gmane.comp.apache.announce
http://blog.gmane.org/gmane.comp.apache.announce
hourly11901-01-01T00:00+00:00Gmanehttp://gmane.org/img/gmane-25t.png
http://gmane.org
[ANNOUNCEMENT] Apache HTTP Server 2.4.2 Released
http://comments.gmane.org/gmane.comp.apache.announce/64
<pre> Apache HTTP Server 2.4.2 Released
The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.2 of the Apache
HTTP Server ("Apache"). This version of Apache is our 2nd GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This version of Apache is
principally a security and bug fix release, including the following
security fix:
*) SECURITY: CVE-2012-0883 (cve.mitre.org)
envvars: Fix insecure handling of LD_LIBRARY_PATH that could
lead to the current working directory to be searched for DSOs.
Apache HTTP Server 2.4.2 is available for download from:
http://httpd.apache.org/download.cgi
Apache 2.4 offers numerous enhancements, improvements, and performance
boosts over the 2.2 codebase. For an overview of new features
introduced since 2.4 please see:
http://httpd.apache.org/docs/trunk/new_features_2_4.html
Please see the CHANGES_2.4 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.4.2 includes only
those changes introduced since the prior 2.4 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:
http://httpd.apache.org/security/vulnerabilities_24.html
This release requires the Apache Portable Runtime (APR) version 1.4.x
and APR-Util version 1.4.x. The APR libraries must be upgraded for all
features of httpd to operate correctly.
This release builds on and extends the Apache 2.2 API. Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.4, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING
When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
NOTE to Windows users: AcceptFilter None has replaced Win32DisableAcceptEx
and the feature appears to have interoperability issues with mod_ssl.
Apache 2.4.2 may not yet be suitable for all Windows servers. There
is not yet a Windows binary distribution of httpd 2.4, but this is
expected to be remedied soon as various dependencies graduate from
beta to GA.
</pre>Jim Jagielski2012-04-17T12:32:53[ANNOUNCEMENT] Apache HTTP Server 2.4.1 Released
http://comments.gmane.org/gmane.comp.apache.announce/63
<pre> Apache HTTP Server 2.4.1 Released
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the GA release of version 2.4.1 of the Apache HTTP
Server. This version of Apache HTTP Server is the first GA release of
the new 2.4.x branch.
Apache HTTP Server 2.4 provides a number of improvements and
enhancements over the 2.2 version. A listing and description of these
features is available via:
http://httpd.apache.org/docs/2.4/new_features_2_4.html
Please see the CHANGES_2.4 file, linked from the download page, for a
full list of changes.
We consider this release to be the best version of Apache HTTP Server
available, and encourage users of all prior versions to upgrade.
Apache HTTP Server 2.4.1 is available for download from:
http://httpd.apache.org/download.cgi
This release requires the Apache Portable Runtime (APR) version 1.4.x
and APR-Util version 1.4.x. The APR libraries must be upgraded for all
features of httpd to operate correctly.
This release builds on and extends the Apache 2.2 API. Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.4, and may require minimal source code changes.
http://httpd.apache.org/docs/2.4/developer/new_api_2_4.html
A summary of all of the security vulnerabilities addressed in this and
earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_24.html
Important:
Windows users: AcceptFilter None has replaced Win32DisableAcceptEx
and the feature appears to have interoperability issues with mod_ssl.
Apache 2.4.1 may not yet be suitable for all Windows servers. There
is not yet a Windows binary distribution of httpd 2.4, but this is
expected to be remedied soon as various dependencies graduate from
beta to GA.
</pre>Jim Jagielski2012-02-21T13:56:57Apache HTTP Server 2.2.22 Released
http://comments.gmane.org/gmane.comp.apache.announce/62
<pre> Apache HTTP Server 2.2.22 Released
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.22 of the Apache HTTP
Server ("Apache"). This version of Apache is principally a security
and bug fix release, including the following significant security fixes:
* SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
some reverse proxy configurations.
* SECURITY: CVE-2011-3607 (cve.mitre.org)
Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
is enabled, could allow local users to gain privileges via a .htaccess
file.
* SECURITY: CVE-2011-4317 (cve.mitre.org)
Resolve additional cases of URL rewriting with ProxyPassMatch or
RewriteRule, where particular request-URIs could result in undesired
backend network exposure in some configurations.
* SECURITY: CVE-2012-0021 (cve.mitre.org)
mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
string is in use and a client sends a nameless, valueless cookie, causing
a denial of service. The issue existed since version 2.2.17.
* SECURITY: CVE-2012-0031 (cve.mitre.org)
Fix scoreboard issue which could allow an unprivileged child process
could cause the parent to crash at shutdown rather than terminate
cleanly.
* SECURITY: CVE-2012-0053 (cve.mitre.org)
Fixed an issue in error responses that could expose "httpOnly" cookies
when no custom ErrorDocument is specified for status code 400.
The Apache HTTP Project thanks halfdog, Context Information Security Ltd,
Prutha Parikh of Qualys, and Norman Hippert for bringing these issues to
the attention of the security team.
