Nabble - Apache HTTP Server - Announce

[ANNOUNCEMENT] Apache HTTP Server 2.2.10 Released

2008-10-31T04:52:46Z

Apache HTTP Server 2.2.10 Released

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.10 of the Apache HTTP
Server ("Apache"). This version of Apache is principally a bug and
security fix release. The following potential security flaws are
addressed:

* CVE-2008-2939 (cve.mitre.org)
mod_proxy_ftp: Prevent XSS attacks when using wildcards in the
path of the FTP URL. Discovered by Marc Bevand of Rapid7.

We consider this release to be the best version of Apache
available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.10 is available for download from:

http://httpd.apache.org/download.cgi

Apache 2.2 offers numerous enhancements, improvements, and
performance
boosts over the 2.0 codebase. For an overview of new features
introduced since 2.0 please see:

http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.2.10 provides the
complete list of changes since 2.2.9. A summary of security
vulnerabilities which were addressed in the previous 2.2.9 and
earlier
releases is available:

http://httpd.apache.org/security/vulnerabilities_22.html

Apache HTTP Server 1.3.41 and 2.0.63 legacy releases are also
currently
available. See the appropriate CHANGES from the url above. See the
corresponding CHANGES files linked from the download page. The
Apache
HTTP Project developers strongly encourage all users to migrate to
Apache 2.2, as only limited maintenance is performed on these legacy
versions.

This release includes the Apache Portable Runtime (APR) version 1.3.0
bundled with the tar and zip distributions. The APR libraries libapr
and libaprutil (and on Win32, libapriconv) must all be updated to
ensure
binary compatibility and address many known platform bugs.

This release builds on and extends the Apache 2.0 API. Modules
written
for Apache 2.0 will need to be recompiled in order to run with Apache
2.2, and require minimal or no source code changes.

http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

When upgrading or installing this version of Apache, please bear in
mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.

[ANNOUNCEMENT] Apache HTTP Server 2.2.9 Released

2008-06-14T04:49:09Z

Apache HTTP Server 2.2.9 Released

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.9 of the Apache HTTP
Server
("Apache"). This version of Apache is principally a bug and
security fix
release. The following potential security flaws are addressed:

* CVE-2008-2364 (cve.mitre.org)
mod_proxy_http: Better handling of excessive interim responses
from origin server to prevent potential denial of service and high
memory usage. Reported by Ryujiro Shibuya.

* CVE-2007-6420 (cve.mitre.org)
mod_proxy_balancer: Prevent CSRF attacks against the balancer-
manager
interface.

We consider this release to be the best version of Apache available,
and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.9 is available for download from:

http://httpd.apache.org/download.cgi

Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features
introduced
since 2.0 please see:

http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.2.9 provides the
complete list of changes since 2.2.8. A summary of security
vulnerabilities
which were addressed in the previous 2.2.8 and earlier releases is
available:

http://httpd.apache.org/security/vulnerabilities_22.html

Apache HTTP Server 1.3.41 and 2.0.63 legacy releases are also
currently
available. See the appropriate CHANGES from the url above. See the
corresponding CHANGES files linked from the download page. The Apache
HTTP Project developers strongly encourage all users to migrate to
Apache 2.2, as only limited maintenance is performed on these legacy
versions.

This release includes the Apache Portable Runtime (APR) version 1.3.0
bundled with the tar and zip distributions. The APR libraries libapr
and libaprutil (and on Win32, libapriconv) must all be updated to
ensure
binary compatibility and address many known platform bugs.

This release builds on and extends the Apache 2.0 API. Modules
written
for Apache 2.0 will need to be recompiled in order to run with
Apache 2.2,
and require minimal or no source code changes.

http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/
VERSIONING

When upgrading or installing this version of Apache, please bear in
mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using
(and the libraries they depend on) are thread-safe.

ApacheCon Europe Live Video Streaming - Apache 3.0 Keynote by Roy Fielding

2008-04-08T05:23:17Z

ApacheCon Europe 2008 takes place 7-11 April in Amsterdam.

http://www.eu.apachecon.com/

For those of you who can't make it to Amsterdam, there's the Live
Video Streaming! Especially the Apache 3.0 keynote by Roy Fielding
may be of interest to Apache HTTP Server users (see below).

The following select tracks of ApacheCon will be available with the live
video streaming:

- Wednesday, 9 April: System Administration
- Thursday, 10 April: Web Security
- Friday, 11 April: Web Services and Web 2.0

In addition the following keynote sessions will be broadcasted
(free of charge):

- State of the Feather
Jim Jagielski, Chairman of the Apache Software Foundation,
Wednesday, 9 April, 09:00 CEST

- Using Audio Technology and Open Content to Reduce Global Illiteracy,
Poverty and Disease
Cliff Schmidt, Executive Director of Literacy Bridge,
Wednesday, 9 April, 09:30 CEST

- Apache and Steam Engines: the Magic of Collaborative Innovation
Rishab Aiyer Ghosh, Open Source Initiative Board Member,
Thursday, 10 April, 11:30 CEST

- Apache 3.0 (a Tall Tale)
Roy Fielding, Co-founder of The Apache Software Foundation,
and Vice President, Apache HTTP Server,
Friday, 11 April, 16:30 CEST

All keynote sessions are available free of charge and for all other
sessions the registration cost is just 99 Euro.

http://streaming.linux-magazin.de/en/program_apachecon08.htm

Enjoy the sessions!
--
Lars Eilebrecht
lars@...

[ANNOUNCEMENT] Apache HTTP Server 2.2.8 (2.0.63, 1.3.41) Released

2008-01-19T09:02:26Z

Apache HTTP Server 2.2.8 Released

The Apache Software Foundation and the Apache HTTP Server Project
are
pleased to announce the release of version 2.2.8 of the Apache
HTTP Server
("Apache"). This version of Apache is principally a bug and
security fix
release. The following potential security flaws are addressed:

* CVE-2007-6421 (cve.mitre.org)
mod_proxy_balancer: Correctly escape the worker route and the
worker
redirect string in the HTML output of the balancer manager.
Reported by SecurityReason.

A flaw was found in the mod_proxy_balancer module. On sites
where
mod_proxy_balancer is enabled, a cross-site scripting attack
against
an authorized user is possible.

* CVE-2007-6422 (cve.mitre.org)
Prevent crash in balancer manager if invalid balancer name is
passed
as parameter. Reported by SecurityReason.

A flaw was found in the mod_proxy_balancer module. On sites
where
mod_proxy_balancer is enabled, an authorized user could send a
carefully crafted request that would cause the Apache child
process
handling that request to crash. This could lead to a denial of
service if using a threaded Multi-Processing Module.

