[ANNOUNCEMENT] Apache HTTP Server 2.4.2 Released

          Apache HTTP Server 2.4.2 Released

The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.2 of the Apache
HTTP Server ("Apache").  This version of Apache is our 2nd GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This version of Apache is
principally a security and bug fix release, including the following
security fix:

*) SECURITY: CVE-2012-0883 (cve.mitre.org)
  envvars: Fix insecure handling of LD_LIBRARY_PATH that could
  lead to the current working directory to be searched for DSOs.

Apache HTTP Server 2.4.2 is available for download from:

http://httpd.apache.org/download.cgi

Apache 2.4 offers numerous enhancements, improvements, and performance
boosts over the 2.2 codebase.  For an overview of new features
introduced since 2.4 please see:

http://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.4 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.4.2 includes only
those changes introduced since the prior 2.4 release.  A summary of all 
of the security vulnerabilities addressed in this and earlier releases 
is available:

[ANNOUNCEMENT] Apache HTTP Server 2.4.1 Released

              Apache HTTP Server 2.4.1 Released

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the GA release of version 2.4.1 of the Apache HTTP
Server. This version of Apache HTTP Server is the first GA release of
the new 2.4.x branch.

Apache HTTP Server 2.4 provides a number of improvements and
enhancements over the 2.2 version. A listing and description of these
features is available via:

  http://httpd.apache.org/docs/2.4/new_features_2_4.html

Please see the CHANGES_2.4 file, linked from the download page, for a
full list of changes.

We consider this release to be the best version of Apache HTTP Server
available, and encourage users of all prior versions to upgrade.
Apache HTTP Server 2.4.1 is available for download from:

  http://httpd.apache.org/download.cgi

This release requires the Apache Portable Runtime (APR) version 1.4.x
and APR-Util version 1.4.x. The APR libraries must be upgraded for all
features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API. Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.4, and may require minimal source code changes.

Apache HTTP Server 2.2.22 Released

                       Apache HTTP Server 2.2.22 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.22 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a security
   and bug fix release, including the following significant security fixes:

   * SECURITY: CVE-2011-3368 (cve.mitre.org)
     Reject requests where the request-URI does not match the HTTP
     specification, preventing unexpected expansion of target URLs in
     some reverse proxy configurations.

   * SECURITY: CVE-2011-3607 (cve.mitre.org)
     Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
     is enabled, could allow local users to gain privileges via a .htaccess
     file.

   * SECURITY: CVE-2011-4317 (cve.mitre.org)
     Resolve additional cases of URL rewriting with ProxyPassMatch or
     RewriteRule, where particular request-URIs could result in undesired
     backend network exposure in some configurations.

   * SECURITY: CVE-2012-0021 (cve.mitre.org)
     mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
     string is in use and a client sends a nameless, valueless cookie, causing
     a denial of service. The issue existed since version 2.2.17.

   * SECURITY: CVE-2012-0031 (cve.mitre.org)
     Fix scoreboard issue which could allow an unprivileged child process
     could cause the parent to crash at shutdown rather than terminate

Advisory: mod_proxy reverse proxy exposure (CVE-2011-3368)

Apache HTTP Server Security Advisory
====================================

Title:       mod_proxy reverse proxy exposure

CVE:         CVE-2011-3368
Date:        20111005
Product:     Apache HTTP Server
Versions:    httpd 1.3 all versions, httpd 2.x all versions

Description:
============

An exposure was reported affecting the use of Apache HTTP Server in
reverse proxy mode.  We would like to thank Context Information
Security Ltd for reporting this issue to us.

When using the RewriteRule or ProxyPassMatch directives to configure a
reverse proxy using a pattern match, it is possible to inadvertently
expose internal servers to remote users who send carefully crafted
requests.  The server did not validate that the input to the pattern
match was a valid path string, so a pattern could expand to an
unintended target URL.

For future releases of the Apache HTTP Server, the software will
validate the request URI, correcting this specific vulnerability.  The
documentation has been updated to reflect the more general risks with
pattern matching in a reverse proxy configuration.

Apache HTTP Server 2.2.21 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.21 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a security
   and bug fix release:

     * SECURITY: CVE-2011-3348 (cve.mitre.org)
       mod_proxy_ajp when combined with mod_proxy_balancer: Prevents
       unrecognized HTTP methods from marking ajp: balancer members
       in an error state, avoiding denial of service.

     * SECURITY: CVE-2011-3192 (cve.mitre.org)
       core: Further fixes to the handling of byte-range requests to use
       less memory, to avoid denial of service. This patch includes fixes
       to the patch introduced in release 2.2.20 for protocol compliance,
       as well as the MaxRanges directive.

   Note the further advisories on the state of CVE-2011-3192 will no longer
   be broadcast, but will be kept up to date at;

     http://httpd.apache.org/security/CVE-2011-3192.txt

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.2.21 is available for download from:

     http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.21 provides the

Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)

          Apache HTTPD Security ADVISORY
          ==============================
                    UPDATE 2

Title:       Range header DoS vulnerability Apache HTTPD 1.3/2.x

CVE:         CVE-2011-3192
Last Change: 20110826 1030Z
Date:        20110824 1600Z
Product:     Apache HTTPD Web Server
Versions:    Apache 1.3 all versions, Apache 2 all versions

Changes since last update
=========================
In addition to the 'Range' header - the 'Range-Request' header is equally
affected. Furthermore various vendor updates, improved regexes (speed and
accommodating a different and new attack pattern).

Description:
============

A denial of service vulnerability has been found in the way the multiple 
overlapping ranges are handled by the Apache HTTPD server:

     http://seclists.org/fulldisclosure/2011/Aug/175 

An attack tool is circulating in the wild. Active use of this tool has 
been observed.

Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x \(CVE-2011-3192\)

          Apache HTTPD Security ADVISORY
          ==============================

Title:    Range header DoS vulnerability Apache HTTPD 1.3/2.x

CVE:      CVE-2011-3192: 
Date:     20110824 1600Z
Product:  Apache HTTPD Web Server
Versions: Apache 1.3 all versions, Apache 2 all versions

Description:
============

A denial of service vulnerability has been found in the way the multiple 
overlapping ranges are handled by the Apache HTTPD server:

     http://seclists.org/fulldisclosure/2011/Aug/175 

An attack tool is circulating in the wild. Active use of this tools has 
been observed.

The attack can be done remotely and with a modest number of requests can 
cause very significant memory and CPU usage on the server. 

The default Apache HTTPD installation is vulnerable.

There is currently no patch/new version of Apache HTTPD which fixes this 
vulnerability. This advisory will be updated when a long term fix 
is available. 

Apache HTTP Server 2.2.19 Released

                       Apache HTTP Server 2.2.19 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.19 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a bug fix
   release, correcting regressions in the httpd 2.2.18 package; the use
   of that previous 2.2.18 package is discouraged due to these flaws:

     * SECURITY: CVE-2011-1928 (cve.mitre.org)
       A fix in bundled APR 1.4.4 apr_fnmatch() to address CVE-2011-0419
       introduced a new vulnerability.  httpd workers enter a hung state
       (100% cpu utilization) after updating to APR 1.4.4.  Upgrading to
       APR 1.4.5 bundled with the httpd 2.2.19 package, or using APR 1.4.3
       or prior with the 'IgnoreClient' option of the 'IndexOptions'
       directive will circumvent both issues.

     * httpd 2.2.18: The ap_unescape_url_keep2f() function signature was
       inadvertantly changed. This breaks binary compatibility of a number
       of third-party modules.  This httpd-2.2.19 package restores the
       function signature provided by 2.2.17 and prior.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.2.19 is available for download from:

     http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.19 provides the

Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11

New releases are in progress for each of these projects and are
expected to be available in the coming days.  The upcoming httpd
2.2.19 will bundle new releases of apr and apr-util which correct
the regressions described below.  An announcement of these releases
will be broadcast.

Note: httpd 2.2.18 bundles apr 1.4.4 and apr-util 1.3.11.

Summary of regressions:

httpd 2.2.18: The ap_unescape_url_keep2f() function signature was changed.
This breaks binary compatibility of a number of third-party modules. In
addition, a regression in apr 1.4.4 (see below) could cause httpd to hang.

apr 1.4.4: A fix in apr 1.4.4 apr_fnmatch() to address CVE-2011-0419
introduced a new vulnerability.  A patch is attached and should be used
if httpd workers enter a hung state (100% cpu utilization) after updating
to httpd 2.2.18 or apr-util 1.4.4, or if hangs are seen in other apr
applications which use apr_fnmatch().

apr-util 1.3.11: A fix to LDAP support in apr-util 1.3.11 could cause
crashes with httpd's mod_authnz_ldap in some situations.

--- srclib\apr\strings\apr_fnmatch.orig	Mon May 02 23:51:24 2011
+++ srclib\apr\strings\apr_fnmatch.c	Wed May 18 13:09:52 2011
@@ -196,7 +196,10 @@
     const char *mismatch = NULL;

Apache HTTP Server 2.2.18 Released

                       Apache HTTP Server 2.2.18 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.18 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a bug fix
   release, and a security fix release of the APR 1.4.4 dependency;

     * SECURITY: CVE-2011-0419 (cve.mitre.org)
       apr_fnmatch flaw leads to mod_autoindex remote DoS
       Where mod_autoindex is enabled, and a directory indexed by
       mod_autoindex contained files with sufficiently long names,
       a carefully crafted request may cause excessive CPU usage
       Upgrading to APR 1.4.4, or setting the 'IgnoreClient' option
       of the 'IndexOptions' directive circumvents this risk.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.2.18 is available for download from:

     http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.18 provides the
   complete list of changes since 2.2.17.  A summary of all of the security
   vulnerabilities addressed in this and earlier releases is available:

     http://httpd.apache.org/security/vulnerabilities_22.html

   This release includes the Apache Portable Runtime (APR) version 1.4.4

Apache HTTP Server 2.3.11-Beta Released

                Apache HTTP Server 2.3.11-beta Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.3.11-beta of the Apache HTTP
   Server ("Apache").  This version of Apache is our initial Beta release
   of Apache httpd 2.4 to test new technology and features that are incompatible
   or too large for the stable 2.2.x branch. This Beta release should not be
   presumed to be compatible with binaries built against any prior or future
   version, although, as a Beta, the API is in a semi-frozen state.

   Apache HTTP Server 2.3.11-beta is available for download from:

     http://httpd.apache.org/download.cgi

   Apache 2.3 offers numerous enhancements, improvements, and performance
   boosts over the 2.2 codebase.  For an overview of new features
   introduced since 2.3 please see:

     http://httpd.apache.org/docs/trunk/new_features_2_4.html

   Please see the CHANGES_2.3 file, linked from the download page, for a
   full list of changes.

   This release includes the Apache Portable Runtime (APR) version 1.4.2
   and APR-Util version 1.3.10 in a separate -deps tarball.  The APR libraries
   must be upgraded for all features of httpd to operate correctly.

   This release builds on and extends the Apache 2.2 API.  Modules written
   for Apache 2.2 will need to be recompiled in order to run with Apache
   2.3, and require minimal or no source code changes.