brian 98/07/22 13:10:08
Modified: dist Announcement.html Announcement.txt
Log:
Get ready for wider announcement.

Revision Changes Path
1.8 +78 -27 apache-site/dist/Announcement.html

Index: Announcement.html
===================================================================
RCS file: /export/home/cvs/apache-site/dist/Announcement.html,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- Announcement.html 1998/06/06 02:52:24 1.7
+++ Announcement.html 1998/07/22 20:10:07 1.8
@@ -1,45 +1,96 @@ <HTML> <HEAD> -<TITLE>Apache 1.3.0 Released</TITLE> +<TITLE>Apache 1.3.1 Released</TITLE> </HEAD> <BODY> -<H1>Apache 1.3.0 Released</H1> +<H1>Apache 1.3.1 Released</H1> <P> - The Apache Group is pleased to announce the release of the long - awaited 1.3.0 version of the Apache HTTP server. A dozen months, - hundreds of patches and over 100 code contributors helped make the - release of 1.3.0 a reality. +The Apache Group is pleased to announce the release of version 1.3.1 +of the Apache HTTP server. <P> - Apache 1.3.0 is the most stable version of Apache currently available; - everyone running 1.2.X servers or earlier should upgrade to 1.3, as we - will stop providing support for the 1.2.X tree, though we may make a - release of 1.2.7. At present, the Win95/NT port of Apache is not - as stable as the UNIX version. Further releases of the 1.3.x tree - will bring the Win95/NT port closer to parity. +The changes in this release consist of UNIX portability fixes, Win32 +security issues, and assorted other minor features or fixes. <P> - To grab the latest Apache distribution, check out - <A HREF="http://www.apache.org/dist/">http://www.apache.org/dist/</A> - and the huge list of available "International Mirror Sites" at - <A HREF="http://www.apache.org/mirrors/">http://www.apache.org/mirrors/</A> +<B>WE URGE ALL USERS RUNNING ANY PREVIOUS VERSION OF APACHE ON WIN32 +TO UPGRADE IMMEDIATELY.</B> -<P> - For an overview of new features in 1.3 please read see +<P> +Users on other platforms should review the CHANGES file and decide +on their upgrade plans; the security issues apply only to Apache +on Win32. We consider Apache 1.3.1 to be the most stable version +of Apache available. 
+ +<P> +Apache 1.3.1 is available for download from - <A HREF="http://www.apache.org/docs/new_features_1_3.html"> - http://www.apache.org/docs/new_features_1_3.html</A> +<UL> + <A HREF="http://www.apache.org/dist/">http://www.apache.org/dist/</A> +</UL> <P> - In general, Apache 1.3.0 offers several substantial improvements - over previous versions, including better performance, reliability - and a wider-range of supported platforms, including Windows95 and - NT. +Please see the CHANGES file in the same directory for a full list of +changes. The distribution is also available via any of the mirrors +listed at + +<UL> + <A HREF="http://www.apache.org/mirrors/">http://www.apache.org/mirrors/</A> +</UL> + +<P> +For an overview of new features in 1.3 please see + +<UL> + <A HREF="http://www.apache.org/docs/new_features_1_3.html">http://www.apache.org/docs/new_features_1_3.html</A> +</UL> <P> - Apache is the most popular web-server in the known universe; over - half of the servers on the Internet are running Apache or one of its - variants. +In general, Apache 1.3 offers several substantial improvements +over version 1.2, including better performance, reliability +and a wider-range of supported platforms, including Windows 95 and +NT (which both fall under the "Win32" label). +<P> +Apache is the most popular web-server in the known universe; over +half of the servers on the Internet are running Apache or one of its +variants. + +<P> +<B>IMPORTANT NOTE FOR WIN32 USERS:</B> Over the years, many users have +come to trust Apache as a secure and stable server. It must +be realized that the current Win32 code has not yet reached these +levels and should still be considered to be of beta quality. Any +Win32 stability or security problems do not impact, in any way, +Apache on other platforms. With the continued donation of time +and resources by individuals and companies, we hope that the Win32 +version of Apache will grow stronger through the 1.3.x release +cycle. 
+ +<P>Versions of Apache on Win32 prior to version 1.3.1 are vulnerable +to a number of security holes common to several Win32 servers. +The problems that impact Apache include: + +<UL> + <LI> trailing "."s are ignored by the file system. This allowed + certain types of access restrictions to be bypassed. + <LI>directory names of three or more dots (eg. "...") are + considered to be valid similar to "..". This allowed people + to gain access to files outside of the configured document + trees. +</UL> + +<P> +There have been at least four other similar instances of the same +basic problem: on Win32, there is more than one name for a file. +Some of these names are poorly documented or undocumented, and even +Microsoft's own IIS has been vulnerable to many of these problems. +This behavior of the Win32 file system and API makes it very difficult +to insure future security; problems of this type have been known +about for years, however each specific instance has been discovered +individually. It is unknown if there are other, yet unpublicized, +filename variants. As a result, we recommend that you use extreme +caution when dealing with access restrictions on all Win32 web +servers. 1.4 +70 -30 apache-site/dist/Announcement.txt Index: Announcement.txt =================================================================== RCS file: /export/home/cvs/apache-site/dist/Announcement.txt,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- Announcement.txt 1998/06/06 02:52:24 1.3 +++ Announcement.txt 1998/07/22 20:10:07 1.4 
@@ -1,32 +1,72 @@ +Apache 1.3.1 Released +===================== - Apache 1.3.0 Released - ===================== +The Apache Group is pleased to announce the release of version 1.3.1 +of the Apache HTTP server. - The Apache Group is pleased to announce the release of the long - awaited 1.3.0 version of the Apache HTTP server. A dozen months, - hundreds of patches and over 100 code contributors helped make the - release of 1.3.0 a reality. - - Apache 1.3.0 is the most stable version of Apache currently available; - everyone running 1.2.X servers or earlier should upgrade to 1.3, as we - will stop providing support for the 1.2.X tree, though we may make a - release of 1.2.7. At present, the Win95/NT port of Apache is not - as stable as the UNIX version. Further releases of the 1.3.x tree - will bring the Win95/NT port closer to parity. - - To grab the latest Apache distribution, check out - http://www.apache.org/dist/ - and the huge list of available "International Mirror Sites" at - http://www.apache.org/mirrors/ - - For an overview of new features in 1.3 please read see - http://www.apache.org/docs/new_features_1_3.html - - In general, Apache 1.3.0 offers several substantial improvements - over previous versions, including better performance, reliability - and a wider-range of supported platforms, including Windows95 and - NT. - - Apache is the most popular web-server in the known universe; over - half of the servers on the Internet are running Apache or one of its - variants. +The changes in this release consist of UNIX portability fixes, Win32 +security issues, and assorted other minor features or fixes. + +WE URGE ALL USERS RUNNING ANY PREVIOUS VERSION OF APACHE ON WIN32 +TO UPGRADE IMMEDIATELY. + +Users on other platforms should review the CHANGES file and decide +on their upgrade plans; the security issues apply only to Apache +on Win32. We consider Apache 1.3.1 to be the most stable version +of Apache available. 
+ +Apache 1.3.1 is available for download from + + http://www.apache.org/dist/ + +Please see the CHANGES file in the same directory for a full list of +changes. The distribution is also available via any of the mirrors +listed at + + http://www.apache.org/mirrors/ + +For an overview of new features in 1.3 please see + + http://www.apache.org/docs/new_features_1_3.html + +In general, Apache 1.3 offers several substantial improvements +over version 1.2, including better performance, reliability +and a wider-range of supported platforms, including Windows 95 and +NT (which both fall under the "Win32" label). + +Apache is the most popular web-server in the known universe; over +half of the servers on the Internet are running Apache or one of its +variants. + +IMPORTANT NOTE FOR WIN32 USERS: Over the years, many users have +come to trust Apache as a secure and stable server. It must +be realized that the current Win32 code has not yet reached these +levels and should still be considered to be of beta quality. Any +Win32 stability or security problems do not impact, in any way, +Apache on other platforms. With the continued donation of time +and resources by individuals and companies, we hope that the Win32 +version of Apache will grow stronger through the 1.3.x release +cycle. + +Versions of Apache on Win32 prior to version 1.3.1 are vulnerable +to a number of security holes common to several Win32 servers. +The problems that impact Apache include: + + - trailing "."s are ignored by the file system. This allowed + certain types of access restrictions to be bypassed. + - directory names of three or more dots (eg. "...") are + considered to be valid similar to "..". This allowed people + to gain access to files outside of the configured document + trees. + +There have been at least four other similar instances of the same +basic problem: on Win32, there is more than one name for a file. 
+Some of these names are poorly documented or undocumented, and even +Microsoft's own IIS has been vulnerable to many of these problems. +This behavior of the Win32 file system and API makes it very difficult +to insure future security; problems of this type have been known +about for years, however each specific instance has been discovered +individually. It is unknown if there are other, yet unpublicized, +filename variants. As a result, we recommend that you use extreme +caution when dealing with access restrictions on all Win32 web +servers.
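
Review bot: In the Announcement.html hunk, each of the three added <UL> ... </UL> blocks holds a bare <A HREF=...> with no <LI>, so the list element is only being used to indent the URL; add an <LI> before each link or use <BLOCKQUOTE> for the indentation. In the second added paragraph, "The changes in this release consist of UNIX portability fixes, Win32 security issues, ..." reads as though the release ships security issues; "fixes for Win32 security issues" says what is meant.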
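
Review bot: In the Announcement.txt hunk, "We consider Apache 1.3.1 to be the most stable version of Apache available" sits a few paragraphs above the Win32 note saying the Win32 code "should still be considered to be of beta quality"; scoping the first sentence to the platforms it holds for would keep a Win32 reader from applying it to their port. The reason behind "UPGRADE IMMEDIATELY" (the trailing-dot and "..." filename problems) only appears at the very end, so a short pointer to that section next to the upgrade notice would help. In the last paragraph "insure future security" should be "ensure future security", and "eg." in the dots item should be "e.g."; the same wording appears in the HTML copy.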