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.22 is available for download from:
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.2.22 includes only
those changes introduced since the prior 2.2 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:
http://httpd.apache.org/security/vulnerabilities_22.html
This release includes the Apache Portable Runtime (APR) version 1.4.5
and APR Utility Library (APR-util) version 1.4.2, bundled with the tar
and zip distributions. The APR libraries libapr and libaprutil (and
on Win32, libapriconv version 1.2.1) must all be updated to ensure
binary compatibility and address many known security and platform bugs.
APR-util version 1.4 represents a minor version upgrade from earlier
httpd source distributions, which previously included version 1.3.
Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features
introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html
This release builds on and extends the Apache 2.0 API. Modules written
for Apache 2.0 will need to be recompiled in order to run with Apache
2.2, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
</pre>William A. Rowe Jr.2012-01-31T22:34:24Advisory: mod_proxy reverse proxy exposure (CVE-2011-3368)
http://comments.gmane.org/gmane.comp.apache.announce/61
<pre>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Apache HTTP Server Security Advisory
====================================
Title: mod_proxy reverse proxy exposure
CVE: CVE-2011-3368
Date: 20111005
Product: Apache HTTP Server
Versions: httpd 1.3 all versions, httpd 2.x all versions
Description:
============
An exposure was reported affecting the use of Apache HTTP Server in
reverse proxy mode. We would like to thank Context Information
Security Ltd for reporting this issue to us.
When using the RewriteRule or ProxyPassMatch directives to configure a
reverse proxy using a pattern match, it is possible to inadvertently
expose internal servers to remote users who send carefully crafted
requests. The server did not validate that the input to the pattern
match was a valid path string, so a pattern could expand to an
unintended target URL.
For future releases of the Apache HTTP Server, the software will
validate the request URI, correcting this specific vulnerability. The
documentation has been updated to reflect the more general risks with
pattern matching in a reverse proxy configuration.
Details:
========
A configuration like one of the following examples:
RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P]
ProxyPassMatch (.*)\.(jpg|gif|png) http://images.example.com$1.$2
could result in an exposure of internal servers. A request of the form:
GET < at >other.example.com/something.png HTTP/1.1
would get translated to a target of:
http://images.example.com< at >other.example.com/something.png
This will cause the proxy to connect to the hostname
"other.example.com", as the "images.example.com< at >" segment would be
treated as user credentials when parsing the URL. This would allow a
remote attacker the ability to proxy to hosts other than those
expected, which could be a security exposure in some circumstances.
The request-URI string in this example,
"< at >other.example.com/something.png", is not valid according to the HTTP
specification, since it neither an absolute URI
("http://example.com/path") nor an absolute path ("/path"). For
future releases, the server has been patched to reject such requests,
instead returning a "400 Bad Request" error.
Actions:
========
Apache HTTPD users should examine their configuration files to determine
if they have used an insecure configuration for reverse proxying.
Affected users can update their configuration, or apply the patch from:
http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/
For example, the above RewriteRule could be changed to:
RewriteRule /(.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P]
to ensure the pattern only matches against paths with a leading "/".
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk6MZZAACgkQR/aWnQ5EzwxdfQCg0yX+OplatMPQcweRneRmh5Xp
5sEAoLooi9H4LW12oPgStNbY2wtyQrYP
=8qjg
-----END PGP SIGNATURE-----
</pre>Joe Orton2011-10-05T14:15:41Apache HTTP Server 2.2.21 Released
http://comments.gmane.org/gmane.comp.apache.announce/60
<pre> The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.21 of the Apache HTTP
Server ("Apache"). This version of Apache is principally a security
and bug fix release:
* SECURITY: CVE-2011-3348 (cve.mitre.org)
mod_proxy_ajp when combined with mod_proxy_balancer: Prevents
unrecognized HTTP methods from marking ajp: balancer members
in an error state, avoiding denial of service.
* SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Further fixes to the handling of byte-range requests to use
less memory, to avoid denial of service. This patch includes fixes
to the patch introduced in release 2.2.20 for protocol compliance,
as well as the MaxRanges directive.
Note the further advisories on the state of CVE-2011-3192 will no longer
be broadcast, but will be kept up to date at;
http://httpd.apache.org/security/CVE-2011-3192.txt
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.21 is available for download from:
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.2.21 provides the
complete list of changes since 2.2.19. A summary of all of the security
vulnerabilities addressed in this and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html
This release includes the Apache Portable Runtime (APR) version 1.4.5
and APR Utility Library (APR-util) version 1.3.12, bundled with the tar
and zip distributions. The APR libraries libapr and libaprutil (and
on Win32, libapriconv version 1.2.1) must all be updated to ensure
binary compatibility and address many known security and platform bugs.
Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features
introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html
This release builds on and extends the Apache 2.0 API. Modules written
for Apache 2.0 will need to be recompiled in order to run with Apache
2.2, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
</pre>William A. Rowe Jr.2011-09-14T06:32:48Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)
http://comments.gmane.org/gmane.comp.apache.announce/59
<pre>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Apache HTTPD Security ADVISORY
==============================
UPDATE 2
Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x
CVE: CVE-2011-3192
Last Change: 20110826 1030Z
Date: 20110824 1600Z
Product: Apache HTTPD Web Server
Versions: Apache 1.3 all versions, Apache 2 all versions
Changes since last update
=========================
In addition to the 'Range' header - the 'Range-Request' header is equally
affected. Furthermore various vendor updates, improved regexes (speed and
accommodating a different and new attack pattern).
