Re: Apache HTTP Server 2.2.19 Released

>                        Apache HTTP Server 2.2.19 Released
>
>    The Apache Software Foundation and the Apache HTTP Server Project are
>    pleased to announce the release of version 2.2.19 of the Apache HTTP
>    Server ("Apache").  This version of Apache is principally a bug fix
>    release, correcting regressions in the httpd 2.2.18 package; the use
>    of that previous 2.2.18 package is discouraged due to these flaws:
>
>      * SECURITY: CVE-2011-1928 (cve.mitre.org)
>        A fix in bundled APR 1.4.4 apr_fnmatch() to address CVE-2011-0419
>        introduced a new vulnerability.  httpd workers enter a hung state
>        (100% cpu utilization) after updating to APR 1.4.4.  Upgrading to
>        APR 1.4.5 bundled with the httpd 2.2.19 package, or using APR 1.4.3
>        or prior with the 'IgnoreClient' option of the 'IndexOptions'
>        directive will circumvent both issues.
>
>      * httpd 2.2.18: The ap_unescape_url_keep2f() function signature was
>        inadvertantly changed. This breaks binary compatibility of a number
>        of third-party modules.  This httpd-2.2.19 package restores the
>        function signature provided by 2.2.17 and prior.
>
>    We consider this release to be the best version of Apache available, and
>    encourage users of all prior versions to upgrade.
>
>    Apache HTTP Server 2.2.19 is available for download from:
>
>      http://httpd.apache.org/download.cgi
>
>    Please see the CHANGES_2.2 file, linked from the download page, for a
>    full list of changes.  A condensed list, CHANGES_2.2.19 provides the
>    complete list of changes since 2.2.18.  A summary of all of the security
>    vulnerabilities addressed in this and earlier releases is available:
>
>      http://httpd.apache.org/security/vulnerabilities_22.html
>
>    This release includes the Apache Portable Runtime (APR) version 1.4.5
>    and APR Utility Library (APR-util) version 1.3.12, bundled with the tar
>    and zip distributions.  The APR libraries libapr and libaprutil (and
>    on Win32, libapriconv version 1.2.1) must all be updated to ensure
>    binary compatibility and address many known security and platform bugs.
>
>    Apache 2.2 offers numerous enhancements, improvements, and performance
>    boosts over the 2.0 codebase.  For an overview of new features
>    introduced since 2.0 please see:
>
>      http://httpd.apache.org/docs/2.2/new_features_2_2.html
>
>    This release builds on and extends the Apache 2.0 API.  Modules written
>    for Apache 2.0 will need to be recompiled in order to run with Apache
>    2.2, and require minimal or no source code changes.
>
>      http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING
>
>    When upgrading or installing this version of Apache, please bear in mind
>    that if you intend to use Apache with one of the threaded MPMs (other
>    than the Prefork MPM), you must ensure that any modules you will be
>    using (and the libraries they depend on) are thread-safe.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: [hidden email]
>    "   from the digest: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>