In the announce, we should have:

  proxy HTTP: If a response contains both Transfer-Encoding and a
  Content-Length, remove the Content-Length to eliminate an HTTP Request
  Smuggling vulnerability, and don't reuse the connection, stopping some
  HTTP Request Spoofing attacks. "The Apache httpd project thanks the
  Watchfire team of Linhart, Klein, Heled and Orrin for the responsible
  notification and disclosure of this information."

Do we have an incident number for this report as it pertains to the Apache
HTTP Server?

I agree with Jeff after spending quite a few hours; patches to the proxy now
diverge quite radically from 2.0's proxy_http.c. The band-aids will land in
slightly different places, but we should encourage folks to validate proper
proxied header and body transmission.

My goal is to tag and roll 2.0 by Friday for release early next week, unless
the fixes are ready sooner. There is a list of already-accepted patches in
status, if anyone wants to pick some low-hanging fruit for 2.0.

Bill

At 01:08 PM 6/26/2005, Paul Querna wrote:
>+1 for Alpha from Joe Orton, Brad Nicholes, Wilfredo Sánchez Vega, and Paul
>Querna.
>
>Therefore, I consider 2.1.6-alpha to be released.
>
>I have moved the 2.1.6-alpha source files to the dist folder to be picked up
>by mirrors. I will add it to the download.xml and index.xml for
>httpd.apache.org later today, after giving the mirrors time to pick it up.
>
>Thanks to everyone who tested it,
>
>-Paul
>
>Paul Querna wrote:
>
>>Please vote on releasing 2.1.6 as -alpha.
>>
>>Available at:
>>http://httpd.apache.org/dev/dist/
>>http://people.apache.org/~pquerna/dev/httpd-2.1.6/
>>
>>MD5 (httpd-2.1.6-alpha.tar.gz) = 4602f254693e64293bdf36c8d066c66b
>>MD5 (httpd-2.1.6-alpha.tar.bz2) = 26f457e6ab945ff1db7378a06aee046a
>>MD5 (httpd-2.1.6-alpha.tar.Z) = 39a7e0e084abc45e51a57a60cde3557b
>>
>>Thanks,
>>
>>Paul
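The header rule in Bill's proposed announce text (a response carrying both Transfer-Encoding and Content-Length: drop the Content-Length and do not reuse the connection) is the defence against the Watchfire request-smuggling technique, where two hops disagree about where one message ends and the next begins. The following Python is an added example for this thread, not code from httpd's proxy_http.c or from the Watchfire paper; the response bytes are constructed for the demonstration and the function names are mine. It parses one response both ways, shows that the two framings leave different bytes on the connection, and then applies the sanitisation the announce describes.

```python
"""Framing disagreement between Content-Length and chunked Transfer-Encoding,
and the sanitisation rule from the thread.  Added example, not httpd code."""
from __future__ import annotations


def split_message(raw: bytes) -> tuple[bytes, list[tuple[bytes, bytes]], bytes]:
    """Split an HTTP/1.1 message into (start line, header list, raw body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def header_value(headers: list[tuple[bytes, bytes]], name: bytes) -> bytes | None:
    """Case-insensitive header lookup (field names are case-insensitive)."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def frame_by_content_length(headers, body: bytes) -> tuple[bytes, bytes]:
    """Body as a Content-Length consumer sees it: (body, bytes left on the wire)."""
    n = int(header_value(headers, b"Content-Length"))
    return body[:n], body[n:]


def frame_by_chunked(body: bytes) -> tuple[bytes, bytes]:
    """Decode chunked framing: (decoded body, bytes after the 0-chunk terminator)."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # ignore extensions
        pos = eol + 2
        if size == 0:
            while True:  # skip trailer lines up to the blank line
                eol = body.index(b"\r\n", pos)
                line = body[pos:eol]
                pos = eol + 2
                if line == b"":
                    return bytes(out), body[pos:]
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("malformed chunk")
        pos += 2


def framing_disagreement(raw: bytes) -> bool:
    """True when the two framings leave different bytes on the connection,
    i.e. a downstream hop that picks the other framing sees a different
    'next message' than we do.  That leftover is the smuggled payload."""
    _, headers, body = split_message(raw)
    _, cl_left = frame_by_content_length(headers, body)
    _, te_left = frame_by_chunked(body)
    return cl_left != te_left


def sanitize_response(raw: bytes) -> tuple[bytes, bool]:
    """Apply the rule from the thread: if both Transfer-Encoding and
    Content-Length are present, remove Content-Length and report that the
    connection must not be reused.  Returns (rewritten message, close)."""
    status, headers, body = split_message(raw)
    close = False
    if header_value(headers, b"Transfer-Encoding") is not None and \
            header_value(headers, b"Content-Length") is not None:
        headers = [(n, v) for n, v in headers if n.lower() != b"content-length"]
        close = True
    head = b"\r\n".join([status] + [n + b": " + v for n, v in headers])
    return head + b"\r\n\r\n" + body, close


# Constructed sample: a 1-byte chunked body followed by bytes that a
# Content-Length consumer would never reach, and a chunked consumer would
# hand on as the start of the next response on a reused connection.
SMUGGLED_NEXT = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"  # constructed
AMBIGUOUS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"1\r\nA\r\n0\r\n\r\n" + SMUGGLED_NEXT
)
CLEAN = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"  # constructed

if __name__ == "__main__":
    print("framings disagree:", framing_disagreement(AMBIGUOUS))
    fixed, close = sanitize_response(AMBIGUOUS)
    print("close connection:", close)
    print(fixed.split(b"\r\n\r\n")[0].decode())
```

The Content-Length reader stops after `1\r\nA\r` and leaves the rest of the chunked body plus the trailing bytes on the connection; the chunked reader consumes through the `0` chunk and leaves exactly the trailing bytes. Once Content-Length is removed only the chunked framing remains, and closing the connection ensures nothing a peer might have framed differently can be read back as a second response.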
proxy HTTP: If a response contains both Transfer-Encoding and a Content-Length, remove the Content-Length to eliminate an HTTP Request Smuggling vulnerability, and and don't reuse the connection, stopping some HTTP Request Spoofing attacks. "The Apache httpd project thanks the Watchfire team of Linhart, Klein, Heled and Orrin for the responsible notification and disclosure of this information." Do we have an incident number for this report as it pertains to the Apache HTTP Server? I agree with Jeff after spending quite a few hours; patches to the proxy now diverge quite radically from 2.0's proxy_http.c. The band aids will land in slightly different places, but we should encourage folks to validate proper proxied header and body transmission. My goal is to tag and roll 2.0 by Friday for release early next week, unless the fixes are ready sooner. There is a list of already-accepted patches in status, if anyone wants to pick some low hanging fruit for 2.0. Bill At 01:08 PM 6/26/2005, Paul Querna wrote: >+1 for Alpha from Joe Orton, Brad Nicholes, Wilfredo Sánchez Vega, and Paul >Querna. > >Therefore, I consider 2.1.6-alpha to be released. > >I have moved the 2.1.6-alpha source files to the dist folder to be picked up >by mirrors. I will add it to the download.xml and index.xml for >httpd.apache.org later today, after giving the mirrors time to pick it up. > >Thanks to everyone who tested it, > >-Paul > >Paul Querna wrote: > >>Please vote on releasing 2.1.6 as -alpha. >> >>Available at: >>http://httpd.apache.org/dev/dist/ >>http://people.apache.org/~pquerna/dev/httpd-2.1.6/ >> >>MD5 (httpd-2.1.6-alpha.tar.gz) = 4602f254693e64293bdf36c8d066c66b >>MD5 (httpd-2.1.6-alpha.tar.bz2) = 26f457e6ab945ff1db7378a06aee046a >>MD5 (httpd-2.1.6-alpha.tar.Z) = 39a7e0e084abc45e51a57a60cde3557b >> >>Thanks, >> >>Paul >