* CVE-2007-6388 (cve.mitre.org)
mod_status: Ensure refresh parameter is numeric to prevent
a possible XSS attack caused by redirecting to other URLs.
Reported by SecurityReason.

A flaw was found in the mod_status module. On sites where
mod_status
is enabled and the status pages were publicly accessible, a
cross-site scripting attack is possible. Note that the server-
status
page is not enabled by default and it is best practice to not
make
this publicly available.

* CVE-2007-5000 (cve.mitre.org)
mod_imagemap: Fix a cross-site scripting issue. Reported by
JPCERT.

A flaw was found in the mod_imap module. On sites where
mod_imap is enabled and an imagemap file is publicly
available, a
cross-site scripting attack is possible.

We consider this release to be the best version of Apache
available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.8 is available for download from:

http://httpd.apache.org/download.cgi

Apache 2.2 offers numerous enhancements, improvements, and
performance
boosts over the 2.0 codebase. For an overview of new features
introduced
since 2.0 please see:

http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page,
for a
full list of changes. A condensed list, CHANGES_2.2.8 provides the
complete list of changes since 2.2.6 (2.2.7 was not released). A
summary
of security vulnerabilities which were addressed in the previous
2.2.6
and earlier releases is available:

http://httpd.apache.org/security/vulnerabilities_22.html

Apache HTTP Server 1.3.41 and 2.0.63 legacy releases are also
currently
available. See the appropriate CHANGES from the url above. See the
corresponding CHANGES files linked from the download page. The
Apache
HTTP Project developers strongly encourage all users to migrate to
Apache 2.2, as only limited maintenance is performed on these legacy
versions.

This release includes the Apache Portable Runtime (APR) version
1.2.12
bundled with the tar and zip distributions. The APR libraries
libapr
and libaprutil (and on Win32, libapriconv) must all be updated to
ensure
binary compatibility and address many known platform bugs.

This release builds on and extends the Apache 2.0 API. Modules
written
for Apache 2.0 will need to be recompiled in order to run with
Apache 2.2,
and require minimal or no source code changes.

http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/
VERSIONING

When upgrading or installing this version of Apache, please bear
in mind
that if you intend to use Apache with one of the threaded MPMs
(other
than the Prefork MPM), you must ensure that any modules you will
be using
(and the libraries they depend on) are thread-safe.

[ANNOUNCEMENT] Apache HTTP Server 2.0.63 (2.2.8, 1.3.41) Released

2008-01-19T09:02:21Z

Apache HTTP Server 2.0.63 Released

The Apache Software Foundation and the Apache HTTP Server Project
are
pleased to announce the legacy release of version 2.0.63 of the
Apache
HTTP Server ("Apache"). This Announcement notes the significant
changes in
2.0.63 as compared to 2.0.61 (2.0.62 was not released). This
Announcement2.0 document may also be available in multiple
languages at:

http://www.apache.org/dist/httpd/

This version of Apache is principally a bug and security fix
release. The
following potential security flaws are addressed:

* CVE-2007-6388 (cve.mitre.org)
mod_status: Ensure refresh parameter is numeric to prevent
a possible XSS attack caused by redirecting to other URLs.
Reported by SecurityReason.

A flaw was found in the mod_status module. On sites where
mod_status
is enabled and the status pages were publicly accessible, a
cross-site scripting attack is possible. Note that the server-
status
page is not enabled by default and it is best practice to not
make
this publicly available.

* CVE-2007-5000 (cve.mitre.org)
mod_imagemap: Fix a cross-site scripting issue. Reported by
JPCERT.

A flaw was found in the mod_imap module. On sites where
mod_imap is enabled and an imagemap file is publicly
available, a
cross-site scripting attack is possible.

Please see the CHANGES_2.0.63 file in this directory for a full list
of changes for this version.

This release is compatible with modules compiled for 2.0.42 and
later
versions. We consider this release to be the best version of
Apache 2.0
available and encourage users of all prior versions to upgrade.

This release includes the Apache Portable Runtime library suite
release
version 0.9.17, bundled with the tar and zip distributions. These
libraries; libapr, libaprutil, and on Win32, libapriconv must all be
updated to ensure binary compatibility and address many known
platform
bugs.

Apache HTTP Server 2.0.63 is available for download from

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.0 file, linked from the above page, for
a full
list of changes. A condensed list, CHANGES_2.0.63 provides the
complete
list of changes since 2.0.61.

Apache 2.0 offers numerous enhancements, improvements, and
performance
boosts over the 1.3 codebase. For an overview of new features
introduced
after 1.3 please see

http://httpd.apache.org/docs/2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep
in mind
the following: If you intend to use Apache with one of the
threaded MPMs,
you must ensure that the modules (and the libraries they depend
on) that
you will be using are thread-safe. Please refer to the
documentation of
these modules and libraries to obtain this information.

Apache 2.2 offers numerous enhancements, improvements, and
performance
boosts over the 2.0 codebase. For an overview of new features
introduced
after 2.0 please see

http://httpd.apache.org/docs/2.2/new_features_2_2.html

We consider Apache 2.2 to be the best available version at the
time of
this release. We offer Apache 2.0.63 as the best legacy version
of Apache
2.0 available. Users should first consider upgrading to the current
release of Apache 2.2 instead.

[ANNOUNCEMENT] Apache HTTP Server 1.3.41 (2.2.8, 2.0.63) Released

2008-01-19T09:02:17Z

Apache HTTP Server 1.3.41 Released

The Apache Software Foundation and the Apache HTTP Server Project
are
pleased to announce the release of version 1.3.41 of the Apache HTTP
Server ("Apache"). This Announcement notes the significant
changes in
1.3.41 as compared to 1.3.39 (1.3.40 was not released).

This version of Apache is is principally a bug and security fix
release.
The following potential security flaws are addressed:

* CVE-2007-6388 (cve.mitre.org)
mod_status: Ensure refresh parameter is numeric to prevent
a possible XSS attack caused by redirecting to other URLs.
Reported by SecurityReason.

A flaw was found in the mod_status module. On sites where
mod_status
is enabled and the status pages were publicly accessible, a
cross-site scripting attack is possible. Note that the server-
status
page is not enabled by default and it is best practice to not
make
this publicly available.

* CVE-2007-5000 (cve.mitre.org)
mod_imap: Fix cross-site scripting issue. Reported by JPCERT.

A flaw was found in the mod_imap module. On sites where
mod_imap is enabled and an imagemap file is publicly
available, a
cross-site scripting attack is possible.