Description:
============
A denial of service vulnerability has been found in the way the multiple
overlapping ranges are handled by the Apache HTTPD server:
http://seclists.org/fulldisclosure/2011/Aug/175
An attack tool is circulating in the wild. Active use of this tool has
been observed.
The attack can be done remotely and with a modest number of requests can
cause very significant memory and CPU usage on the server.
The default Apache HTTPD installation is vulnerable.
There is currently no patch/new version of Apache HTTPD which fixes this
vulnerability. This advisory will be updated when a long term fix
is available.
A full fix is expected in the next 24 hours.
Background and the 2007 report
==============================
There are two aspects to this vulnerability. One is new, is Apache specific;
and resolved with this server side fix. The other issue is fundamentally a
protocol design issue dating back to 2007:
http://seclists.org/bugtraq/2007/Jan/83
The contemporary interpretation of the HTTP protocol (currently) requires a
server to return multiple (overlapping) ranges; in the order requested. This
means that one can request a very large range (e.g. from byte 0- to the end)
100's of times in a single request.
Being able to do so is an issue for (probably all) webservers and currently
subject of an IETF discussion to change the protocol:
http://trac.tools.ietf.org/wg/httpbis/trac/ticket/311
This advisory details a problem with how Apache httpd and its so called
internal 'bucket brigades' deal with serving such "valid" request. The
problem is that currently such requests internally explode into 100's of
large fetches, all of which are kept in memory in an inefficient way. This
is being addressed in two ways. By making things more efficient. And by
weeding out or simplifying requests deemed too unwieldy.
Mitigation:
===========
There are several immediate options to mitigate this issue until a full fix
is available. Below examples handle both the 'Range' and the legacy
'Request-Range' with various levels of care.
Note that 'Request-Range' is a legacy name dating back to Netscape Navigator
2-3 and MSIE 3. Depending on your user community - it is likely that you
can use option '3' safely for this older 'Request-Range'.
1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
either ignore the Range: header or reject the request.
Option 1: (Apache 2.2)
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
CustomLog logs/range-CVE-2011-3192.log common env=bad-req-range
Above may not work for all configurations. In particular situations
mod_cache and (language) modules may act before the 'unset'
is executed upon during the 'fixup' phase.
Option 2: (Pre 2.2 and 1.3)
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$)
# RewriteCond %{HTTP:request-range} !(bytes=[^,]+(?:,[^,]+){0,4}$|^$)
RewriteRule .* - [F]
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
The number 5 is arbitrary. Several 10's should not be an issue and may be
required for sites which for example serve PDFs to very high end eReaders
or use things such complex http based video streaming.
2) Limit the size of the request field to a few hundred bytes. Note that while
this keeps the offending Range header short - it may break other headers;
such as sizeable cookies or security fields.
LimitRequestFieldSize 200
Note that as the attack evolves in the field you are likely to have
to further limit this and/or impose other LimitRequestFields limits.
See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
3) Use mod_headers to completely dis-allow the use of Range headers:
RequestHeader unset Range
Note that this may break certain clients - such as those used for
e-Readers and progressive/http-streaming video.
Furthermore to ignore the Netscape Navigator 2-3 and MSIE 3 specific
legacy header - add:
RequestHeader unset Request-Range
Unlike the commonly used 'Range' header - dropping the 'Request-Range'
is not likely to affect many clients.
4) Deploy a Range header count module as a temporary stopgap measure:
http://people.apache.org/~dirkx/mod_rangecnt.c
Precompiled binaries for some platforms are available at:
http://people.apache.org/~dirkx/BINARIES.txt
5) Apply any of the current patches under discussion - such as:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3cCAAPSnn2PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g< at >mail.gmail.com%3e
http://svn.apache.org/viewvc?view=revision&sortby=date&revision=1161534
OS and Vendor specific information
==================================
Red Hat: Option 1 cannot be used on Red Hat Enterprise Linux 4.
https://bugzilla.redhat.com/show_bug.cgi?id=732928
NetWare: Pre compiled binaries available.
mod_security: Has updated their rule set; see
http://blog.spiderlabs.com/2011/08/mitigation-of-apache-range-header-dos-attack.html
Actions:
========
Apache HTTPD users who are concerned about a DoS attack against their server
should consider implementing any of the above mitigations immediately.
When using a third party attack tool to verify vulnerability - note that most
of the versions in the wild currently check for the presence of mod_deflate;
and will (mis)report that your server is not vulnerable if this module is not
present. This vulnerability is not dependent on presence or absence of
that module.
Planning:
=========
This advisory will be updated when new information, a patch or a new release
is available. A patch or new Apache release for Apache 2.0 and 2.2 is expected
in the next 24 hours. Note that, while popular, Apache 1.3 is deprecated.
