Well... I'm east coast :)

On Aug 30, 2007, at 9:48 AM, Cameron J. Young ((Personal)) wrote:

Jim,
Is that EST or PST ??
Cheers,
Cameron

-----Original Message-----
From: Jim Jagielski [mailto:[EMAIL PROTECTED]
Sent: Thursday, 30 August 2007 23:02
To: [email protected]
Subject: Re: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)

Yes, the CHANGES file will be updated to reflect any
and all security issues for that release...

On Aug 30, 2007, at 8:38 AM, Joe Orton wrote:

On Thu, Aug 30, 2007 at 08:31:21AM -0400, Jim Jagielski wrote:
Since a few regressions and other issues popped up the
last go around, I cancelled release of 1.3.38, 2.0.60 and
2.2.5... I think we are close, *very* close to being at
the point to try this all again.

Can we move the SECURITY stuff back up to the top and remove the 2.2.5
heading - it would just be confusing to users since 2.2.5 doesn't really
exist? i.e. below, which adds the CVE name for the autoindex issue too.

Index: CHANGES
===================================================================
--- CHANGES     (revision 571136)
+++ CHANGES     (working copy)
@@ -1,11 +1,37 @@
                                                         -*-
coding: utf-8 -*-
 Changes with Apache 2.2.6

-  *) mod_autoindex: Add in Type and Charset options to IndexOptions
+  *) SECURITY: CVE-2007-4465 (cve.mitre.org)
+     mod_autoindex: Add in Type and Charset options to IndexOptions
      directive. This allows the admin to explicitly set the
      content-type and charset of the generated page.
      [Jim Jagielski]

+  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
+ mod_proxy: Prevent reading past the end of a buffer when parsing
+     date-related headers.  PR 41144.
+     [Davi Arnaut, Nick Kew]
+
+  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
+     mod_cache: Prevent a segmentation fault if attributes are
listed in a
+     Cache-Control header without any value.
+     [Niklas Edmundsson <nikke acc.umu.se>]
+
+  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
+     prefork, worker, event MPMs: Ensure that the parent process
cannot
+     be forced to kill processes outside its process group.
+     [Joe Orton, Jim Jagielski]
+
+  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
+     mod_status: Fix a possible XSS attack against a site with a
public
+     server-status page and ExtendedStatus enabled, for browsers
which
+     perform charset "detection".  Reported by Stefan Esser.  [Joe
Orton]
+
+  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
+     mod_mem_cache: Copy headers into longer lived storage; header
names and
+     values could previously point to cleaned up storage.  PR 41551.
+     [Davi Arnaut <davi haxent.com.br>]
+
   *) log core: ensure we use a special pool for stderr logging, so
that
      the stderr channel remains valid from the time plog is
destroyed,
      until the time the open_logs hook is called again.  [William
Rowe]
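
Review bot: The mod_autoindex entry at the top of this hunk gains "SECURITY: CVE-2007-4465", but its text still reads as a feature note (Type and Charset options for IndexOptions) and never says what problem the CVE covers, unlike the five entries moved in beneath it, which each state the fault being fixed. Since the wording says the options only "allow the admin to explicitly set" the content-type and charset, add a sentence naming the issue and saying whether a configuration change is needed for the fix to take effect. Minor: the "mod_proxy:" continuation line is indented differently from the other entries (carried over unchanged from the block removed in the next hunk); normalise it while the entry is being moved.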
@@ -70,33 +96,6 @@
      improper merging of the cache lock in vhost config
      PR 43164 [Eric Covener]

-Changes with Apache 2.2.5
-
-  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
- mod_proxy: Prevent reading past the end of a buffer when parsing
-     date-related headers.  PR 41144.
-     [Davi Arnaut, Nick Kew]
-
-  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
-     mod_cache: Prevent a segmentation fault if attributes are
listed in a
-     Cache-Control header without any value.
-     [Niklas Edmundsson <nikke acc.umu.se>]
-
-  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
-     prefork, worker, event MPMs: Ensure that the parent process
cannot
-     be forced to kill processes outside its process group.
-     [Joe Orton, Jim Jagielski]
-
-  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
-     mod_status: Fix a possible XSS attack against a site with a
public
-     server-status page and ExtendedStatus enabled, for browsers
which
-     perform charset "detection".  Reported by Stefan Esser.  [Joe
Orton]
-
-  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
-     mod_mem_cache: Copy headers into longer lived storage; header
names and
-     values could previously point to cleaned up storage.  PR 41551.
-     [Davi Arnaut <davi haxent.com.br>]
-
   *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]

   *) mod_deflate: fix protocol handling in deflate input filter
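
Review bot: Several removed lines in this hunk have been wrapped in transit ("listed in a", "cannot", "public", "which", "Orton]" and "names and" sit on their own lines with no leading "-"), so the hunk will not apply as mailed to revision 571136, and the added lines in the first hunk are wrapped the same way. Resend the patch as an attachment or commit it directly. Once the "Changes with Apache 2.2.5" heading is gone, the ApacheMonitor and mod_deflate entries that follow fall under "Changes with Apache 2.2.6", which matches the stated intent; the five removed SECURITY entries match the ones added in the first hunk line for line.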