* CVE-2007-3847 (cve.mitre.org)
mod_proxy: Prevent reading past the end of a buffer when parsing
date-related headers. PR 41144.
With Apache 1.3, the denial of service vulnerability applies
only
to the Windows and NetWare platforms.

Please see the CHANGES_1.3.41 file in this directory for a full list
of changes for this version.

Apache 1.3.41 is the current stable release of the Apache 1.3
family. We
strongly recommend that users of all earlier versions, including 1.3
family release, upgrade to to the current 2.2 version as soon as
possible.

We recommend Apache 1.3.41 version for users who require a third
party
module that is not yet available as an Apache 2.x module. Modules
compiled
for Apache 2.x are not compatible with Apache 1.3, and modules
compiled
for Apache 1.3 are not compatible with Apache 2.x.

Apache 1.3.41 is available for download from

http://httpd.apache.org/download.cgi

This service utilizes the network of mirrors listed at:

http://www.apache.org/mirrors/

Binary distributions may be available for your specific platform
from

http://www.apache.org/dist/httpd/binaries/

Binaries distributed by the Apache HTTP Server Project are
provided as a
courtesy by individual project contributors. The project makes no
commitment to release the Apache HTTP Server in binary form for any
particular platform, nor on any particular schedule.

IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS
variants. While the ports to non-Unix platforms (such as Win32,
Netware or
OS2) will function for some applications, Apache 1.3 is not
designed for
these platforms. Apache 2 was designed from the ground up for
security,
stability, or performance issues across all modern operating
systems.
Users of any non-Unix ports are strongly cautioned to move to
Apache 2.

The Apache project no longer distributes non-Unix platform
binaries from
the main download pages for Apache 1.3. If absolutely necessary,
a binary
may be available at http://archive.apache.org/dist/httpd/.

Apache is the most popular web server in the known universe;
about 2/3 of
the servers on the Internet run Apache HTTP Server, or one of its
variants.

Apache 1.3.41 Major changes

Security vulnerabilities

The main security vulnerabilities addressed in 1.3.41 are:

CVE-2007-6388 (cve.mitre.org)
mod_status: Ensure refresh parameter is numeric to prevent
a possible XSS attack caused by redirecting to other URLs.
Reported by SecurityReason.

CVE-2007-5000 (cve.mitre.org)
mod_imap: Fix cross-site scripting issue. Reported by JPCERT.

CVE-2007-3847 (cve.mitre.org)
mod_proxy: Prevent reading past the end of a buffer when parsing
date-related headers. PR 41144.
With Apache 1.3, the denial of service vulnerability applies only
to the Windows and NetWare platforms.

Bugfixes addressed in 1.3.41 are:

More efficient implementation of the CVE-2007-3304 PID table
patch. This fixes issues with excessive memory usage by the
parent process if long-running and with a high number of child
process forks during that timeframe. Also fixes bogus "Bad pid"
errors.

Apache Portable Runtime 1.2.12 Released

2007-11-26T14:09:32Z

Apache Portable Runtime 1.2.12 Released

The Apache Software Foundation and the Apache Portable Runtime
Project are proud to announce the General Availability of
version 1.2.12 of the APR Apache Portable Runtime library.

The Project further announces the General Availability of APR-util
version 1.2.12, the companion Apache Portable Utility library,
and APR-iconv version 1.2.1, an alternative portable implementation
of the 'iconv' library.

In conjunction with this release, the project also announces the
General Availability of legacy version 0.9.17 release of the older
APR 0.x library. Corresponding versions of its companion libraries
APR-util version 0.9.15 and APR-iconv version 0.9.7 remain current.

APR is available for download from:

http://apr.apache.org/download.cgi

This version of APR is principally a bug fix release, including
fixes for specific platforms' configuration, feature detection,
and run time behavior. Most developers are encouraged to adopt
the latest APR 1.x version to ensure the most comprehensive
support and access to the latest features and enhancements.

The mission of the Apache Portable Runtime Project is to create
and maintain software libraries that provide a predictable and
consistent interface to underlying platform-specific
implementations. The primary goal is to provide an API to
which software developers may code and be assured of predictable
if not identical behavior regardless of the platform on which
their software is built, relieving them of the need to code
special-case conditions to work around or take advantage of
platform-specific deficiencies or features.

APR and its companion libraries are implemented entirely in C
and provide a common programming interface across a wide variety
of operating system platforms without sacrificing performance.
Currently supported platforms include:

UNIX variants
Windows
Netware
Mac OS X
OS/2

To give a brief overview, the primary core
subsystems of APR 1.2 include the following:

Atomic operations
Dynamic Shared Object loading
File I/O
Locks (mutexes, condition variables, etc)
Memory management (high performance allocators)
Memory-mapped files
Multicast Sockets
Network I/O
Shared memory
Thread and Process management
Various data structures (tables, hashes, priority queues, etc)

For a more complete list, please refer to the following URLs:

http://apr.apache.org/docs/apr/modules.html
http://apr.apache.org/docs/apr-util/modules.html

Users of APR 0.9 should be aware that migrating to the APR 1.x
programming interfaces may require some adjustments; APR 1.x is
neither source nor binary compatible with earlier APR 0.9 releases.
Users of APR 1.x can expect consistent interfaces and binary backwards
compatibility throughout the entire APR 1.x release cycle, as defined
in our versioning rules:

http://apr.apache.org/versioning.html

APR is already used extensively by the Apache HTTP Server
version 2 and the Subversion revision control system, to
name but a few. We list many known projects using APR at
http://apr.apache.org/projects.html -- so please let us know
if you find our libraries useful in your own projects!

Apache HTTP Server 2.2.6, 2.0.61 and 1.3.39 Released

2007-09-07T10:09:50Z

Apache HTTP Server 2.2.6 Released

The Apache Software Foundation and the Apache HTTP Server Project
are
pleased to announce the release of version 2.2.6 of the Apache
HTTP Server
("Apache"). This version of Apache is principally a bug and
security fix
release.

For details see the Official Announcement and the CHANGES_2.2 and
CHANGES_2.2.6 lists.

-----

Apache HTTP Server 2.0.61 Released

The Apache Software Foundation and the Apache HTTP Server Project
are
pleased to announce the legacy release of version 2.0.61 of the
Apache
HTTP Server ("Apache").

For details see the Official Announcement and the CHANGES_2.0 and
CHANGES_2.0.61 lists.

-----

Apache HTTP Server 1.3.39 Released

The Apache Software Foundation and the Apache HTTP Server Project
are
pleased to announce the release of version 1.3.39 of the Apache HTTP
Server ("Apache").

