Work on announcement

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@396531 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/Announcement b/Announcement
index c14fb743691406fac598d09df8546bf00692cc84..6e8ba8493d844cbf18672ed5c5ccc0b9fb961521 100644 (file)
--- a/Announcement
+++ b/Announcement
@@ -1,30 +1,23 @@
 
-                   Apache HTTP Server 1.3.34 Released
+                   Apache HTTP Server 1.3.35 Released
 
    The Apache Software Foundation and The Apache HTTP Server Project are
    pleased to announce the release of version 1.3.34 of the Apache HTTP
    Server ("Apache").  This Announcement notes the significant changes
-   in 1.3.34 as compared to 1.3.33.
-
-   The Announcement is also available in German and Japanese from:
-
-        http://www.apache.org/dist/httpd/Announcement.txt.de
-        http://www.apache.org/dist/httpd/Announcement.txt.ja
+   in 1.3.35 as compared to 1.3.34.
 
    This version of Apache is principally a bug and security fix release.
    A partial summary of the bug fixes is given at the end of this document.
    A full listing of changes can be found in the CHANGES file.  Of
-   particular note is that 1.3.34 addresses and fixes 2 potential
-   security issues:
-
-     o If a request contains both Transfer-Encoding and 
-       Content-Length headers, remove the Content-Length, mitigating some 
-       HTTP Request Splitting/Spoofing attacks.
+   particular note is that 1.3.35 addresses and fixes 1 potential
+   security issue:
 
-     o Added TraceEnable [on|off|extended] per-server directive to alter
-       the behavior of the TRACE method.
+     o CVE-2005-3352 (cve.mitre.org)
+       mod_imap: Escape untrusted referer header before outputting in HTML
+       to avoid potential cross-site scripting.  Change also made to
+       ap_escape_html so we escape quotes.  Reported by JPCERT
 
-   We consider Apache 1.3.34 to be the best version of Apache 1.3 available
+   We consider Apache 1.3.35 to be the best version of Apache 1.3 available
    and we strongly recommend that users of older versions, especially of
    the 1.1.x and 1.2.x family, upgrade as soon as possible.  No further
    releases will be made in the 1.2.x family.
@@ -72,33 +65,25 @@
    non-Unix ports do not generally apply to the Unix version, due to
    software's Unix origin.
 
-   Apache 2.0 has been structured for multiple operating systems from its 
+   Apache 2.0/2.2 has been structured for multiple operating systems from its 
    inception, by introducing the Apache Portability Library and MPM modules.
    Users on Unix and non-Unix platforms are strongly encouraged to move up to 
-   Apache 2.0 for better performance, stability and security on their
-   platforms. We consider Apache 2.0.55 to be the best available version at
-   the time of this release.  We offer Apache 1.3.34 as the best legacy
-   version of Apache 1.3 available, and strongly recommend that users who
-   require compatibility with existing Apache 1.3 installations should
+   Apache 2.0/2.2 for better performance, stability and security on their
+   platforms. We consider Apache 2.0.57 and 2.2.2 to be the best available
+   versions at the time of this release.  We offer Apache 1.3.35 as the best
+   legacy  version of Apache 1.3 available, and strongly recommend that users
+   who require compatibility with existing Apache 1.3 installations should
    upgrade as soon as possible.  Users should first consider upgrading to
    the current release of Apache 2 instead.
 
-                     Apache 1.3.34 Major changes
+                     Apache 1.3.35 Major changes
 
   Security vulnerabilities
 
-     * SECURITY: core: If a request contains both Transfer-Encoding and 
-       Content-Length headers, remove the Content-Length, mitigating some 
-       HTTP Request Splitting/Spoofing attacks.  This has no impact on
-       mod_proxy_http, yet affects any module which supports chunked
-       encoding yet fails to prefer T-E: chunked over the Content-Length
-       purported value.
-
-     * Added TraceEnable [on|off|extended] per-server directive to alter
-       the behavior of the TRACE method.  This addresses a flaw in proxy
-       conformance to RFC 2616 - previously the proxy server would accept
-       a TRACE request body although the RFC prohibited it.  The default
-       remains 'TraceEnable on'.
+     * SECURITY: CVE-2005-3352 (cve.mitre.org)
+       mod_imap: Escape untrusted referer header before outputting in HTML
+       to avoid potential cross-site scripting.  Change also made to
+       ap_escape_html so we escape quotes.  Reported by JPCERT.
 
   New features
 
@@ -108,13 +93,15 @@
 
    New features that relate to all platforms:
 
-     * None
+     * core: Allow usage of the "Include" configuration directive within
+       previously "Include"d files. [Colm MacCarthaigh]
 
   Bugs fixed
 
-   The following noteworthy bugs were found in Apache 1.3.33 (or earlier)
-   and have been fixed in Apache 1.3.34:
+   The following noteworthy bugs were found in Apache 1.3.34 (or earlier)
+   and have been fixed in Apache 1.3.35:
+
+     * HTML-escape the Expect error message.
 
-     * hsregex: fix potential core dumping on 64 bit machines, such as
-       AMD64. PR 31858.
-     * mod_digest: Fix another nonce string calculation issue.
+     * mod_cgi: Remove block on OPTIONS method so that scripts can
+     respond to OPTIONS directly rather than via server default.