-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Apache HTTP Server 2.1.6-alpha Released
The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 2.1.6-alpha of the Apache
HTTP Server ("Apache"). This alpha release should not be presumed to
be compatible with binaries built against any prior or future version.
The 2.1.6-alpha release addresses a security vulnerability present
in all previous 2.x versions. This fault did not affect Apache 1.3.x
(which did not proxy keepalives or chunked transfer encoding);
Proxy HTTP: If a response contains both Transfer-Encoding
and a Content-Length, remove the Content-Length to eliminate
an HTTP Request Smuggling vulnerability and don't reuse the
connection, stopping some HTTP Request Spoofing attacks.
The Apache HTTP Server Project thanks the Watchfire team of Linhart,
Klein, Heled and Orrin for the responsible notification and disclosure
of this information.
Apache HTTP Server 2.1.6-alpha is available for download from:
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.1 file, linked from the above page, for a full
list of changes.
Apache 2.1 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features
introduced after 2.0 please see:
http://httpd.apache.org/docs-2.1/new_features_2_2.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFCwKmC94h19kJyHwARAvBgAJ9yv/vSYThPd3+BA5axX5B6eKuC2QCfUqXm
zCsd3SPiLcSnSTDE0r1844I=
=G1cX
-----END PGP SIGNATURE-----