- -- end of advisory - update 2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
iEYEARECAAYFAk5Xdu8ACgkQ/W+IxiHQpxvN8ACgwsUJ6oYMq3SyoPHCR7rqsbP6
DFkAoKhZcF87F96h40tQdM1SZsiVX9N5
=07sc
-----END PGP SIGNATURE-----
</pre>Dirk-Willem van Gulik2011-08-26T10:35:31Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x \(CVE-2011-3192\)
http://comments.gmane.org/gmane.comp.apache.announce/58
<pre>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Apache HTTPD Security ADVISORY
==============================
Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x
CVE: CVE-2011-3192:
Date: 20110824 1600Z
Product: Apache HTTPD Web Server
Versions: Apache 1.3 all versions, Apache 2 all versions
Description:
============
A denial of service vulnerability has been found in the way the multiple
overlapping ranges are handled by the Apache HTTPD server:
http://seclists.org/fulldisclosure/2011/Aug/175
An attack tool is circulating in the wild. Active use of this tools has
been observed.
The attack can be done remotely and with a modest number of requests can
cause very significant memory and CPU usage on the server.
The default Apache HTTPD installation is vulnerable.
There is currently no patch/new version of Apache HTTPD which fixes this
vulnerability. This advisory will be updated when a long term fix
is available.
A full fix is expected in the next 48 hours.
Mitigation:
============
However there are several immediate options to mitigate this issue until
a full fix is available:
1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
either ignore the Range: header or reject the request.
Option 1: (Apache 2.0 and 2.2)
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
Option 2: (Also for Apache 1.3)
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]
The number 5 is arbitrary. Several 10's should not be an issue and may be
required for sites which for example serve PDFs to very high end eReaders
or use things such complex http based video streaming.
2) Limit the size of the request field to a few hundred bytes. Note that while
this keeps the offending Range header short - it may break other headers;
such as sizeable cookies or security fields.
LimitRequestFieldSize 200
Note that as the attack evolves in the field you are likely to have
to further limit this and/or impose other LimitRequestFields limits.
See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
3) Use mod_headers to completely dis-allow the use of Range headers:
RequestHeader unset Range
Note that this may break certain clients - such as those used for
e-Readers and progressive/http-streaming video.
4) Deploy a Range header count module as a temporary stopgap measure:
http://people.apache.org/~dirkx/mod_rangecnt.c
Precompiled binaries for some platforms are available at:
http://people.apache.org/~dirkx/BINARIES.txt
5) Apply any of the current patches under discussion - such as:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3cCAAPSnn2PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g< at >mail.gmail.com%3e
Actions:
========
Apache HTTPD users who are concerned about a DoS attack against their server
should consider implementing any of the above mitigations immediately.
When using a third party attack tool to verify vulnerability - know that most
of the versions in the wild currently check for the presence of mod_deflate;
and will (mis)report that your server is not vulnerable if this module is not
present. This vulnerability is not dependent on presence or absence of
that module.
Planning:
=========
This advisory will be updated when new information, a patch or a new release
is available. A patch or new apache release for Apache 2.0 and 2.2 is expected
in the next 48 hours. Note that, while popular, Apache 1.3 is deprecated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
iEYEARECAAYFAk5VI+MACgkQ/W+IxiHQpxsz4wCgipR6nQmd45hAgFmI/8dHULLF
BtoAmQGsi2efZKibpaSMI+aCt8fQgWgS
=11BG
-----END PGP SIGNATURE-----
</pre>Dirk-Willem van Gulik2011-08-24T16:16:39Apache HTTP Server 2.2.19 Released
http://comments.gmane.org/gmane.comp.apache.announce/57
<pre> Apache HTTP Server 2.2.19 Released
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.19 of the Apache HTTP
Server ("Apache"). This version of Apache is principally a bug fix
release, correcting regressions in the httpd 2.2.18 package; the use
of that previous 2.2.18 package is discouraged due to these flaws:
* SECURITY: CVE-2011-1928 (cve.mitre.org)
A fix in bundled APR 1.4.4 apr_fnmatch() to address CVE-2011-0419
introduced a new vulnerability. httpd workers enter a hung state
(100% cpu utilization) after updating to APR 1.4.4. Upgrading to
APR 1.4.5 bundled with the httpd 2.2.19 package, or using APR 1.4.3
or prior with the 'IgnoreClient' option of the 'IndexOptions'
directive will circumvent both issues.
* httpd 2.2.18: The ap_unescape_url_keep2f() function signature was
inadvertantly changed. This breaks binary compatibility of a number
of third-party modules. This httpd-2.2.19 package restores the
function signature provided by 2.2.17 and prior.
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.19 is available for download from:
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.2.19 provides the
complete list of changes since 2.2.18. A summary of all of the security
vulnerabilities addressed in this and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html
This release includes the Apache Portable Runtime (APR) version 1.4.5
and APR Utility Library (APR-util) version 1.3.12, bundled with the tar
and zip distributions. The APR libraries libapr and libaprutil (and
on Win32, libapriconv version 1.2.1) must all be updated to ensure
binary compatibility and address many known security and platform bugs.
Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features
introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html
This release builds on and extends the Apache 2.0 API. Modules written
for Apache 2.0 will need to be recompiled in order to run with Apache
2.2, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
</pre>William A. Rowe Jr.2011-05-22T15:33:32Apache HTTP Server 2.2.18 Released
http://comments.gmane.org/gmane.comp.apache.announce/55
<pre> Apache HTTP Server 2.2.18 Released
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.18 of the Apache HTTP
Server ("Apache"). This version of Apache is principally a bug fix
release, and a security fix release of the APR 1.4.4 dependency;
* SECURITY: CVE-2011-0419 (cve.mitre.org)
apr_fnmatch flaw leads to mod_autoindex remote DoS
Where mod_autoindex is enabled, and a directory indexed by
mod_autoindex contained files with sufficiently long names,
a carefully crafted request may cause excessive CPU usage
Upgrading to APR 1.4.4, or setting the 'IgnoreClient' option
of the 'IndexOptions' directive circumvents this risk.