For details see the Official Announcement and the CHANGES_1.3 and

CHANGES_1.3.39 lists.
-----

Apache HTTP Server is available for download from:

http://httpd.apache.org/download.cgi

Apache 2.2 offers numerous enhancements, improvements, and
performance
boosts over the 2.0 codebase. For an overview of new features
introduced
since 2.0 please see:

http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page,
for a
full list of changes. A condensed list, CHANGES_2.2.6 provides the
complete list of changes since 2.2.4 (there was no 2.2.5). A summary
of security vulnerabilities which were addressed in the previous
2.2.6
and earlier releases is available:

http://httpd.apache.org/security/vulnerabilities_22.html

Apache HTTP Server 1.3.39 and 2.0.61 legacy releases are also
currently
available. See the appropriate CHANGES from the url above. See the
corresponding CHANGES files linked from the download page. The
Apache
HTTP Project developers strongly encourage all users to migrate to
Apache 2.2, as only limited maintenance is performed on these legacy
versions.

Apache HTTP Server 2.2.6, 2.0.61 and 1.3.39 Released

2007-09-07T10:09:45Z

ANNOUNCE: Mod_python 3.3.1

2007-02-15T13:54:13Z

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the 3.3.1 release of mod_python. Mod_python 3.3.1
is considered a stable release, suitable for production use.

Mod_python is an Apache HTTP Server module that embeds the Python
language interpreter within the server. With mod_python you can write
web-based applications in Python that will run many times faster than
traditional CGI and will have access to advanced features such as
ability to maintain objects between requests, access to httpd
internals, content filters and connection handlers.

The 3.3.1 release has many new features, feature enhancements, fixed
bugs and other improvements over the previous version. See Appendix A
of mod_python documentation for more details.

Mod_python 3.3.1 is released under the new Apache License version 2.0.

Mod_python 3.3.1 is available for download from:

http://httpd.apache.org/modules/python-download.cgi

More infromation about mod_python is available at:

http://httpd.apache.org/modules/

Many thanks to everyone who contributed to and helped test
this release, without your help it would not be possible!

Regards,

The Apache Mod_python team.

[Announce] Apache HTTP Server 2.2.4 Released

2007-01-10T11:56:06Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apache HTTP Server 2.2.4 Released

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.4 of the Apache HTTP Server
("Apache"). This version of Apache is principally a bugfix release.

We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.4 is available for download from:

http://httpd.apache.org/download.cgi

Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features introduced
since 2.0 please see:

http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page, for
a full list of changes. A summary of security vulnerabilities which
were addressed in the previous 2.2.3 and earlier releases is available:

http://httpd.apache.org/security/vulnerabilities_22.html

Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also currently
available. See the appropriate CHANGES from the url above. See the
corresponding CHANGES files linked from the download page. The Apache
HTTP Project developers strongly encourage all users to migrate to
Apache 2.2, as only limited maintenance is performed on these legacy
versions.

This release includes the Apache Portable Runtime (APR) version 1.2.8
bundled with the tar and zip distributions. The APR libraries libapr
and libaprutil (and on Win32, libapriconv) must all be updated to ensure
binary compatibility and address many known platform bugs.

This release builds on and extends the Apache 2.0 API. Modules written
for Apache 2.0 will need to be recompiled in order to run with Apache 2.2,
and require minimal or no source code changes.

http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be using
(and the libraries they depend on) are thread-safe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBRaVE1fcTqHkQ/eB1AQJ9DAf9ErtsgzDpARyZfptJVGShxvyq894X0lKd
B0x/A8Zxo4Mh0bh2t6gS0TzfSwirMKuziqy823fgrkERJ843W86YPZCYw4pVB+RE
P52JbZi7ri6nG30gKzSZWj03dHa/7bTeEv1YUNy7SbgnmEyYEVI98yMEqEMpLnIE
Sk/cnwhVyuEGnojzhlHPNFlSEy0fbz187zOzuZkxyh7xuqJ/OBsNTIYYcJeQMOSe
Ly1HOcoRA36fVn3CmfpyCheY7HLFpxMBF86PZxfLlMdyyPd3W+ltIPK0bCWgSM0Y
7YJpGauTgb4FK4tluM5RuLC4e3QvTzljES3gNDJAdvtPCHPUCcVsSg==
=U0NI
-----END PGP SIGNATURE-----

ANNOUNCE: Mod_python 3.3.0b (Beta)

2006-12-25T10:07:56Z

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the 3.3.0b (Beta) release of mod_python.

Version 3.3.0b of mod_python features several new functions and
attributes providing better access to apache internals, as well as
many bug fixes and various performance and security improvements. A
detailed description of the changes is available in Appendix A of the
mod_python manual, also available here

http://www.modpython.org/live/mod_python-3.3.0b/doc-html/app-changes-from-3.2.10.html

Beta releases are NOT considered stable and usually contain bugs.

This release is intended to solicit widespread testing of the code. We
strongly recommend that you try out your existing applications and
experiment with new features in a non-production environment using
this version and report any problems you may encounter so that they
can be addressed before the final release.

Preferred method of reporting problems is the mod_python user list
mod_python@....

Mod_python 3.3.0b is available for download from:

http://httpd.apache.org/modules/python-download.cgi

For more information about mod_python visit http://www.modpython.org/

Regards,

The Apache mod_python team.

[Announce] New (relocated) modules-dev@httpd.apache.org list

2006-09-08T02:43:41Z

Following a vote on dev@..., and with input from the project
participants on the apache-modules@... Authors' discussion list,
the httpd project is pleased to announce the creation of a new modules-dev
list at httpd.apache.org. Current subscribers to the apache-modules list
will not be automatically moved, but are encouraged to subscribe themselves.

This mailing list is for people who are actually involved in writing third-party
or private modules for the Apache HTTP server. It is a peer support list for
programmers to discuss issues surrounding the development of web server modules
using the Apache HTTP Server module and APR APIs.

This community was historically hosted at apache-modules@..., and those
posts are still archived on MARC, should continue to be available for perusing.

Details are available here;

http://httpd.apache.org/lists.html#modules-dev

and you can subscribe immediately by sending a blank email to;

modules-dev-subscribe@...

The prior apache-modules list will be closed in three days time, and we hope
to see all of the current participants at modules-dev!

