Apache HTTP Server 2.3.8-alpha Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.3.8-alpha of the Apache HTTP Server ("Apache").

This version of Apache is principally an alpha release to test new technology and features that are incompatible or too large for the stable 2.2.x branch. This alpha release should not be presumed to be compatible with binaries built against any prior or future version. This release is expected to be the last alpha release; subsequent releases will be beta releases as we move towards 2.4.0-GA.

Apache HTTP Server 2.3.8-alpha is available for download from:

http://httpd.apache.org/download.cgi

Apache 2.3 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. For an overview of new features introduced since 2.3 please see:

http://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.3 file, linked from the download page, for a full list of changes.

This release includes the Apache Portable Runtime (APR) version 1.4.2 and APR-Util version 1.3.9 in a separate -deps tarball. The APR libraries must be upgraded for all features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API. Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.3, and require minimal or no source code changes.

http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING
Category Archives: Apache
Apache Security
[ANNOUNCEMENT] Apache HTTP Server 2.3.6-alpha Released
Apache HTTP Server 2.3.6-alpha Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.3.6-alpha of the Apache HTTP Server ("Apache").

This version of Apache is principally an alpha release to test new technology and features that are incompatible or too large for the stable 2.2.x branch. This alpha release should not be presumed to be compatible with binaries built against any prior or future version.

Apache HTTP Server 2.3.6-alpha is available for download from:

http://httpd.apache.org/download.cgi

Apache 2.3 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. For an overview of new features introduced since 2.3 please see:

http://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.3 file, linked from the download page, for a full list of changes.

This release includes the Apache Portable Runtime (APR) version 1.4.2 and APR-Util version 1.3.9 in a separate -deps tarball. The APR libraries must be upgraded for all features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API. Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.3, and require minimal or no source code changes.

http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING
[advisory] httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068
Vulnerability: httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068

Classification: important

Description: A timeout detection flaw in the httpd mod_proxy_http module causes a proxied response to be sent as the response to a different request, and potentially served to a different client, from the HTTP proxy pool worker pipeline. This may represent a confidential data revealing flaw.

This affects only Netware, Windows or OS2 builds of httpd version 2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha, when the proxy worker pools have been enabled. Earlier 2.2, 2.0 and 1.3 releases were not affected.

Acknowledgements: We would like to thank Loren Anderson for the thorough research and reporting of this flaw.

Mitigation: Apply any one of the following mitigations to avert the possibility of confidential information disclosure.

* Do not load mod_proxy_http.
* Do not configure/enable any http proxy worker pools with ProxySet or ProxyPass optional arguments.
* The straightforward workaround to disable mod_proxy_http's reuse of backend connection pipelines is to set the following global directive:

  SetEnv proxy-nokeepalive 1

* Replace mod_proxy_http.so with a patched version; for source code see http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/ or http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/ and for binaries see the http://www.apache.org/dist/httpd/binaries/ tree for win32 or netware, as appropriate.
* Upgrade to Apache httpd 2.2.16 or higher, once released. There is no tentative release date scheduled.

Update Released: 11th June 2010
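The following configuration is an added example to make the second and third mitigations concrete; it is not part of the advisory and not a file shipped with httpd. Hostnames, paths and pool sizes are assumed. The optional key=value arguments on ProxyPass (min/max/smax/ttl/timeout) are what create a reusable worker pool of persistent backend connections, which is the condition the advisory names; the global SetEnv from the advisory then forces every backend connection to be dropped after a single exchange, so a late-arriving response on a pooled connection can no longer be handed to a different client's request.

```apache
# Added example, not the advisory's own configuration. Hostnames and paths are assumed.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Global workaround from the advisory, placed in the main server context so it
# is inherited by every virtual host: mod_proxy_http sends "Connection: close"
# to the backend and never reuses a pooled backend connection. This is what
# removes the exposure on the affected Windows, NetWare and OS/2 builds.
SetEnv proxy-nokeepalive 1

<VirtualHost *:80>
    ServerName www.example.com
    ProxyRequests Off

    # The key=value arguments after the backend URL create the worker pool.
    # With the SetEnv above the pool still exists but connections are not
    # kept alive across requests; removing these arguments altogether is the
    # advisory's second mitigation and an alternative to the SetEnv.
    ProxyPass        /app/ http://app-backend.internal:8080/app/ min=2 max=20 smax=5 ttl=120 timeout=30
    ProxyPassReverse /app/ http://app-backend.internal:8080/app/
</VirtualHost>
```

The SetEnv costs a new TCP connection to the backend per proxied request, so expect higher backend connection churn until the patched mod_proxy_http.so or 2.2.16 is deployed. Unix builds of the listed versions are not affected and do not need the workaround.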
[Announce] Apache HTTP Server (httpd) 2.2.15 Released
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release and immediate availability of version 2.2.15 of the Apache HTTP Server ("httpd").

This version of httpd is principally a security and bug fix release. Notably, this release was updated to reflect the OpenSSL Project's release 0.9.8m of the openssl library, and addresses CVE-2009-3555 (cve.mitre.org), the TLS renegotiation prefix injection attack. This release further addresses the issues CVE-2010-0408, CVE-2010-0425 and CVE-2010-0434 within mod_proxy_ajp, mod_isapi and mod_headers respectively. We consider this release to be the best version of httpd available, and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.15 is available for download from:

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.15, provides the complete list of changes since 2.2.14. A summary of security vulnerabilities which were addressed in the previous 2.2.14 and earlier releases is available:

http://httpd.apache.org/security/vulnerabilities_22.html

Apache HTTP Server 2.2.15 is compatible with Apache Portable Runtime (APR) versions 1.3 and 1.4, APR-util library version 1.3, and APR-iconv library version 1.2. The most current releases should be used to address known security and platform bugs. At the time of this httpd release, the recommended APR releases are:

* Apache Portable Runtime (APR) library version 1.4.2 (bundled), or at minimum, version 1.3.12
* APR-util library version 1.3.9 (bundled)
* APR-iconv library version 1.2.1 (only bundled in win32-src.zip)

Older releases of these libraries have known vulnerabilities or other defects affecting httpd. For further information and downloads, visit:

http://apr.apache.org/

Apache HTTP Server 2.2 offers numerous enhancements, bug fixes, and performance enhancements over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:

http://httpd.apache.org/docs/2.2/new_features_2_2.html

This release builds upon and extends the httpd 2.0 API. Modules written for httpd 2.0 will need to be recompiled in order to run with httpd 2.2, and may require minimal or no source code changes.

When upgrading or installing this version of httpd, please bear in mind that if you intend to use httpd with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
Apache HTTP Server 1.3.42 released (final release of 1.3.x)
Apache HTTP Server 1.3.42 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 1.3.42 of the Apache HTTP Server ("Apache").

This release is intended as the final release of version 1.3 of the Apache HTTP Server, which has reached end of life status. There will be no more full releases of Apache HTTP Server 1.3. However, critical security updates may be made available from the following website:

http://www.apache.org/dist/httpd/patches/

Our thanks go to everyone who has helped make Apache HTTP Server 1.3 the most successful, and most used, webserver software on the planet!

This Announcement notes the significant changes in 1.3.42 as compared to 1.3.41. This version of Apache is principally a bug and security fix release. The following moderate security flaw has been addressed:

* CVE-2010-0010 (cve.mitre.org) mod_proxy: Prevent chunk-size integer overflow on platforms where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.

Please see the CHANGES_1.3.42 file in this directory for a full list of changes for this version.

Apache 1.3.42 is the final stable release of the Apache 1.3 family. We strongly recommend that users of all earlier versions, including 1.3 family releases, upgrade to the current 2.2 version as soon as possible. For information about how to upgrade, please see the documentation:

http://httpd.apache.org/docs/2.2/upgrading.html

Apache 1.3.42 is available for download from

http://httpd.apache.org/download.cgi

This service utilizes the network of mirrors listed at:

http://www.apache.org/mirrors/

Binary distributions may be available for your specific platform from

http://www.apache.org/dist/httpd/binaries/

Binaries distributed by the Apache HTTP Server Project are provided as a courtesy by individual project contributors. The project makes no commitment to release the Apache HTTP Server in binary form for any particular platform, nor on any particular schedule.

IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS variants. While the ports to non-Unix platforms (such as Win32, Netware or OS2) will function for some applications, Apache 1.3 is not designed for these platforms. Apache 2 was designed from the ground up for security, stability, or performance issues across all modern operating systems. Users of any non-Unix ports are strongly cautioned to move to Apache 2. The Apache project no longer distributes non-Unix platform binaries from the main download pages for Apache 1.3. If absolutely necessary, a binary may be available at http://archive.apache.org/dist/httpd/.

Apache 1.3.42 Major changes

Security vulnerabilities

The main security vulnerabilities addressed in 1.3.42 are:

*) SECURITY: CVE-2010-0010 (cve.mitre.org) mod_proxy: Prevent chunk-size integer overflow on platforms where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.

Bugfixes addressed in 1.3.42 are:

*) Protect logresolve from mismanaged DNS records that return blank/null hostnames.

-- Colm MacCárthaigh
Apache HTTP Server 2.3.5-alpha Released
Apache HTTP Server 2.3.5-alpha Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.3.5-alpha of the Apache HTTP Server ("Apache").

This version of Apache is principally an alpha release to test new technology and features that are incompatible or too large for the stable 2.2.x branch. This alpha release should not be presumed to be compatible with binaries built against any prior or future version.

Apache HTTP Server 2.3.5-alpha is available for download from:

http://httpd.apache.org/download.cgi

Apache 2.3 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. For an overview of new features introduced since 2.3 please see:

http://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.3 file, linked from the download page, for a full list of changes.

This release includes the Apache Portable Runtime (APR) version 1.4.2 and APR-Util version 1.3.9 in a separate -deps tarball. The APR libraries must be upgraded for all features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API. Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.3, and require minimal or no source code changes.

http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING
CVE-2009-3555 – apache/mod_ssl vulnerability and mitigation
Subject: CVE-2009-3555 - apache/mod_ssl vulnerability and mitigation

Apache httpd is affected by CVE-2009-3555[1] (The SSL Injection or MiM attack[2]). The Apache httpd webserver relies on OpenSSL for the implementation of the SSL/TLS protocol.

We strongly urge you to upgrade to OpenSSL 0.9.8l; and to be prepared to deploy OpenSSL 0.9.8m as it becomes available[3]. Note that these are for short term and mid-term mitigation only; the long term solution may well require a modification of the SSL and/or TLS protocols[4].

For those who are not able to upgrade OpenSSL swiftly and/or for those who need detailed logging - we recommend that you roll out this patch[5]:

http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
sha1: 28cd58f3758f1add39417333825b9d854f4f5f43

as soon as possible. This is a partial fix in lieu of the protocol issues being addressed and further changes to OpenSSL. Like the OpenSSL 0.9.8l stopgap measure this patch rejects in-session renegotiation.

If you are unable to patch and unable to roll out a newer version of OpenSSL, and you rely on Client Side Authentication with Certificates then we recommend that you 1) ensure that you limit your configuration to a single 'SSLClient require' on VirtualHost/Server level and 2) remove all other (re)negotiation/require directives. However this does NOT fully protect you - it just curtails authentication in this specific setting.

1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
2: http://www.links.org/?p=780, http://extendedsubset.com/?p=8
3: http://www.openssl.org/source/ and the openssl-announce mailing list on http://www.openssl.org/support/community.html
4: http://www.ietf.org/mail-archive/web/tls/current/msg03963.html
5: svn diff -r833581:833594 https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl
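An added configuration example, not part of the advisory, illustrating the last recommendation above for sites that cannot patch yet. The directive mod_ssl actually provides is SSLVerifyClient (the advisory's 'SSLClient require' refers to it). Hostnames and certificate paths are assumed. The first block shows the pattern that forces a mid-session renegotiation: client certificates are required only under /admin, so mod_ssl reads the request line and headers over the original session, notices the stricter per-Location requirement, and renegotiates; that renegotiation is the point at which CVE-2009-3555 lets an attacker splice a request prefix in front of the victim's request. The second block moves the single requirement to the VirtualHost level so the client certificate is settled in the initial handshake and no renegotiation is triggered by the configuration.

```apache
# Added example, not from the advisory. Hostnames and file paths are assumed.

# --- Pattern to avoid while unpatched ---------------------------------------
# A per-Location SSLVerifyClient (and likewise a per-directory SSLCipherSuite
# or SSLVerifyDepth change) makes mod_ssl renegotiate after the request has
# already been read over the original session.
<VirtualHost *:443>
    ServerName secure.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.example.com.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt
    DocumentRoot /var/www/secure

    <Location /admin>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# --- Advisory workaround ----------------------------------------------------
# Exactly one SSLVerifyClient require, at VirtualHost level, so the client
# certificate is requested in the initial handshake. No per-directory SSL
# directives remain that could trigger a renegotiation; content that does not
# need a client certificate has to live in a separate VirtualHost.
<VirtualHost *:443>
    ServerName admin.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/admin.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/admin.example.com.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2
    DocumentRoot /var/www/admin
</VirtualHost>
```

Two TLS virtual hosts on the same address and port, as in the second block, need either separate IP addresses or ports, or Server Name Indication (available from httpd 2.2.12 with an OpenSSL built with TLS extension support). As the advisory says, this only removes the renegotiation trigger from your own configuration; it does nothing against a client-initiated renegotiation, which is why the OpenSSL 0.9.8l upgrade or the linked patch (both reject in-session renegotiation) remains necessary.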
Apache HTTP Server 2.2.13 Released
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.13 of the Apache HTTP Server ("Apache").

This version of Apache is principally a security and bug fix release. Notably, this version bundles the APR Library version 1.3.8 and APR Utility Library version 1.3.9, which address a security concern which may be triggered by some third party modules. We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.13 is available for download from:

http://httpd.apache.org/download.cgi

Apache 2.2 offers numerous enhancements, improvements, and performance boosts over the 2.0 codebase. For an overview of new features introduced since 2.0 please see:

http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.13, provides the complete list of changes since 2.2.12. A summary of security vulnerabilities which were addressed in the previous 2.2.12 and earlier releases is available:

http://httpd.apache.org/security/vulnerabilities_22.html

Apache HTTP Server 1.3.41 and 2.0.63 legacy releases are also currently available. See the appropriate CHANGES from the url above. See the corresponding CHANGES files linked from the download page. The Apache HTTP Project developers strongly encourage all users to migrate to Apache 2.2, as only limited maintenance is performed on these legacy versions.

This release includes the Apache Portable Runtime (APR) version 1.3.8 bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv) must all be updated to ensure binary compatibility and address many known security and platform bugs.

This release builds on and extends the Apache 2.0 API. Modules written for Apache 2.0 will need to be recompiled in order to run with Apache 2.2, and require minimal or no source code changes.

http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.