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.18 is available for download from:
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.2.18 provides the
complete list of changes since 2.2.17. A summary of all of the security
vulnerabilities addressed in this and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html
This release includes the Apache Portable Runtime (APR) version 1.4.4
and APR Utility Library (APR-util) version 1.3.11, bundled with the tar
and zip distributions. The APR libraries libapr and libaprutil (and
on Win32, libapriconv version 1.2.1) must all be updated to ensure
binary compatibility and address many known security and platform bugs.
Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features
introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html
This release builds on and extends the Apache 2.0 API. Modules written
for Apache 2.0 will need to be recompiled in order to run with Apache
2.2, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
</pre>William A. Rowe Jr.2011-05-12T04:10:40Apache HTTP Server 2.3.11-Beta Released
http://comments.gmane.org/gmane.comp.apache.announce/54
<pre> Apache HTTP Server 2.3.11-beta Released
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.3.11-beta of the Apache HTTP
Server ("Apache"). This version of Apache is our initial Beta release
of Apache httpd 2.4 to test new technology and features that are incompatible
or too large for the stable 2.2.x branch. This Beta release should not be
presumed to be compatible with binaries built against any prior or future
version, although, as a Beta, the API is in a semi-frozen state.
Apache HTTP Server 2.3.11-beta is available for download from:
http://httpd.apache.org/download.cgi
Apache 2.3 offers numerous enhancements, improvements, and performance
boosts over the 2.2 codebase. For an overview of new features
introduced since 2.3 please see:
http://httpd.apache.org/docs/trunk/new_features_2_4.html
Please see the CHANGES_2.3 file, linked from the download page, for a
full list of changes.
This release includes the Apache Portable Runtime (APR) version 1.4.2
and APR-Util version 1.3.10 in a separate -deps tarball. The APR libraries
must be upgraded for all features of httpd to operate correctly.
This release builds on and extends the Apache 2.2 API. Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.3, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING
</pre>Jim Jagielski2011-03-07T14:00:15[ANNOUNCEMENT] Apache httpd 2.3.10-alpha released
http://comments.gmane.org/gmane.comp.apache.announce/53
<pre>The expected-to-be-final alpha release of Apache HTTP Server
(aka, Apache httpd) 2.3.10-alpha is now available for download,
test and use.
Based on user and developer feedback, the next release of the
next-gen version of Apache httpd will likely be our first beta.
The hope and expectation is to push for a quick beta cycle and
a 2.4.0 GA release around the beginning of 2011.
Apache httpd 2.3.10-alpha can be found at:
http://httpd.apache.org/
</pre>Jim Jagielski2010-12-22T13:22:16libapreq2-2.13 Released
http://comments.gmane.org/gmane.comp.apache.announce/52
<pre>
libapreq2-2.13 Released
The Apache Software Foundation and The Apache HTTP Server Project
are pleased to announce the 2.13 release of libapreq2. This
Announcement notes significant changes introduced by this release.
libapreq2-2.13 is released under the Apache License
version 2.0. It is now available through the ASF mirrors
http://httpd.apache.org/apreq/download.cgi
and has entered the CPAN as
file: $CPAN/authors/id/I/IS/ISAAC/libapreq2-2.13.tar.gz
size: 891320 bytes
md5: c11fb0861aa84dcc6cd0f0798b045eee
libapreq2 is an APR-based shared library used for parsing HTTP cookies,
query-strings and POST data. This package provides
1) version 2.8.0 of the libapreq2 library,
2) mod_apreq2, a filter module necessary for using libapreq2
within the Apache HTTP Server,
3) the Apache2::Request, Apache2::Cookie, and Apache2::Upload
perl modules for using libapreq2 with mod_perl2.
========================================================================
Changes with libapreq2-2.13 (released December 3, 2010)
- HTTP Only Cookie [Robert Stone & Adam Prime]
The C and Perl Cookie APIs now support an HttpOnly flag to tell
user agents to deny client-side script access to the cookie
</pre>issac< at >apache.org2010-12-03T11:52:12mod_fcgid 2.3.6 is released
http://comments.gmane.org/gmane.comp.apache.announce/51
<pre> The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.3.6 of mod_fcgid, a
FastCGI implementation for Apache HTTP Server versions 2.0, 2.2, and
future 2.4. This version of mod_fcgid is a bug fix release.
A fix is included for CVE-2010-3872, a potential vulnerability which
can affect sites with untrusted FastCGI applications.
Additionally, default configuration settings for request body handling
have been changed to prevent large system resource use. Administrators
of all versions of mod_fcgid are strongly cautioned to ensure that
FcgidMaxRequestLen is configured appropriately.
mod_fcgid is available for download from:
http://httpd.apache.org/download.cgi
A full list of changes in this release follows:
*) SECURITY: CVE-2010-3872 (cve.mitre.org)
Fix possible stack buffer overwrite. Diagnosed by the reporter.