[ANNOUNCE] libapreq2-2.08 Released

2006-08-09T18:21:49Z

libapreq2-2.08 Released

The Apache Software Foundation and The Apache HTTP Server Project
are pleased to announce the 2.08 release of libapreq2. This
Announcement notes significant changes introduced by this release.

libapreq2-2.08 is released under the Apache License
version 2.0. It is now available through the ASF mirrors

http://httpd.apache.org/apreq/download.cgi

and has entered the CPAN as

file: $CPAN/authors/id/J/JO/JOESUF/libapreq2-2.08.tar.gz
size: 847527 bytes
md5: 9fb3deec448f74c455d4ffc13846ea9f

libapreq2 is an APR-based shared library used for parsing HTTP cookies,
query-strings and POST data. This package provides

1) version 2.6.0 of the libapreq2 library,

2) mod_apreq2, a filter module necessary for using libapreq2
within the Apache HTTP Server,

3) the Apache2::Request, Apache2::Cookie, and Apache2::Upload
perl modules for using libapreq2 with mod_perl2.

========================================================================

Changes with libapreq2-2.08 (released August 8, 2006)

- Perl API [Randy Kobes]
add APR_FILE_NOCLEANUP | APR_SHARELOCK to flags passed to
apreq_file_mktemp() on Win32 in library/util.c, in order to
clean up occasional stray temp files left behind in the
Perl upload test (reported by Steve Hay)

- Build [Philip M. Gollucci, Bojan Smojver, joes]
add -fno-strict-aliasing to all compiles on all systems
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193740
This fixes an infinite look split_on_bdry() of library/parser_multipart.c
particularly on linux/gcc 4.x platforms.

- Perl Glue
Fix "value computed not used" gcc 4.1.x compile errors

- Build [Randy Kobes]
Fix the location of apxs and the names of the apr and aprutil
libraries on Win32 to enable building against Apache/2.2.

- Perl Glue docs [Philip M. Gollucci]
Fix the 'docs_install' make target to actually install
the docs for the perl glue.

- Perl Glue Build [Philip M. Gollucci]
Regenerate glue/perl/xsbuilder/ppport.h to fix perl 5.8.8+ on some
plaforms.

- C API [joes]
Add code for apreq_cookies().

- Perl API [joes]
Expose the constants in apreq_error.h via the APR::Request::Error package.

ANNOUNCE: Mod_python 3.2.10

2006-08-07T10:35:35Z

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the 3.2.10 release of mod_python. Mod_python
3.2.10 is considered a stable release, suitable for production use.

Mod_python is an Apache HTTP Server module that embeds the Python
language interpreter within the server. With mod_python you can write
web-based applications in Python that will run many times faster than
traditional CGI and will have access to advanced features such as
ability to maintain objects between requests, access to httpd
internals, content filters and connection handlers.

The 3.2.10 release has many new features, feature enhancements, fixed
bugs and other improvements over the previous version. 3.2.10 now
works with Apache HTTP Server 2.2. See Appendix A of mod_python
documentation for a complete list.

Mod_python 3.2.10 is released under Apache License version 2.0.

Mod_python 3.2.10 is available for download from:

http://httpd.apache.org/modules/python-download.cgi

More information about mod_python is available at:

http://httpd.apache.org/modules/

Many thanks to Jim Gallacher, Graham Dumpleton, Nicolas Lehuen and
everyone else who contributed to and helped test this release, without
your help it would not be possible!

Regards,

Grisha Trubetskoy

[Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released

2006-07-28T08:44:41Z

Apache HTTP Server 2.2.3 Released

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 2.2.3 of the Apache HTTP Server
("Apache").

This version of Apache is principally a bug and security fix release. The
following potential security flaws are addressed;

CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
and 2.2 since 2.2.0.

Depending on the manner in which Apache HTTP Server was compiled, this
software defect may result in a vulnerability which, in combination with
certain types of Rewrite rules in the web server configuration files,
could be triggered remotely. For vulnerable builds, the nature of the
vulnerability can be denial of service (crashing of web server processes)
or potentially allow arbitrary code execution. This issue has been rated
as having important security impact by the Apache HTTP Server Security
Team.

This flaw does not affect a default installation of Apache HTTP Server.
Users who do not use, or have not enabled, the Rewrite module mod_rewrite
are not affected by this issue. This issue only affects installations
using a Rewrite rule with the following characteristics:

* The RewriteRule allows the attacker to control the initial part of the
rewritten URL (for example if the substitution URL starts with $1)
* The RewriteRule flags do NOT include any of the following flags:
Forbidden (F), Gone (G), or NoEscape (NE).

Please note that ability to exploit this issue is dependent on the stack
layout for a particular compiled version of mod_rewrite. If the compiler
used to compile Apache HTTP Server has added padding to the stack
immediately after the buffer being overwritten, it will not be possible to
exploit this issue, and Apache HTTP Server will continue operating
normally.

The Apache HTTP Server project recommends that all users who have built
Apache from source apply the patch or upgrade to the latest level and
rebuild. Providers of Apache-based web servers in pre-compiled form will
be able to determine if this vulnerability applies to their builds. That
determination has no bearing on any other builds of Apache HTTP Server,
and Apache HTTP Server users are urged to exercise caution and apply
patches or upgrade unless they have specific instructions from the
provider of their web server. Statements from vendors can be obtained from
the US-CERT vulnerability note for this issue at:

http://www.kb.cert.org/vuls/id/395412

The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for
the responsible reporting of this vulnerability.

We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.3 is available for download from:

http://httpd.apache.org/download.cgi

Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features introduced
since 2.0 please see:

http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page, for a full
list of changes.

Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also available
with this security fix. See the appropriate CHANGES from the url above.
The Apache HTTP Project developers strongly encourage all users to
migrate to Apache 2.2, as only limited maintenance is performed on these
legacy versions.

This release includes the Apache Portable Runtime (APR) version 1.2.7
bundled with the tar and zip distributions. The APR libraries libapr,
libaprutil, and (on Win32) libapriconv must all be updated to ensure
binary compatibility and address many known platform bugs.

This release builds on and extends the Apache 2.0 API. Modules written for
Apache 2.0 will need to be recompiled in order to run with Apache 2.2, but
no substantial reworking should be necessary.

http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs, you must
ensure that any modules you will be using (and the libraries they depend
on) are thread-safe.

Apache HTTP Server 2.2.2 Released

2006-04-30T21:07:55Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apache HTTP Server 2.2.2 Released

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 2.2.2 of the Apache HTTP
Server ("Apache").

We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.2 is available for download from:

http://httpd.apache.org/download.cgi

Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features introduced
since 2.0 please see:

http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes.

Apache HTTP Server 1.3.35 and 2.0.58 legacy releases are also available
with minor bugfixes. See the appropriate CHANGES from the url above.
The Apache HTTP Project developers strongly encourages all users to
migrate to Apache 2.2, as only limited maintenance is performed on these
legacy versions.

This release includes the Apache Portable Runtime (APR) version 1.2.7
bundled with the tar and zip distributions. The APR libraries libapr,
libaprutil, and (on Win32) libapriconv must all be updated to ensure
binary compatibility and address many known platform bugs.

