.de&gt;] *) Change the default for FcgidMaxRequestLen fro</pre> Jeff Trawick 2010-11-07T21:43:40 http://permalink.gmane.org/gmane.comp.apache.announce/50 <pre> The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.17 of the Apache HTTP Server ("Apache"). This version of Apache is principally a bug fix release, and a security fix release of the APR-util 1.3.10 dependency; * SECURITY: CVE-2010-1623 (cve.mitre.org) Fix a denial of service attack against apr_brigade_split_line(). * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org) Fix two buffer over-read flaws in the bundled copy of expat which could cause httpd to crash while parsing specially-crafted XML documents. We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade. Apache HTTP Server 2.2.17 is available for download from: http://httpd.apache.org/download.cgi Apache HTTP Server 2.0.64 legacy release is also currently available, with the same vulnerability correction as well as many others fixed in 2.</pre> William A. Rowe Jr. 2010-10-19T16:27:33 http://permalink.gmane.org/gmane.comp.apache.announce/50 <pre> The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.17 of the Apache HTTP Server ("Apache"). This version of Apache is principally a bug fix release, and a security fix release of the APR-util 1.3.10 dependency; * SECURITY: CVE-2010-1623 (cve.mitre.org) Fix a denial of service attack against apr_brigade_split_line(). * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org) Fix two buffer over-read flaws in the bundled copy of expat which could cause httpd to crash while parsing specially-crafted XML documents. We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade. Apache HTTP Server 2.2.17 is available for download from: http://httpd.apache.org/download.cgi Apache HTTP Server 2.0.64 legacy release is also currently available, with the same vulnerability correction as well as many others fixed in 2.</pre> William A. Rowe Jr. 2010-10-19T16:27:33 http://permalink.gmane.org/gmane.comp.apache.announce/49 <pre> Apache HTTP Server 2.3.8-alpha Released The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.3.8-alpha of the Apache HTTP Server ("Apache"). This version of Apache is principally an alpha release to test new technology and features that are incompatible or too large for the stable 2.2.x branch. This alpha release should not be presumed to be compatible with binaries built against any prior or future version. This release is expected to be the last alpha release; subsequent releases will be beta releases as we move towards 2.4.0-GA. Apache HTTP Server 2.3.8-alpha is available for download from: http://httpd.apache.org/download.cgi Apache 2.3 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. For an overview of new features introduced since 2.3 please see: http://httpd.apache.org/docs/trunk/new_features_2_4.html Please see the CHANGES_2.3 file, linked from the download</pre> Jim Jagielski 2010-08-31T14:16:12 http://permalink.gmane.org/gmane.comp.apache.announce/48 <pre> Apache HTTP Server 2.3.6-alpha Released The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.3.6-alpha of the Apache HTTP Server ("Apache"). This version of Apache is principally an alpha release to test new technology and features that are incompatible or too large for the stable 2.2.x branch. This alpha release should not be presumed to be compatible with binaries built against any prior or future version. Apache HTTP Server 2.3.6-alpha is available for download from: http://httpd.apache.org/download.cgi Apache 2.3 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. For an overview of new features introduced since 2.3 please see: http://httpd.apache.org/docs/trunk/new_features_2_4.html Please see the CHANGES_2.3 file, linked from the download page, for a full list of changes. This release includes the Apache Portable Runtime (APR) version 1.4.2 and APR-Util version 1.3.9 in a separate -d</pre> Jim Jagielski 2010-06-21T16:20:41 Search the mailing list at Gmane query http://search.gmane.org/?group=$group=gmane.comp.apache.announce