PR 49406. [Edgar Frank <ef-lists email.de>]
*) Change the default for FcgidMaxRequestLen from 1GB to 128K.
Administrators should change this to an appropriate value based on
site requirements. [Jeff Trawick]
*) Allow FastCGI apps more time to exit at shutdown before being
forcefully killed. [Jeff Trawick]
*) Correct a problem that resulted in FcgidMaxProcesses being ignored
in some situations. PR 48981. [<rkosolapov gmail.com>]
*) Fix the search for processes with the proper vhost config when
ServerName isn't set in every vhost or a module updates
r->server->server_hostname dynamically (e.g., mod_vhost_cdb)
or a module updates r->server dynamically (e.g., mod_vhost_ldap).
[Jeff Trawick]
*) FcgidPassHeader now maps header names to environment variable names
in the usual manner: The header name is converted to upper case and
is prefixed with HTTP_. An additional environment variable is
created with the legacy name. PR 48964. [Jeff Trawick]
*) Allow processes to be reused within multiple phases of a request
by releasing them into the free list as soon as possible.
[Chris Darroch]
*) Fix lookup of process command lines when using FcgidWrapper or
access control directives, including within .htaccess files.
[Chris Darroch]
*) Resolve a regression in 2.3.5 with httpd 2.0.x on some Unix platforms;
ownership of mutex files was incorrect, resulting in a startup failure.
PR 48651. [Jeff Trawick, <pservit gmail.com>]
*) Return 500 instead of segfaulting when the application returns no output.
[Tatsuki Sugiura <sugi nemui.org>, Jeff Trawick]
*) In FCGI_AUTHORIZER role, avoid spawning a new process for every
different HTTP request. [Chris Darroch]
</pre>Jeff Trawick2010-11-07T21:43:40Apache HTTP Server 2.2.17 and 2.0.64 Released
http://comments.gmane.org/gmane.comp.apache.announce/50
<pre>
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.17 of the Apache HTTP
Server ("Apache"). This version of Apache is principally a bug fix
release, and a security fix release of the APR-util 1.3.10 dependency;
* SECURITY: CVE-2010-1623 (cve.mitre.org)
Fix a denial of service attack against apr_brigade_split_line().
* SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
Fix two buffer over-read flaws in the bundled copy of expat which
could cause httpd to crash while parsing specially-crafted
XML documents.
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.17 is available for download from:
http://httpd.apache.org/download.cgi
Apache HTTP Server 2.0.64 legacy release is also currently available,
with the same vulnerability correction as well as many others fixed in
2.2.16 and earlier releases. See the corresponding CHANGES files linked
from the download page. The Apache HTTP Project developers strongly
encourage all users to migrate to Apache 2.2, as only limited and less
frequent maintenance is provided for legacy versions.
Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features
introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html
Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.2.17 provides the
complete list of changes since 2.2.16. A summary of all of the security
vulnerabilities addressed in this and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html
This release includes the Apache Portable Runtime (APR) version 1.4.2
and APR Utility Library (APR-util) version 1.3.10, bundled with the tar
and zip distributions. The APR libraries libapr and libaprutil (and
on Win32, libapriconv version 1.2.1) must all be updated to ensure
binary compatibility and address many known security and platform bugs.
This release builds on and extends the Apache 2.0 API. Modules written
for Apache 2.0 will need to be recompiled in order to run with Apache
2.2, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
</pre>William A. Rowe Jr.2010-10-19T16:27:33Apache HTTP Server 2.2.17 and 2.0.64 Released
http://comments.gmane.org/gmane.comp.apache.announce/50
<pre>
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.17 of the Apache HTTP
Server ("Apache"). This version of Apache is principally a bug fix
release, and a security fix release of the APR-util 1.3.10 dependency;
* SECURITY: CVE-2010-1623 (cve.mitre.org)
Fix a denial of service attack against apr_brigade_split_line().
* SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
Fix two buffer over-read flaws in the bundled copy of expat which
could cause httpd to crash while parsing specially-crafted
XML documents.
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.17 is available for download from:
http://httpd.apache.org/download.cgi
Apache HTTP Server 2.0.64 legacy release is also currently available,
with the same vulnerability correction as well as many others fixed in
2.2.16 and earlier releases. See the corresponding CHANGES files linked
from the download page. The Apache HTTP Project developers strongly
encourage all users to migrate to Apache 2.2, as only limited and less
frequent maintenance is provided for legacy versions.
Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features
introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html
Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.2.17 provides the
complete list of changes since 2.2.16. A summary of all of the security
vulnerabilities addressed in this and earlier releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html
This release includes the Apache Portable Runtime (APR) version 1.4.2
and APR Utility Library (APR-util) version 1.3.10, bundled with the tar
and zip distributions. The APR libraries libapr and libaprutil (and
on Win32, libapriconv version 1.2.1) must all be updated to ensure
binary compatibility and address many known security and platform bugs.
This release builds on and extends the Apache 2.0 API. Modules written
for Apache 2.0 will need to be recompiled in order to run with Apache
2.2, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
</pre>William A. Rowe Jr.2010-10-19T16:27:33[ANNOUNCEMENT] Apache HTTP Server 2.3.8-alpha Released
http://comments.gmane.org/gmane.comp.apache.announce/49
<pre> Apache HTTP Server 2.3.8-alpha Released
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.3.8-alpha of the Apache HTTP
Server ("Apache"). This version of Apache is principally an alpha release
to test new technology and features that are incompatible or too large for
the stable 2.2.x branch. This alpha release should not be presumed to
be compatible with binaries built against any prior or future version.