This release has been through extensive testing, including live at some
of the world's busiest sites, and is now considered stable. This means
that modules and applications developed for Apache 2.2.2 will be both
source- and binary-compatible with future 2.2.x releases. This release
builds on and extends the Apache 2.0 API. Modules written for Apache 2.0
will need to be recompiled in order to run with Apache 2.2, but no
substantial reworking should be necessary.

http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs, you must
ensure that any modules you will be using (and the libraries they depend
on) are thread-safe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFEVXuL94h19kJyHwARAs2CAKCgwF8T26CZvUCPi6a/s3RYTLOZTACgrpvT
efdn65X28irQWi9UaQ9VmQg=
=8g+7
-----END PGP SIGNATURE-----

[ANNOUNCE] Mod_python 3.2.8 (security)

2006-02-24T07:16:21Z

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 3.2.8 of mod_python.

This release addresses a vulnerability in mod_python's FileSession
object whereby a carefully crafted session cookie could potentially
permit an attacker to execute code on the server.

FileSession was introduced in mod_python 3.2.7 released on February 15
2006 and is not enabled by default, therefore only a very small number
of installations, if any, are likely to be affected by this issue.

There are no other changes or improvements from the previous version in
this release.

Mod_python is available for download from:

http://httpd.apache.org/modules/python-download.cgi

For more information about mod_python visit http://www.modpython.org/

Regards,

Gregory Trubetskoy

ANNOUNCE: Mod_python 3.2.7

2006-02-13T07:51:32Z

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the 3.2.7 release of mod_python. Mod_python 3.2.7
is considered a stable release, suitable for production use.

Mod_python is an Apache HTTP Server module that embeds the Python
language interpreter within the server. With mod_python you can write
web-based applications in Python that will run many times faster than
traditional CGI and will have access to advanced features such as
ability to maintain objects between requests, access to httpd
internals, content filters and connection handlers.

The 3.2.7 release has many new features, feature enhancements, fixed
bugs and other improvements over the previous version. See Appendix A
of mod_python documentation for more details.

Mod_python 3.2.7 is released under Apache License version 2.0.

Mod_python 3.2.7 is available for download from:

http://httpd.apache.org/modules/python-download.cgi

More information about mod_python is available at:

http://httpd.apache.org/modules/

Many thanks to Jim Gallacher, Graham Dumpleton, Nicolas Lehuen and
everyone else who contributed to and helped test this release, without
your help it would not be possible!

Regards,

Grisha Trubetskoy

[ANNOUNCE] libapreq2-2.07 Released

2006-02-12T11:52:38Z

libapreq2-2.07 Released

The Apache Software Foundation and The Apache HTTP Server Project
are pleased to announce the 2.07 release of libapreq2. This
Announcement notes significant changes introduced by this release.

libapreq2-2.07 is released under the Apache License
version 2.0. It is now available through the ASF mirrors

http://httpd.apache.org/apreq/download.cgi

and has entered the CPAN as

file: $CPAN/authors/id/J/JO/JOESUF/libapreq2-2.07.tar.gz
size: 787249 bytes
md5: 6f2e5e4a14e8b190dead0fe91fc13080

libapreq2 is an APR-based shared library used for parsing HTTP cookies,
query-strings and POST data. This package provides

1) version 2.5.7 of the libapreq2 library,

2) mod_apreq2, a filter module necessary for using libapreq2
within the Apache HTTP Server,

3) the Apache2::Request, Apache2::Cookie, and Apache2::Upload
perl modules for using libapreq2 with mod_perl2.

This release contains an important security bugfix which impacts all
previous developer releases of libapreq2. The Common Vulnerabilities
and Exposures project assigned the name CVE-2006-0042 to this issue.

========================================================================

Changes with libapreq2-2.07 (released February 12, 2006)

- C API [joes]
SECURITY: CVE-2006-0042 (cve.mitre.org)
Eliminate potential quadratic behavior in apreq_parse_headers() and
apreq_parse_urlencoded().

- Perl API [Philip M. Gollucci]
Fix Apache2::Cookie->cookies() to comply with its documentation

- C API [Philip M. Gollucci]
Use the APREQ_DEFAULT_READ_LIMIT constant for the read_limit

- C API [Ville Skyttä, Dirk Nehring]
Add explicit cast in apreq_escape()/apreq_util.h to keep
C++ compilers happy.

- C API [joes]
Protect against arbitrary recursion depth in apreq_parse_multipart()
by adding a reasonable compile-time MAX_LEVEL limit.

- C API [joes]
Clean up end-of-file parsing for apreq_parse_multipart(),
conforming to rfc-2046 § 5.1.1.

- Perl API [joes]
Move APR::Request::Param::Table and APR::Request::Cookie::Table
packages to APR::Request module.

- Perl XS [Steve Hay]
Fix compile problems on Win32 without PERL_IMPLICIT_SYS
related to link being an unresolved symbol.

- Perl API [joes]
APR::Request::Cookie::thaw() isn't a class method.

- C API [joes]
Fix off-by-one bug in the continuation-lines portion of the
header parser.

- Perl API [joes]
Move APR::Request::upload to APR::Request, where it belongs.

- Perl XS [Nikolay Ananiev]
Use MP_STATIC declarations to allow Cygwin builds.

- Perl API [joes]
encode()/decode() were busted with zero-length args. This caused
Apache2::Cookie::new() to segfault on cookie value of "".

- C API [joes]
Add apreq_charset_divine() and eliminate charset offset from return
value of apreq_decode(v).

- C API [joes]
Improve the cp1252-charset heuristics for apreq_decode(v).

- C API [Ralph Mattes]
Add explicit casts for apreq_param_charset_* to keep c++ compilers happy.

Apache HTTP Server 2.2.0 Released

2005-12-01T13:51:50Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apache HTTP Server 2.2.0 Released

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 2.2.0 of the Apache HTTP
Server ("Apache").

We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.0 is available for download from:

http://httpd.apache.org/download.cgi

Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features
introduced since 2.0 please see:

http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes.

This release includes the Apache Portable Runtime (APR) version 1.2.2
bundled with the tar and zip distributions. The APR libraries libapr,
libaprutil, and (on Win32) libapriconv must all be updated to ensure
binary compatibility and address many known platform bugs.

