Thanks Jim. Allows me to do the correct maths.
I'm in Australia (East Coast).

Cheers,
Cameron

-----Original Message-----
From: Jim Jagielski [mailto:[EMAIL PROTECTED]
Sent: Friday, 31 August 2007 00:13
To: dev@httpd.apache.org
Subject: Re: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)

Well... I'm east coast :)

On Aug 30, 2007, at 9:48 AM, Cameron J. Young ((Personal)) wrote:

> Jim,
> Is that EST or PST ??
> Cheers,
> Cameron
>
> -----Original Message-----
> From: Jim Jagielski [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 30 August 2007 23:02
> To: dev@httpd.apache.org
> Subject: Re: Guess what? Time for 1.3.39, 2.0.61 and 2.2.6 :)
>
> Yes, the CHANGES file will be updated to reflect any
> and all security issues for that release...
>
> On Aug 30, 2007, at 8:38 AM, Joe Orton wrote:
>
>> On Thu, Aug 30, 2007 at 08:31:21AM -0400, Jim Jagielski wrote:
>>> Since a few regressions and other issues popped up the
>>> last go around, I cancelled release of 1.3.38, 2.0.60 and
>>> 2.2.5... I think we are close, *very* close to being at
>>> the point to try this all again.
>>
>> Can we move the SECURITY stuff back up to the top and remove the 2.2.5
>> heading - it would just be confusing to users since 2.2.5 doesn't really
>> exist? i.e. below, which adds the CVE name for the autoindex issue too.
>>
>> Index: CHANGES >> =================================================================== >> --- CHANGES (revision 571136) >> +++ CHANGES (working copy) 
>> @@ -1,11 +1,37 @@ >> -*- >> coding: utf-8 -*- >> Changes with Apache 2.2.6 >> >> - *) mod_autoindex: Add in Type and Charset options to IndexOptions >> + *) SECURITY: CVE-2007-4465 (cve.mitre.org) >> + mod_autoindex: Add in Type and Charset options to IndexOptions >> directive. This allows the admin to explicitly set the >> content-type and charset of the generated page. >> [Jim Jagielski] >> >> + *) SECURITY: CVE-2007-3847 (cve.mitre.org) >> + mod_proxy: Prevent reading past the end of a buffer when >> parsing >> + date-related headers. PR 41144. >> + [Davi Arnaut, Nick Kew] >> + >> + *) SECURITY: CVE-2007-1863 (cve.mitre.org) >> + mod_cache: Prevent a segmentation fault if attributes are >> listed in a >> + Cache-Control header without any value. >> + [Niklas Edmundsson <nikke acc.umu.se>] >> + >> + *) SECURITY: CVE-2007-3304 (cve.mitre.org) >> + prefork, worker, event MPMs: Ensure that the parent process >> cannot >> + be forced to kill processes outside its process group. >> + [Joe Orton, Jim Jagielski] >> + >> + *) SECURITY: CVE-2006-5752 (cve.mitre.org) >> + mod_status: Fix a possible XSS attack against a site with a >> public >> + server-status page and ExtendedStatus enabled, for browsers >> which >> + perform charset "detection". Reported by Stefan Esser. [Joe >> Orton] >> + >> + *) SECURITY: CVE-2007-1862 (cve.mitre.org) >> + mod_mem_cache: Copy headers into longer lived storage; header >> names and >> + values could previously point to cleaned up storage. PR 41551. >> + [Davi Arnaut <davi haxent.com.br>] >> + >> *) log core: ensure we use a special pool for stderr logging, so >> that >> the stderr channel remains valid from the time plog is >> destroyed, >> until the time the open_logs hook is called again. [William >> Rowe] 
>> @@ -70,33 +96,6 @@ >> improper merging of the cache lock in vhost config >> PR 43164 [Eric Covener] >> >> -Changes with Apache 2.2.5 >> - >> - *) SECURITY: CVE-2007-3847 (cve.mitre.org) >> - mod_proxy: Prevent reading past the end of a buffer when >> parsing >> - date-related headers. PR 41144. >> - [Davi Arnaut, Nick Kew] >> - >> - *) SECURITY: CVE-2007-1863 (cve.mitre.org) >> - mod_cache: Prevent a segmentation fault if attributes are >> listed in a >> - Cache-Control header without any value. >> - [Niklas Edmundsson <nikke acc.umu.se>] >> - >> - *) SECURITY: CVE-2007-3304 (cve.mitre.org) >> - prefork, worker, event MPMs: Ensure that the parent process >> cannot >> - be forced to kill processes outside its process group. >> - [Joe Orton, Jim Jagielski] >> - >> - *) SECURITY: CVE-2006-5752 (cve.mitre.org) >> - mod_status: Fix a possible XSS attack against a site with a >> public >> - server-status page and ExtendedStatus enabled, for browsers >> which >> - perform charset "detection". Reported by Stefan Esser. [Joe >> Orton] >> - >> - *) SECURITY: CVE-2007-1862 (cve.mitre.org) >> - mod_mem_cache: Copy headers into longer lived storage; header >> names and >> - values could previously point to cleaned up storage. PR 41551. >> - [Davi Arnaut <davi haxent.com.br>] >> - >> *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk] >> >> *) mod_deflate: fix protocol handling in deflate input filter >> > >
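Review bot: The new CVE-2007-4465 entry at the top of the first hunk carries the SECURITY tag, but its text still only describes the feature ("Add in Type and Charset options to IndexOptions directive"), while every other SECURITY entry in the hunk says what is prevented or fixed. Suggest adding a sentence stating what problem the explicit content-type and charset address, so an admin reading CHANGES can tell whether upgrading is enough or whether the new IndexOptions settings have to be configured.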
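Review bot: Dropping the "Changes with Apache 2.2.5" heading in the second hunk folds the entries that followed it (ApacheMonitor, mod_deflate and whatever comes after) into the 2.2.6 list with nothing left in the file to say that 2.2.5 was cancelled. Suggest recording that in the commit message or in a short line under the 2.2.6 heading, so someone comparing CHANGES against the 2.2.5 tag is not left looking for a missing section. The five SECURITY entries removed here match the five added in the first hunk as quoted, including PR numbers and credits, so nothing is lost in the move.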