I am not seeing the release on their web site or on their announce@ list.
Also there is no mention of a 2.4.5 here?
On Wed, Jul 10, 2013 at 11:00 AM, Daniel Shahaf <danielsh_at_apache.org> wrote:
> ----- Forwarded message from Apache HTTP Server Project <wrowe_at_apache.org> -----
>> From: "Apache HTTP Server Project" <wrowe_at_apache.org>
>> Subject: [Announcement] Apache HTTP Server 2.2.25 Released
>> To: announce_at_subversion.apache.org
>> Date: Wed, 10 Jul 2013 12:51:06 -0500
>> Message-ID: <20130710125106.6a2eb0d7.wrowe_at_rowe-clan.net>
>> [Shared with subversion announce for significant mod_dav changes]
>> Apache HTTP Server 2.2.25 Released
>> The Apache Software Foundation and the Apache HTTP Server Project are
>> pleased to announce the release of version 2.2.25 of the Apache HTTP
>> Server ("Apache"). This version of Apache is principally a security
>> and bug fix legacy release, including the following security fixes:
>> * SECURITY: CVE-2013-1896 (cve.mitre.org)
>>   mod_dav: Sending a MERGE request against a URI handled by
>>   mod_dav_svn with the source href (sent as part of the request body
>>   as XML) pointing to a URI that is not configured for DAV will
>>   trigger a segfault.
>> * SECURITY: CVE-2013-1862 (cve.mitre.org)
>>   mod_rewrite: Ensure that client data written to the RewriteLog is
>>   escaped to prevent terminal escape sequences from entering the
>>   log file.
>> The Apache HTTP Project thanks Ben Riser and Ramiro Molina for
>> bringing these issues to the attention of the project security team.
>> Errata: the build is known to fail against OpenSSL when that library
>> is built to provide no SSLv2 support whatsoever. The following patch
>> will successfully build httpd 2.2.25 against such OpenSSL
>> We consider the Apache HTTP Server 2.4 release to be the best version
>> of Apache available, and encourage users of 2.2 and all prior
>> versions to upgrade. This 2.2 legacy release is offered for those
>> unable to upgrade at this time. For further details, see:
>> Apache HTTP Server 2.4 and 2.2.25 are available for download from:
>> Please see the CHANGES_2.2 file, linked from the download page, for a
>> full list of changes. A condensed list, CHANGES_2.2.25 includes only
>> those changes introduced since the prior 2.2 release. A summary of
>> all of the security vulnerabilities addressed in this and earlier
>> releases is available:
>> This release includes the Apache Portable Runtime (APR) version 1.4.8
>> and APR Utility Library (APR-util) version 1.5.2, bundled with the
>> tar and zip distributions. The APR libraries libapr and libaprutil
>> (and on Win32, libapriconv version 1.2.1) must all be updated to
>> ensure binary compatibility and address many known security and
>> platform bugs. APR-util version 1.5 represents a minor version
>> upgrade from earlier httpd 2.2 source distributions.
>> This release builds on and extends the Apache 2.0 API and is
>> superseded by the Apache 2.4 API. Modules written for Apache 2.0
>> or 2.4 will need to be recompiled in order to run with Apache 2.2,
>> and most will require minimal or no source code changes.
>> When upgrading or installing this version of Apache, please bear in
>> mind that if you intend to use Apache with one of the threaded MPMs
>> (other than the Prefork MPM), you must ensure that any modules you
>> will be using (and the libraries they depend on) are thread-safe.
> ----- End forwarded message -----
Received on 2013-07-10 20:14:24 CEST
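The CVE-2013-1862 item in the forwarded announcement is about escaping client data before it is written to the RewriteLog. The following is an added example of that kind of escaping, not part of the thread and not httpd's own code; the `log_escape` helper and the sample URI are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not httpd's code: copy client-supplied text into dst
 * with backslash and every byte outside printable ASCII (ESC 0x1b, CR, LF,
 * high bytes) rewritten as a visible escape, so a terminal displaying the
 * log never receives a raw control sequence.
 * Returns the escaped length, or (size_t)-1 if dst is too small (dst
 * contents are then unspecified). */
size_t log_escape(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (dstlen == 0)
        return (size_t)-1;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        char buf[4] = { '\\', 0, 0, 0 };
        size_t n = 2;

        switch (*p) {
        case '\\': buf[1] = '\\'; break;
        case '\n': buf[1] = 'n'; break;
        case '\r': buf[1] = 'r'; break;
        case '\t': buf[1] = 't'; break;
        default:
            if (*p >= 0x20 && *p < 0x7f) {
                buf[0] = (char)*p; n = 1;
            } else {
                buf[1] = 'x'; buf[2] = hex[*p >> 4]; buf[3] = hex[*p & 0xf]; n = 4;
            }
        }
        if (o + n >= dstlen)          /* keep one byte for the terminator */
            return (size_t)-1;
        memcpy(dst + o, buf, n);
        o += n;
    }
    dst[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: a request path carrying screen-clear and colour sequences. */
    const char *uri = "/index.html\x1b[2J\x1b[31mspoofed entry\r\n";
    char line[256];

    if (log_escape(uri, line, sizeof line) != (size_t)-1)
        printf("rewrite log: \"%s\"\n", line);
    return 0;
}
```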