This release has been through extensive testing, including live at some
of the world's busiest sites, and is now considered stable. This means
that modules and applications developed for Apache 2.2.0 will be both
source- and binary-compatible with future 2.2.x releases. This release
builds on and extends the Apache 2.0 API. Modules written for Apache 2.0
will need to be recompiled in order to run with Apache 2.2, but no
substantial reworking should be necessary.

http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

Known Issues

Some non-showstopping issues were found during the 2.2.0 release
and testing cycle:

* mod_dbd and mod_authn_dbd are absent from the Windows build
environment. A patch to correct this is available from:

http://www.apache.org/dist/httpd/patches/apply_to_2.2.0/

* If you are installing on a system with apr/apr-util 1.0 or 1.1
installed, you must build apr/apr-util 1.2 manually. See:

http://httpd.apache.org/docs/2.2/install.html#requirements

When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs, you must
ensure that any modules you will be using (and the libraries they depend
on) are thread-safe.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFDj3B294h19kJyHwARAicXAJ43lkdWgtc2npdw14jUeTLO4rSjBwCfRtpu
q3JYhuNhnUBjLq98iSiRelU=
=MBbs
-----END PGP SIGNATURE-----

ANNOUNCE: Mod_python 3.2.5 Beta

2005-11-23T07:30:23Z

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the 3.2.5 Beta release mod_python.

Version 3.2.5b of mod_python features several new functions and attributes
providing better access to apache internals, file-based sessions and other
session improvements, as well as many bug fixes and various performance
and security improvements. A detailed description of the changes is
available in Appendix A of the mod_python manual, also available here:

http://www.modpython.org/live/mod_python-3.2.5b/doc-html/node97.html

Beta releases are NOT considered stable and usually contain bugs.

This release is intended to solicit widespread testing of the code. We
strongly recommend that you try out your existing applications and
experiment with new features in a non-production environment using this
version and report any problems you may encounter so that they can be
addressed before the final release.

Preferred method of reporting problems is the mod_python user list
mod_python@....

Mod_python 3.2.5b is available for download from:

http://httpd.apache.org/modules/python-download.cgi

For more information about mod_python visit http://www.modpython.org/

Regards,

Grisha Trubetskoy and the Apache mod_python team.

Apache HTTP Server 2.1.9-beta Released

2005-11-06T18:42:19Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apache HTTP Server 2.1.9-beta Released

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 2.1.9-beta of the Apache HTTP
Server ("Apache"). This beta release should not be presumed to be
compatible with binaries built against any prior or future version.

Apache HTTP Server 2.1.9-beta is available for download from:

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.1 file, linked from the above page, for a full
list of changes.

Apache 2.1 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features
introduced after 2.0 please see:

http://httpd.apache.org/docs/2.1/new_features_2_2.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFDbr8K94h19kJyHwARAmxAAJ9yByudA8ZXAo3KhSoGMhjnBHEUsACeOV2k
I6rE0FevgkBLhqVD6s6L8MM=
=1Opn
-----END PGP SIGNATURE-----

[ANNOUNCEMENT] Apache HTTP Server 1.3.34 Released

2005-10-18T11:50:16Z

Apache HTTP Server 1.3.34 Released

The Apache Software Foundation and The Apache HTTP Server Project
are
pleased to announce the release of version 1.3.34 of the Apache HTTP
Server ("Apache"). This Announcement notes the significant changes
in 1.3.34 as compared to 1.3.33. This Announcement1.3 document may
also be available in multiple languages at:

http://www.apache.org/dist/httpd/

This version of Apache is principally a bug and security fix
release.
A partial summary of the bug fixes is given at the end of this
document.
A full listing of changes can be found in the CHANGES file. Of
particular note is that 1.3.34 addresses and fixes 2 potential
security issues:

o If a request contains both Transfer-Encoding and
Content-Length headers, remove the Content-Length, mitigating
some
HTTP Request Splitting/Spoofing attacks.

o Added TraceEnable [on|off|extended] per-server directive to
alter
the behavior of the TRACE method.

We consider Apache 1.3.34 to be the best version of Apache 1.3
available
and we strongly recommend that users of older versions,
especially of
the 1.1.x and 1.2.x family, upgrade as soon as possible. No further
releases will be made in the 1.2.x family.

Apache 1.3.34 is available for download from:

http://httpd.apache.org/download.cgi

This service utilizes the network of mirrors listed at:

http://www.apache.org/mirrors/

Please consult the CHANGES_1.3 file for a full list of changes.

As of Apache 1.3.12 binary distributions contain all standard Apache
modules as shared objects (if supported by the platform) and include
full source code. Installation is easily done by executing the
included install script. See the README.bindist and INSTALL.bindist
files for a complete explanation. Please note that the binary
distributions are only provided for your convenience and current
distributions for specific platforms are not always available.
Win32
binary distributions are based on the Microsoft Installer (.MSI)
technology. While development continues to make this
installation method
more robust, questions should be directed to the
news:comp.infosystems.www.servers.ms-windows newsgroup.

For an overview of new features introduced after 1.2 please see

http://httpd.apache.org/docs/new_features_1_3.html

In general, Apache 1.3 offers several substantial improvements over
version 1.2, including better performance, reliability and a wider
range of supported platforms, including Windows NT and 2000 (which
fall under the "Win32" label), OS2, Netware, and TPF threaded
platforms.

Apache is the most popular web server in the known universe; over
half
of the servers on the Internet are running Apache or one of its
variants.

IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for
Unix OS
variants. While the ports to non-Unix platforms (such as Win32,
Netware
or OS2) are of an acceptable quality, Apache 1.3 is not optimized
for
these platforms. Security, stability, or performance issues on
these
non-Unix ports do not generally apply to the Unix version, due to
software's Unix origin.

Apache 2.0 has been structured for multiple operating systems
from its
inception, by introducing the Apache Portability Library and MPM
modules.
Users on Unix and non-Unix platforms are strongly encouraged to
move up to
Apache 2.0 for better performance, stability and security on their
platforms. We consider Apache 2.0.55 to be the best available
version at
the time of this release. We offer Apache 1.3.34 as the best legacy
version of Apache 1.3 available, and strongly recommend that
users who
require compatibility with existing Apache 1.3 installations should
upgrade as soon as possible. Users should first consider
upgrading to
the current release of Apache 2 instead.

Apache 1.3.34 Major changes

Security vulnerabilities

* SECURITY: core: If a request contains both Transfer-Encoding and
Content-Length headers, remove the Content-Length, mitigating
some
HTTP Request Splitting/Spoofing attacks. This has no impact on
mod_proxy_http, yet affects any module which supports chunked
encoding yet fails to prefer T-E: chunked over the Content-
Length
purported value.

* Added TraceEnable [on|off|extended] per-server directive to
alter
the behavior of the TRACE method. This addresses a flaw in
proxy
conformance to RFC 2616 - previously the proxy server would
accept
a TRACE request body although the RFC prohibited it. The
default
remains 'TraceEnable on'.

