Jim,

Is that EST or PST ??

Cheers,
Cameron

-----Original Message-----
From: Jim Jagielski [mailto:[EMAIL PROTECTED]
Sent: Thursday, 30 August 2007 23:02
To: [email protected]
Subject: Re: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)
Yes, the CHANGES file will be updated to reflect any and all security issues for that release...

On Aug 30, 2007, at 8:38 AM, Joe Orton wrote:

> On Thu, Aug 30, 2007 at 08:31:21AM -0400, Jim Jagielski wrote:
>> Since a few regressions and other issues popped up the
>> last go around, I cancelled release of 1.3.38, 2.0.60 and
>> 2.2.5... I think we are close, *very* close to being at
>> the point to try this all again.
>
> Can we move the SECURITY stuff back up to the top and remove the 2.2.5
> heading - it would just be confusing to users since 2.2.5 doesn't really
> exist? i.e. below, which adds the CVE name for the autoindex issue too.
>
> Index: CHANGES
> ===================================================================
> --- CHANGES (revision 571136)
> +++ CHANGES (working copy)
> @@ -1,11 +1,37 @@ > -*- > coding: utf-8 -*- > Changes with Apache 2.2.6 > > - *) mod_autoindex: Add in Type and Charset options to IndexOptions > + *) SECURITY: CVE-2007-4465 (cve.mitre.org) > + mod_autoindex: Add in Type and Charset options to IndexOptions > directive. This allows the admin to explicitly set the > content-type and charset of the generated page. > [Jim Jagielski] > > + *) SECURITY: CVE-2007-3847 (cve.mitre.org) > + mod_proxy: Prevent reading past the end of a buffer when parsing > + date-related headers. PR 41144. > + [Davi Arnaut, Nick Kew] > + > + *) SECURITY: CVE-2007-1863 (cve.mitre.org) > + mod_cache: Prevent a segmentation fault if attributes are > listed in a > + Cache-Control header without any value. > + [Niklas Edmundsson <nikke acc.umu.se>] > + > + *) SECURITY: CVE-2007-3304 (cve.mitre.org) > + prefork, worker, event MPMs: Ensure that the parent process > cannot > + be forced to kill processes outside its process group. > + [Joe Orton, Jim Jagielski] > + > + *) SECURITY: CVE-2006-5752 (cve.mitre.org) > + mod_status: Fix a possible XSS attack against a site with a > public > + server-status page and ExtendedStatus enabled, for browsers > which > + perform charset "detection". Reported by Stefan Esser. [Joe > Orton] > + > + *) SECURITY: CVE-2007-1862 (cve.mitre.org) > + mod_mem_cache: Copy headers into longer lived storage; header > names and > + values could previously point to cleaned up storage. PR 41551. > + [Davi Arnaut <davi haxent.com.br>] > + > *) log core: ensure we use a special pool for stderr logging, so > that > the stderr channel remains valid from the time plog is > destroyed, > until the time the open_logs hook is called again. [William > Rowe] 
> @@ -70,33 +96,6 @@ > improper merging of the cache lock in vhost config > PR 43164 [Eric Covener] > > -Changes with Apache 2.2.5 > - > - *) SECURITY: CVE-2007-3847 (cve.mitre.org) > - mod_proxy: Prevent reading past the end of a buffer when parsing > - date-related headers. PR 41144. > - [Davi Arnaut, Nick Kew] > - > - *) SECURITY: CVE-2007-1863 (cve.mitre.org) > - mod_cache: Prevent a segmentation fault if attributes are > listed in a > - Cache-Control header without any value. > - [Niklas Edmundsson <nikke acc.umu.se>] > - > - *) SECURITY: CVE-2007-3304 (cve.mitre.org) > - prefork, worker, event MPMs: Ensure that the parent process > cannot > - be forced to kill processes outside its process group. > - [Joe Orton, Jim Jagielski] > - > - *) SECURITY: CVE-2006-5752 (cve.mitre.org) > - mod_status: Fix a possible XSS attack against a site with a > public > - server-status page and ExtendedStatus enabled, for browsers > which > - perform charset "detection". Reported by Stefan Esser. [Joe > Orton] > - > - *) SECURITY: CVE-2007-1862 (cve.mitre.org) > - mod_mem_cache: Copy headers into longer lived storage; header > names and > - values could previously point to cleaned up storage. PR 41551. > - [Davi Arnaut <davi haxent.com.br>] > - > *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk] > > *) mod_deflate: fix protocol handling in deflate input filter >
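Review bot: in the first hunk (@@ -1,11 +1,37 @@), the new "SECURITY: CVE-2007-4465" entry keeps only the feature wording ("mod_autoindex: Add in Type and Charset options to IndexOptions directive. This allows the admin to explicitly set the content-type and charset of the generated page.") and never states what problem the new options address, whereas every other SECURITY entry in the hunk opens with the fix ("Prevent reading past the end of a buffer...", "Prevent a segmentation fault...", "Fix a possible XSS attack..."). Suggest adding a first line describing the issue being mitigated, so that someone scanning CHANGES for the CVE can tell what was fixed without looking it up elsewhere.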
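Review bot: in the second hunk (@@ -70,33 +96,6 @@), the five SECURITY entries removed together with the "Changes with Apache 2.2.5" heading (CVE-2007-3847, CVE-2007-1863, CVE-2007-3304, CVE-2006-5752, CVE-2007-1862) all reappear under 2.2.6 in the first hunk, so nothing is dropped, and the "ApacheMonitor" and "mod_deflate" entries that followed the old heading now continue the 2.2.6 list as intended. Since the move is meant to be a pure relocation, it is worth diffing the two copies once more to confirm the wrapped attribution lines ("[Niklas Edmundsson <nikke acc.umu.se>]", "[Joe Orton]", "[Davi Arnaut <davi haxent.com.br>]") came across with identical wording and indentation.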
