The expected-to-be-final alpha release of Apache HTTP Server
(aka, Apache httpd) 2.3.10-alpha is now available for download,
test and use.

Based on user and developer feedback, the next release of the
next-gen version of Apache httpd will likely be our first beta.
The hope and expectation is to push for a quick beta cycle and
a 2.4.0 GA release around the beginning of 2011.

Apache httpd 2.3.10-alpha can be found at:

	http://httpd.apache.org/

        libapreq2-2.13 Released

The Apache Software Foundation and The Apache HTTP Server Project
are pleased to announce the 2.13 release of libapreq2.  This
Announcement notes significant changes introduced by this release.

libapreq2-2.13 is released under the Apache License
version 2.0.  It is now available through the ASF mirrors

      http://httpd.apache.org/apreq/download.cgi

and has entered the CPAN as 

  file: $CPAN/authors/id/I/IS/ISAAC/libapreq2-2.13.tar.gz
  size: 891320 bytes
   md5: c11fb0861aa84dcc6cd0f0798b045eee


libapreq2 is an APR-based shared library used for parsing HTTP cookies,
query-strings and POST data.  This package provides

    1) version 2.8.0 of the libapreq2 library,

    2) mod_apreq2, a filter module necessary for using libapreq2
       within the Apache HTTP Server,

    3) the Apache2::Request, Apache2::Cookie, and Apache2::Upload
       perl modules for using libapreq2 with mod_perl2.

========================================================================

Changes with libapreq2-2.13 (released December 3, 2010)

- HTTP Only Cookie [Robert Stone & Adam Prime]
  The C and Perl Cookie APIs now support an HttpOnly flag to tell 
  user agents to deny client-side script access to the cookie

  The Apache Software Foundation and the Apache HTTP Server Project are
  pleased to announce the release of version 2.3.6 of mod_fcgid, a
  FastCGI implementation for Apache HTTP Server versions 2.0, 2.2, and
  future 2.4.  This version of mod_fcgid is a bug fix release.

  A fix is included for CVE-2010-3872, a potential vulnerability which
  can affect sites with untrusted FastCGI applications.

  Additionally, default configuration settings for request body handling
  have been changed to prevent large system resource use.  Administrators
  of all versions of mod_fcgid are strongly cautioned to ensure that
  FcgidMaxRequestLen is configured appropriately.

  mod_fcgid is available for download from:

    http://httpd.apache.org/download.cgi

  A full list of changes in this release follows:

  *) SECURITY: CVE-2010-3872 (cve.mitre.org)
     Fix possible stack buffer overwrite.  Diagnosed by the reporter.
     PR 49406.  [Edgar Frank <ef-lists email.de>]

  *) Change the default for FcgidMaxRequestLen from 1GB to 128K.
     Administrators should change this to an appropriate value based on
     site requirements.  [Jeff Trawick]

  *) Allow FastCGI apps more time to exit at shutdown before being
     forcefully killed.  [Jeff Trawick]

  *) Correct a problem that resulted in FcgidMaxProcesses being ignored
     in some situations.  PR 48981.  [<rkosolapov gmail.com>]

  *) Fix the search for processes with the proper vhost config when
     ServerName isn't set in every vhost or a module updates
     r->server->server_hostname dynamically (e.g., mod_vhost_cdb)
     or a module updates r->server dynamically (e.g., mod_vhost_ldap).
     [Jeff Trawick]

  *) FcgidPassHeader now maps header names to environment variable names
     in the usual manner: The header name is converted to upper case and
     is prefixed with HTTP_.  An additional environment variable is
     created with the legacy name.  PR 48964.  [Jeff Trawick]

  *) Allow processes to be reused within multiple phases of a request
     by releasing them into the free list as soon as possible.
     [Chris Darroch]

  *) Fix lookup of process command lines when using FcgidWrapper or
     access control directives, including within .htaccess files.
     [Chris Darroch]

  *) Resolve a regression in 2.3.5 with httpd 2.0.x on some Unix platforms;
     ownership of mutex files was incorrect, resulting in a startup failure.
     PR 48651.  [Jeff Trawick, <pservit gmail.com>]

  *) Return 500 instead of segfaulting when the application returns no output.
     [Tatsuki Sugiura <sugi nemui.org>, Jeff Trawick]

  *) In FCGI_AUTHORIZER role, avoid spawning a new process for every
     different HTTP request.  [Chris Darroch]

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.17 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a bug fix
   release, and a security fix release of the APR-util 1.3.10 dependency;

     * SECURITY: CVE-2010-1623 (cve.mitre.org)
       Fix a denial of service attack against apr_brigade_split_line().

     * SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
       Fix two buffer over-read flaws in the bundled copy of expat which
       could cause httpd to crash while parsing specially-crafted
       XML documents.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.2.17 is available for download from:

     http://httpd.apache.org/download.cgi

   Apache HTTP Server 2.0.64 legacy release is also currently available,
   with the same vulnerability correction as well as many others fixed in
   2.2.16 and earlier releases.  See the corresponding CHANGES files linked
   from the download page.  The Apache HTTP Project developers strongly
   encourage all users to migrate to Apache 2.2, as only limited and less
   frequent maintenance is provided for legacy versions.

   Apache 2.2 offers numerous enhancements, improvements, and performance
   boosts over the 2.0 codebase.  For an overview of new features
   introduced since 2.0 please see:

     http://httpd.apache.org/docs/2.2/new_features_2_2.html

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.17 provides the
   complete list of changes since 2.2.16.  A summary of all of the security
   vulnerabilities addressed in this and earlier releases is available:

     http://httpd.apache.org/security/vulnerabilities_22.html

   This release includes the Apache Portable Runtime (APR) version 1.4.2
   and APR Utility Library (APR-util) version 1.3.10, bundled with the tar
   and zip distributions.  The APR libraries libapr and libaprutil (and
   on Win32, libapriconv version 1.2.1) must all be updated to ensure
   binary compatibility and address many known security and platform bugs.

   This release builds on and extends the Apache 2.0 API.  Modules written
   for Apache 2.0 will need to be recompiled in order to run with Apache
   2.2, and require minimal or no source code changes.

     http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.