New features

New features that relate to specific platforms:

* None

New features that relate to all platforms:

* None

Bugs fixed

The following noteworthy bugs were found in Apache 1.3.33 (or
earlier)
and have been fixed in Apache 1.3.34:

* hsregex: fix potential core dumping on 64 bit machines, such as
AMD64. PR 31858.
* mod_digest: Fix another nonce string calculation issue.

Apache HTTP Server 2.0.55 Released

2005-10-14T11:48:38Z

Apache HTTP Server 2.0.55 Released

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 2.0.55 of the Apache HTTP
Server ("Apache"). This Announcement notes the significant changes
in 2.0.55 as compared to 2.0.55. This Announcement2.0 document may
also be available in multiple langages at:

http://www.apache.org/dist/httpd/

This version of Apache is principally a security release. The
following potential security flaws are addressed, the first three
of which address several classes of HTTP Request and Response
Splitting/Spoofing attacks;

CAN-2005-2088 (cve.mitre.org)

core: If a request contains both Transfer-Encoding and Content-Length
headers, remove the Content-Length.

proxy_http: Correctly handle the Transfer-Encoding and Content-Length
request headers. Discard the request Content-Length whenever chunked
T-E is used, always passing one of either C-L or T-E chunked whenever
the request includes a request body.

Unassigned

proxy_http: If a response contains both Transfer-Encoding and a
Content-Length, remove the Content-Length and don't reuse the
connection.

CAN-2005-2700 (cve.mitre.org)

mod_ssl: Fix a security issue where "SSLVerifyClient" was not
enforced in per-location context if "SSLVerifyClient optional"
was configured in the vhost configuration.

CAN-2005-2491 (cve.mitre.org)

pcre: Fix integer overflows in PCRE in quantifier parsing which
could be triggered by a local user through use of a carefully
crafted regex in an .htaccess file.

CAN-2005-2728 (cve.mitre.org)

Fix cases where the byterange filter would buffer responses
into memory.

CAN-2005-1268 (cve.mitre.org)

mod_ssl: Fix off-by-one overflow whilst printing CRL information
at "LogLevel debug" which could be triggered if configured
to use a "malicious" CRL.

The Apache HTTP Project thanks all of the reporters of these
issues and vulnerabilities for the responsible reporting and
thorough analysis of these vulnerabilities.

This release further addresses a number of cross-platform bugs,
as well as specific issues on OS/X 10.4, Win32, AIX as well as
all EBCDIC platforms, and adds compatibility with OpenSSL 0.9.8.

This release is compatible with modules compiled for 2.0.42 and
later versions. We consider this release to be the best version
of Apache available and encourage users of all prior versions to
upgrade.

This release includes the Apache Portable Runtime library suite
release version 0.9.7, bundled with the tar and zip distributions.
These libraries; libapr, libaprutil, and on Win32, libapriconv must
all be updated to ensure binary compatibility and address many
known platform bugs.

Apache HTTP Server 2.0.55 is available for download from

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.0 file, linked from the above page, for
a full list of changes. A condensed list, CHANGES_2.0.55 provides
the complete list of changes since 2.0.54, including changes to
the APR suite of libraries.

Apache 2.0 offers numerous enhancements, improvements, and performance
boosts over the 1.3 codebase. For an overview of new features introduced
after 1.3 please see

http://httpd.apache.org/docs/2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep
in mind the following: If you intend to use Apache with one of the
threaded MPMs, you must ensure that the modules (and the libraries
they depend on) that you will be using are thread-safe. Please
refer to the documentation of these modules and libraries to obtain
this information.

Apache HTTP Server 2.1.8-beta Released

2005-10-01T18:08:49Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apache HTTP Server 2.1.8-beta Released

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 2.1.8-beta of the Apache HTTP
Server ("Apache"). This beta release should not be presumed to be
compatible with binaries built against any prior or future version.

Apache HTTP Server 2.1.8-beta is available for download from:

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.1 file, linked from the above page, for a full
list of changes.

Apache 2.1 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features
introduced after 2.0 please see:

http://httpd.apache.org/docs/2.1/new_features_2_2.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFDPyUR94h19kJyHwARAqKLAJ4qFrkxcuAmV64os/c4QYCj4XnjsACfb5pi
t4E6gCh6JN1wELjrS08I9cw=
=wDL/
-----END PGP SIGNATURE-----

ANNOUNCE: Mod_python 3.2.2 Beta

2005-09-19T19:55:04Z

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the 3.2.2 Beta release mod_python.

Version 3.2.2b of mod_python features several new functions and attributes
providing better access to apache internals, file-based sessions and other
session improvements, as well as many bug fixes and various performance
and security improvements. A detailed description of the changes is
available in Appendix A of the mod_python manual, also available here:

http://www.modpython.org/live/mod_python-3.2.2b/doc-html/node97.html

Beta releases are NOT considered stable and usually contain bugs.

This release is intended to solicit widespread testing of the code. We
strongly recommend that you try out your existing applications and
experiment with new features in a non-production environment using this
version and report any problems you may encounter so that they can be
addressed before the final release.

Preferred method of reporting problems is the mod_python user list
mod_python@....

Mod_python 3.2.2b is available for download from:

http://httpd.apache.org/modules/python-download.cgi

For more information about mod_python visit http://www.modpython.org/

Regards,

Grisha Trubetskoy and the Apache mod_python team.

Apache HTTP Server 2.1.7-beta Released

2005-09-12T09:53:52Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apache HTTP Server 2.1.7-beta Released

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 2.1.7-beta of the Apache
HTTP Server ("Apache"). This beta release should not be presumed to
be compatible with binaries built against any prior or future version.

Apache HTTP Server 2.1.7-beta is available for download from:

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.1 file, linked from the above page, for a full
list of changes.

Known Issues
Several non-show-stopping issues were found during the 2.1.7-beta
release cycle:

* mod_setvenfif was missing updated documentation
* server/listen.c had problems working on AIX
* The RPM spec file was outdated.
* htcacheclean lacked support for recent changes to mod_disk_cache

A patch that fixes these issues ia available at:

http://www.apache.org/dist/httpd/patches/apply_to_2.1.7/non-showstoppers.patch

In addition, mod_ldap in 2.1.7-beta does not compile on older version of
Windows.

Apache 2.1 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features
introduced after 2.0 please see:

http://httpd.apache.org/docs-2.1/new_features_2_2.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFDJaSQ94h19kJyHwARAvuKAJ41Ky2W641fayJyUwvqM/PgwxVXpgCg0XMP
keDuo+Y1avdD4i1mqufPXvU=
=PXBH
-----END PGP SIGNATURE-----