Get ready to tag 1.3.36 (18efb977) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP Apache Httpd

Announcement

+27 −29

Original line number	Diff line number	Diff line

		Apache HTTP Server 1.3.35 Released
		Apache HTTP Server 1.3.36 Released

		The Apache Software Foundation and The Apache HTTP Server Project are
		pleased to announce the release of version 1.3.35 of the Apache HTTP
		Server ("Apache"). This Announcement notes the significant changes
		in 1.3.35 as compared to 1.3.34.
		pleased to announce the release of version 1.3.36 of the Apache HTTP
		Server ("Apache"). This Announcement notes the significant change
		in 1.3.36 as compared to 1.3.35.

		This version of Apache is principally a bug and security fix release.
		A partial summary of the bug fixes is given at the end of this document.
		This version of Apache is principally a bug fix release. A partial
		summary of the bug fixes is given at the end of this document.
		A full listing of changes can be found in the CHANGES file. Of
		particular note is that 1.3.35 addresses and fixes 1 potential
		security issue:
		particular note is that 1.3.36 addresses and fixes 1 major
		regression introduced in 1.3.35:

		o CVE-2005-3352 (cve.mitre.org)
		mod_imap: Escape untrusted referer header before outputting in HTML
		to avoid potential cross-site scripting. Change also made to
		ap_escape_html so we escape quotes. Reported by JPCERT
		o Use of wildcards in the "Include" directive now works
		again. The new feature introduced in 1.3.35 (Allow usage
		of the "Include" configuration directive within
		previously "Include"d files) has been removed in
		the meantime.

		We consider Apache 1.3.35 to be the best version of Apache 1.3 available
		We consider Apache 1.3.36 to be the best version of Apache 1.3 available
		and we strongly recommend that users of older versions, especially of
		the 1.1.x and 1.2.x family, upgrade as soon as possible. No further
		releases will be made in the 1.2.x family.

		Apache 1.3.35 is available for download from:
		Apache 1.3.36 is available for download from:

		http://httpd.apache.org/download.cgi

		@@ -69,21 +70,18 @@
		inception, by introducing the Apache Portability Library and MPM modules.
		Users on Unix and non-Unix platforms are strongly encouraged to move up to
		Apache 2.0/2.2 for better performance, stability and security on their
		platforms. We consider Apache 2.0.57 and 2.2.2 to be the best available
		versions at the time of this release. We offer Apache 1.3.35 as the best
		platforms. We consider Apache 2.0.58 and 2.2.2 to be the best available
		versions at the time of this release. We offer Apache 1.3.36 as the best
		legacy version of Apache 1.3 available, and strongly recommend that users
		who require compatibility with existing Apache 1.3 installations should
		upgrade as soon as possible. Users should first consider upgrading to
		the current release of Apache 2 instead.

		Apache 1.3.35 Major changes
		Apache 1.3.36 Major changes

		Security vulnerabilities

		* SECURITY: CVE-2005-3352 (cve.mitre.org)
		mod_imap: Escape untrusted referer header before outputting in HTML
		to avoid potential cross-site scripting. Change also made to
		ap_escape_html so we escape quotes. Reported by JPCERT.
		* None

		New features

		@@ -93,15 +91,15 @@

		New features that relate to all platforms:

		* core: Allow usage of the "Include" configuration directive within
		previously "Include"d files. [Colm MacCarthaigh]
		* None

		Bugs fixed

		The following noteworthy bugs were found in Apache 1.3.34 (or earlier)
		and have been fixed in Apache 1.3.35:

		* HTML-escape the Expect error message.
		The following noteworthy bug(s) were found in Apache 1.3.35 (or earlier)
		and have been fixed in Apache 1.3.36:

		* mod_cgi: Remove block on OPTIONS method so that scripts can
		respond to OPTIONS directly rather than via server default.
		* Reverted SVN rev #396294 due to unwanted regression.
		The new feature introduced in 1.3.35 (Allow usage of the
		"Include" configuration directive within previously "Include"d
		files) has been removed in the meantime.
		(http://svn.apache.org/viewcvs?rev=396294&view=rev)

STATUS

+1 −1

Original line number	Diff line number	Diff line
		@@ -3,7 +3,7 @@ APACHE 1.3 STATUS: --text--

		Release:

		1.3.36: In development. Jim plans to T&R May 12.
		1.3.36: Tagged May 14, 2006.
		1.3.35: Tagged April 24, 2006. Announced May 1, 2006.
		1.3.34: Tagged October 13, 2005. Announced October 18, 2005.
		1.3.33: Tagged October 27, 2004. Announced October 29, 2004.

src/CHANGES

+3 −0

Original line number	Diff line number	Diff line
		Changes with Apache 1.3.36

		*) Reverted SVN rev #396294 due to unwanted regression.
		The new feature introduced in 1.3.35 (Allow usage of the
		"Include" configuration directive within previously "Include"d
		files) has been removed in the meantime.
		(http://svn.apache.org/viewcvs?rev=396294&view=rev)

		Changes with Apache 1.3.35

src/include/httpd.h

+2 −2

Original line number	Diff line number	Diff line
		@@ -388,7 +388,7 @@ extern "C" {

		#define SERVER_BASEVENDOR "Apache Group"
		#define SERVER_BASEPRODUCT "Apache"
		#define SERVER_BASEREVISION "1.3.36-dev"
		#define SERVER_BASEREVISION "1.3.36"
		#define SERVER_BASEVERSION SERVER_BASEPRODUCT "/" SERVER_BASEREVISION

		#define SERVER_PRODUCT SERVER_BASEPRODUCT
		@@ -409,7 +409,7 @@ API_EXPORT(const char *) ap_get_server_built(void);
		* Always increases along the same track as the source branch.
		* For example, Apache 1.4.2 would be '10402100', 2.5b7 would be '20500007'.
		*/
		#define APACHE_RELEASE 10336000
		#define APACHE_RELEASE 10336100

		#define SERVER_PROTOCOL "HTTP/1.1"
		#ifndef SERVER_SUPPORT