Commit 4c5be72f authored by Jim Jagielski's avatar Jim Jagielski

Work on announcement


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@396531 13f79535-47bb-0310-9956-ffa450edef68
parent 575d77b0
+28 −41

                   Apache HTTP Server 1.3.34 Released
                   Apache HTTP Server 1.3.35 Released

   The Apache Software Foundation and The Apache HTTP Server Project are
   pleased to announce the release of version 1.3.34 of the Apache HTTP
   Server ("Apache").  This Announcement notes the significant changes
   in 1.3.34 as compared to 1.3.33.

   The Announcement is also available in German and Japanese from:

        http://www.apache.org/dist/httpd/Announcement.txt.de
        http://www.apache.org/dist/httpd/Announcement.txt.ja
   in 1.3.35 as compared to 1.3.34.

   This version of Apache is principally a bug and security fix release.
   A partial summary of the bug fixes is given at the end of this document.
   A full listing of changes can be found in the CHANGES file.  Of
   particular note is that 1.3.34 addresses and fixes 2 potential
   security issues:

     o If a request contains both Transfer-Encoding and 
       Content-Length headers, remove the Content-Length, mitigating some 
       HTTP Request Splitting/Spoofing attacks.
   particular note is that 1.3.35 addresses and fixes 1 potential
   security issue:

     o Added TraceEnable [on|off|extended] per-server directive to alter
       the behavior of the TRACE method.
     o CVE-2005-3352 (cve.mitre.org)
       mod_imap: Escape untrusted referer header before outputting in HTML
       to avoid potential cross-site scripting.  Change also made to
       ap_escape_html so we escape quotes.  Reported by JPCERT

   We consider Apache 1.3.34 to be the best version of Apache 1.3 available
   We consider Apache 1.3.35 to be the best version of Apache 1.3 available
   and we strongly recommend that users of older versions, especially of
   the 1.1.x and 1.2.x family, upgrade as soon as possible.  No further
   releases will be made in the 1.2.x family.
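Review bot: The CVE-2005-3352 bullet in the intro ("Reported by JPCERT") lacks the terminating period that its duplicate under "Security vulnerabilities" carries ("Reported by JPCERT."); since the two copies of this text are otherwise identical, keep them byte-for-byte the same so later edits to one are not missed in the other. Consider also pointing readers at the full advisory text rather than only "(cve.mitre.org)", as the escaping change is the single security fix the announcement advertises and is the main reason a 1.3.34 user would upgrade.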
@@ -72,33 +65,25 @@
   non-Unix ports do not generally apply to the Unix version, due to
   software's Unix origin.

   Apache 2.0 has been structured for multiple operating systems from its 
   Apache 2.0/2.2 has been structured for multiple operating systems from its 
   inception, by introducing the Apache Portability Library and MPM modules.
   Users on Unix and non-Unix platforms are strongly encouraged to move up to 
   Apache 2.0 for better performance, stability and security on their
   platforms. We consider Apache 2.0.55 to be the best available version at
   the time of this release.  We offer Apache 1.3.34 as the best legacy
   version of Apache 1.3 available, and strongly recommend that users who
   require compatibility with existing Apache 1.3 installations should
   Apache 2.0/2.2 for better performance, stability and security on their
   platforms. We consider Apache 2.0.57 and 2.2.2 to be the best available
   versions at the time of this release.  We offer Apache 1.3.35 as the best
   legacy  version of Apache 1.3 available, and strongly recommend that users
   who require compatibility with existing Apache 1.3 installations should
   upgrade as soon as possible.  Users should first consider upgrading to
   the current release of Apache 2 instead.

                     Apache 1.3.34 Major changes
                     Apache 1.3.35 Major changes

  Security vulnerabilities

     * SECURITY: core: If a request contains both Transfer-Encoding and 
       Content-Length headers, remove the Content-Length, mitigating some 
       HTTP Request Splitting/Spoofing attacks.  This has no impact on
       mod_proxy_http, yet affects any module which supports chunked
       encoding yet fails to prefer T-E: chunked over the Content-Length
       purported value.

     * Added TraceEnable [on|off|extended] per-server directive to alter
       the behavior of the TRACE method.  This addresses a flaw in proxy
       conformance to RFC 2616 - previously the proxy server would accept
       a TRACE request body although the RFC prohibited it.  The default
       remains 'TraceEnable on'.
     * SECURITY: CVE-2005-3352 (cve.mitre.org)
       mod_imap: Escape untrusted referer header before outputting in HTML
       to avoid potential cross-site scripting.  Change also made to
       ap_escape_html so we escape quotes.  Reported by JPCERT.

  New features

@@ -108,13 +93,15 @@

   New features that relate to all platforms:

     * None
     * core: Allow usage of the "Include" configuration directive within
       previously "Include"d files. [Colm MacCarthaigh]

  Bugs fixed

   The following noteworthy bugs were found in Apache 1.3.33 (or earlier)
   and have been fixed in Apache 1.3.34:
   The following noteworthy bugs were found in Apache 1.3.34 (or earlier)
   and have been fixed in Apache 1.3.35:

     * HTML-escape the Expect error message.

     * hsregex: fix potential core dumping on 64 bit machines, such as
       AMD64. PR 31858.
     * mod_digest: Fix another nonce string calculation issue.
     * mod_cgi: Remove block on OPTIONS method so that scripts can
     respond to OPTIONS directly rather than via server default.
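Review bot: The continuation line of the mod_cgi bullet ("respond to OPTIONS directly ...") is indented two columns less than the other continuation lines in this list (compare the hsregex entry), which breaks the visual alignment of the bug list. The mod_digest entry "Fix another nonce string calculation issue" is also too vague for an administrator to judge whether it affects them; the hsregex entry cites "PR 31858", so a matching PR or CHANGES reference here would let readers look up the details.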