This release is expected to be the last alpha release; subsequent releases
will be beta releases as we move towards 2.4.0-GA.
Apache HTTP Server 2.3.8-alpha is available for download from:
http://httpd.apache.org/download.cgi
Apache 2.3 offers numerous enhancements, improvements, and performance
boosts over the 2.2 codebase. For an overview of new features
introduced since 2.3 please see:
http://httpd.apache.org/docs/trunk/new_features_2_4.html
Please see the CHANGES_2.3 file, linked from the download page, for a
full list of changes.
This release includes the Apache Portable Runtime (APR) version 1.4.2
and APR-Util version 1.3.9 in a separate -deps tarball. The APR libraries
must be upgraded for all features of httpd to operate correctly.
This release builds on and extends the Apache 2.2 API. Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.3, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING
</pre>Jim Jagielski2010-08-31T14:16:12[ANNOUNCEMENT] Apache HTTP Server 2.3.6-alpha Released
http://comments.gmane.org/gmane.comp.apache.announce/48
<pre> Apache HTTP Server 2.3.6-alpha Released
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.3.6-alpha of the Apache HTTP
Server ("Apache"). This version of Apache is principally an alpha release
to test new technology and features that are incompatible or too large for
the stable 2.2.x branch. This alpha release should not be presumed to
be compatible with binaries built against any prior or future version.
Apache HTTP Server 2.3.6-alpha is available for download from:
http://httpd.apache.org/download.cgi
Apache 2.3 offers numerous enhancements, improvements, and performance
boosts over the 2.2 codebase. For an overview of new features
introduced since 2.3 please see:
http://httpd.apache.org/docs/trunk/new_features_2_4.html
Please see the CHANGES_2.3 file, linked from the download page, for a
full list of changes.
This release includes the Apache Portable Runtime (APR) version 1.4.2
and APR-Util version 1.3.9 in a separate -deps tarball. The APR libraries
must be upgraded for all features of httpd to operate correctly.
This release builds on and extends the Apache 2.2 API. Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.3, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING
</pre>Jim Jagielski2010-06-21T16:20:41[advisory] httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068
http://comments.gmane.org/gmane.comp.apache.announce/47
<pre>Vulnerability; httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068
Classification; important
Description;
A timeout detection flaw in the httpd mod_proxy_http module causes
proxied response to be sent as the response to a different request,
and potentially served to a different client, from the HTTP proxy
pool worker pipeline.
This may represent a confidential data revealing flaw.
This affects only Netware, Windows or OS2 builds of httpd version
2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha, when the proxy
worker pools have been enabled. Earlier 2.2, 2.0 and 1.3 releases
were not affected.
Acknowledgements;
We would like to thank Loren Anderson for the thorough research
and reporting of this flaw.
Mitigation;
Apply any one of the following mitigations to avert the possibility
of confidential information disclosure.
* Do not load mod_proxy_http.
* Do not configure/enable any http proxy worker pools with ProxySet
or ProxyPass optional arguments.
* The straightforward workaround to disable mod_proxy_http's reuse
of backend connection pipelines is to set the following global
directive;
SetEnv proxy-nokeepalive 1
* Replace mod_proxy_http.so with a patched version, for source code
see http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/ or
http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/ and for
binaries see the http://www.apache.org/dist/httpd/binaries/ tree
for win32 or netware, as appropriate.
* Upgrade to Apache httpd 2.2.16 or higher, once released. There
is no tentative release date scheduled.
Update Released; 11th June 2010
</pre>William A. Rowe Jr.2010-06-11T19:49:17Apache HTTP Server (httpd) 2.2.15 Released
http://comments.gmane.org/gmane.comp.apache.announce/46
<pre>The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release and immediate availability of version
2.2.15 of the Apache HTTP Server ("httpd"). This version of httpd is
principally a security and bug fix release.
Notably, this release was updated to reflect the OpenSSL Project's
release 0.9.8m of the openssl library, and addresses CVE-2009-3555
(cve.mitre.org), the TLS renegotiation prefix injection attack.
This release further addresses the issues CVE-2010-0408, CVE-2010-0425
and CVE-2010-0434 within mod_proxy_ajp, mod_isapi and mod_headers
respectively.
We consider this release to be the best version of httpd available, and
encourage users of all prior versions to upgrade.
