----- Forwarded message from Apache HTTP Server Project <wr...@apache.org> -----
> From: "Apache HTTP Server Project" <wr...@apache.org>
> Subject: [Announcement] Apache HTTP Server 2.2.25 Released
> To: annou...@subversion.apache.org
> Date: Wed, 10 Jul 2013 12:51:06 -0500
> Message-ID: <20130710125106.6a2eb0d7.wr...@rowe-clan.net>
>
> [Shared with subversion announce for significant mod_dav changes]
>
> Apache HTTP Server 2.2.25 Released
>
> The Apache Software Foundation and the Apache HTTP Server Project are
> pleased to announce the release of version 2.2.25 of the Apache HTTP
> Server ("Apache"). This version of Apache is principally a security
> and bug fix legacy release, including the following security fixes:
>
> * SECURITY: CVE-2013-1896 (cve.mitre.org)
>   mod_dav: Sending a MERGE request against a URI handled by
>   mod_dav_svn with the source href (sent as part of the request body
>   as XML) pointing to a URI that is not configured for DAV will
>   trigger a segfault.
>
> * SECURITY: CVE-2013-1862 (cve.mitre.org)
>   mod_rewrite: Ensure that client data written to the RewriteLog is
>   escaped to prevent terminal escape sequences from entering the
>   log file.
>
> The Apache HTTP Project thanks Ben Riser and Ramiro Molina for
> bringing these issues to the attention of the project security team.
>
> Errata: the build is known to fail against OpenSSL when that library
> is built to provide no SSLv2 support whatsoever. The following patch
> will successfully build httpd 2.2.25 against such OpenSSL
> installations:
>
> http://svn.apache.org/viewvc?view=revision&revision=1501712
>
> We consider the Apache HTTP Server 2.4 release to be the best version
> of Apache available, and encourage users of 2.2 and all prior
> versions to upgrade. This 2.2 legacy release is offered for those
> unable to upgrade at this time. For further details, see:
>
> http://www.apache.org/dist/httpd/Announcement2.4.txt
>
> Apache HTTP Server 2.4 and 2.2.25 are available for download from:
>
> http://httpd.apache.org/download.cgi
>
> Please see the CHANGES_2.2 file, linked from the download page, for a
> full list of changes. A condensed list, CHANGES_2.2.25 includes only
> those changes introduced since the prior 2.2 release. A summary of
> all of the security vulnerabilities addressed in this and earlier
> releases is available:
>
> http://httpd.apache.org/security/vulnerabilities_22.html
>
> This release includes the Apache Portable Runtime (APR) version 1.4.8
> and APR Utility Library (APR-util) version 1.5.2, bundled with the
> tar and zip distributions. The APR libraries libapr and libaprutil
> (and on Win32, libapriconv version 1.2.1) must all be updated to
> ensure binary compatibility and address many known security and
> platform bugs. APR-util version 1.5 represents a minor version
> upgrade from earlier httpd 2.2 source distributions.
>
> This release builds on and extends the Apache 2.0 API and is
> superseded by the Apache 2.4 API. Modules written for Apache 2.0
> or 2.4 will need to be recompiled in order to run with Apache 2.2,
> and most will require minimal or no source code changes.
>
> When upgrading or installing this version of Apache, please bear in
> mind that if you intend to use Apache with one of the threaded MPMs
> (other than the Prefork MPM), you must ensure that any modules you
> will be using (and the libraries they depend on) are thread-safe.
>
----- End forwarded message -----