httpd-2.0.51 RELEASE tonight

Apache 2.0.51 will be released tonight on our YUM repositories. Your servers will update automatically if auto-update is turned on. It’s already in our RHT90 EXPERIMENTAL YUM repository for those who want to update before the official release.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Apache Software Foundation and The Apache HTTP Server Project
are pleased to announce the release of version 2.0.51 of the Apache
HTTP Server (“Apache”). This Announcement notes the significant
changes in 2.0.51 as compared to 2.0.50.

This version of Apache is principally a bug fix release. Of
particular note is that 2.0.51 addresses five security
vulnerabilities:

An input validation issue in IPv6 literal address parsing which
can result in a negative length parameter being passed to memcpy.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786]

A buffer overflow in configuration file parsing could allow a
local user to gain the privileges of a httpd child if the server
can be forced to parse a carefully crafted .htaccess file.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0747]

A segfault in mod_ssl which can be triggered by a malicious
remote server, if proxying to SSL servers has been configured.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0751]

A potential infinite loop in mod_ssl which could be triggered
given particular timing of a connection abort.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748]

A segfault in mod_dav_fs which can be remotely triggered by an
indirect lock refresh request.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0809]

The Apache HTTP Server Project would like to thank Codenomicon for
supplying copies of their “HTTP Test Tool” used to discover
CAN-2004-0786, and SITIC for reporting the discovery of
CAN-2004-0747.

This release is compatible with modules compiled for 2.0.42 and
later versions. We consider this release to be the best version of
Apache available and encourage users of all prior versions to
upgrade.

Apache HTTP Server 2.0.51 is available for download from

http://httpd.apache.org/download.cgi?update=200409150645

Please see the CHANGES_2.0 file, linked from the above page, for
a full list of changes.

Apache 2.0 offers numerous enhancements, improvements, and performance
boosts over the 1.3 codebase. For an overview of new features introduced
after 1.3 please see

http://httpd.apache.org/docs-2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep
in mind the following:
If you intend to use Apache with one of the threaded MPMs, you must
ensure that the modules (and the libraries they depend on) that you
will be using are thread-safe. Please contact the vendors of these
modules to obtain this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBSIdJZjW2wN6IXdMRAqbGAJsFz8XbVkQvpmreh8sHE3DeACXUKwCeJkpF
gxDK5D1j00qUCzksg872i1c=
=ghiQ
-----END PGP SIGNATURE-----