Apache HTTP Server 2.2.15 is available for download from:
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.2.15 provides the
complete list of changes since 2.2.14. A summary of security
vulnerabilities which were addressed in the previous 2.2.14 and earlier
releases is available:
http://httpd.apache.org/security/vulnerabilities_22.html
Apache HTTP Server 2.2.15 is compatible with Apache Portable Runtime
(APR) versions 1.3 and 1.4, APR-util library version 1.3, and
APR-iconv library version 1.2. The most current releases should
be used to address known security and platform bugs. At the time of
this httpd release, the recommended APR releases are:
* Apache Portable Runtime (APR) library version 1.4.2 (bundled),
or at minimum, version 1.3.12
* ARR-util library version 1.3.9 (bundled)
* APR-iconv library version 1.2.1 (only bundled in win32-src.zip)
Older releases of these libraries have known vulnerabilities or other
defects affecting httpd. For further information and downloads, visit:
http://apr.apache.org/
Apache HTTP Server 2.2 offers numerous enhancements, bug fixes, and
performance enhancements over the 2.0 codebase. For an overview of
new features introduced since 2.0 please see:
http://httpd.apache.org/docs/2.2/new_features_2_2.html
This release builds upon and extends the httpd 2.0 API. Modules written
for httpd 2.0 will need to be recompiled in order to run with httpd 2.2,
and may require minimal or no source code changes.
When upgrading or installing this version of httpd, please bear in mind
that if you intend to use httpd with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
</pre>William A. Rowe Jr.2010-03-06T20:35:23Apache HTTP Server 1.3.42 released (final release of 1.3.x)
http://comments.gmane.org/gmane.comp.apache.announce/45
<pre>
Apache HTTP Server 1.3.42 Released
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 1.3.42 of the Apache HTTP
Server ("Apache"). This release is intended as the final release of
version 1.3 of the Apache HTTP Server, which has reached end of life
status.
There will be no more full releases of Apache HTTP Server 1.3.
However, critical security updates may be made available from the
following website:
http://www.apache.org/dist/httpd/patches/
Our thanks go to everyone who has helped make Apache HTTP Server 1.3
the most successful, and most used, webserver software on the planet!
This Announcement notes the significant changes in
1.3.42 as compared to 1.3.41.
This version of Apache is is principally a bug and security fix release.
The following moderate security flaw has been addressed:
* CVE-2010-0010 (cve.mitre.org)
mod_proxy: Prevent chunk-size integer overflow on platforms
where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.
Please see the CHANGES_1.3.42 file in this directory for a full list
of changes for this version.
Apache 1.3.42 is the final stable release of the Apache 1.3 family. We
strongly recommend that users of all earlier versions, including 1.3
family releases, upgrade to to the current 2.2 version as soon as possible.
For information about how to upgrade, please see the documentation:
http://httpd.apache.org/docs/2.2/upgrading.html
Apache 1.3.42 is available for download from
http://httpd.apache.org/download.cgi
This service utilizes the network of mirrors listed at:
http://www.apache.org/mirrors/
Binary distributions may be available for your specific platform from
http://www.apache.org/dist/httpd/binaries/
Binaries distributed by the Apache HTTP Server Project are provided as a
courtesy by individual project contributors. The project makes no
commitment to release the Apache HTTP Server in binary form for any
particular platform, nor on any particular schedule.
IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS
variants. While the ports to non-Unix platforms (such as Win32, Netware or
OS2) will function for some applications, Apache 1.3 is not designed for
these platforms. Apache 2 was designed from the ground up for security,
stability, or performance issues across all modern operating systems.
Users of any non-Unix ports are strongly cautioned to move to Apache 2.
The Apache project no longer distributes non-Unix platform binaries from
the main download pages for Apache 1.3. If absolutely necessary, a binary
may be available at http://archive.apache.org/dist/httpd/.
Apache 1.3.42 Major changes
Security vulnerabilities
The main security vulnerabilities addressed in 1.3.42 are:
*) SECURITY: CVE-2010-0010 (cve.mitre.org)
mod_proxy: Prevent chunk-size integer overflow on platforms
where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.
Bugfixes addressed in 1.3.42 are:
*) Protect logresolve from mismanaged DNS records that return
blank/null hostnames.
</pre>Colm MacCarthaigh2010-02-03T00:03:34Apache HTTP Server 2.3.5-alpha Released
http://comments.gmane.org/gmane.comp.apache.announce/44
<pre>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Apache HTTP Server 2.3.5-alpha Released
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.3.5-alpha of the Apache HTTP
Server ("Apache"). This version of Apache is principally an alpha release
to test new technology and features that are incompatible or too large for
the stable 2.2.x branch. This alpha release should not be presumed to
be compatible with binaries built against any prior or future version.
Apache HTTP Server 2.3.5-alpha is available for download from:
http://httpd.apache.org/download.cgi
Apache 2.3 offers numerous enhancements, improvements, and performance
boosts over the 2.2 codebase. For an overview of new features
introduced since 2.3 please see:
http://httpd.apache.org/docs/trunk/new_features_2_4.html
Please see the CHANGES_2.3 file, linked from the download page, for a
full list of changes.
This release includes the Apache Portable Runtime (APR) version 1.4.2
and APR-Util version 1.3.9 in a separate -deps tarball. The APR libraries
must be upgraded for all features of httpd to operate correctly.
This release builds on and extends the Apache 2.2 API. Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.3, and require minimal or no source code changes.
http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAkth7HAACgkQ94h19kJyHwDjxwCeP4E1Xpts6XJO3wua1Hm2Ds8A
hi0An2MCpiAdVGKQLjrK5ixxzaAq1kIg
=+YL2
-----END PGP SIGNATURE-----
</pre>Paul Querna2010-01-28T19:59:37Search EngineSearch the mailing list at Gmanequery
http://search.gmane.org/?group=$group=gmane.comp.apache.announce