- Apache HTTP Server 1.3.30 Released
+ Apache HTTP Server 1.3.31 Released
The Apache Software Foundation and The Apache HTTP Server Project are
- pleased to announce the release of version 1.3.30 of the Apache HTTP
+ pleased to announce the release of version 1.3.31 of the Apache HTTP
Server ("Apache"). This Announcement notes the significant changes
- in 1.3.30 as compared to 1.3.29. The Announcement is also available
- in German, Spanish and Japanese from:
+ in 1.3.31 as compared to 1.3.29 (1.3.30 was not released). The
+ Announcement is also available in German, Spanish and Japanese from:
http://www.apache.org/dist/httpd/Announcement.html.de
http://www.apache.org/dist/httpd/Announcement.html.es
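Review bot: The parenthetical "(1.3.30 was not released)" in the rewritten comparison sentence explains why the baseline is still 1.3.29, but it gives no reason, and a reader holding a tarball labelled 1.3.30 cannot tell from this text how to treat it. Suggest adding a short clause saying why 1.3.30 was withheld and that 1.3.31 replaces it.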
This version of Apache is principally a bug and security fix release.
A partial summary of the bug fixes is given at the end of this document.
A full listing of changes can be found in the CHANGES file. Of
- particular note is that 1.3.30 addresses and fixes 3 potential
+ particular note is that 1.3.31 addresses and fixes 4 potential
security issues:
+ o CAN-2003-0987 (cve.mitre.org)
+ Verification as to whether the nonce returned in the client response
+ is one we issued ourselves.
+
o CAN-2003-0020 (cve.mitre.org)
Escape arbitrary data before writing into the errorlog.
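Review bot: The new CAN-2003-0987 entry is a noun phrase ("Verification as to whether the nonce ... is one we issued ourselves") and never says which authentication module or scheme the nonce belongs to, so an administrator cannot tell from the announcement whether their configuration is affected. Suggest matching the imperative style of the CAN-2003-0020 entry below it, for example "Verify that the nonce returned in the client response is one we issued ourselves", and naming the affected module. The count changed from 3 to 4 just above should also be checked against the full list, of which only two entries are visible in this hunk.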
netmask; issue is only known to affect big-endian 64-bit
platforms
- We consider Apache 1.3.30 to be the best version of Apache 1.3 available
+ We consider Apache 1.3.31 to be the best version of Apache 1.3 available
and we strongly recommend that users of older versions, especially of
the 1.1.x and 1.2.x family, upgrade as soon as possible. No further
releases will be made in the 1.2.x family.
- Apache 1.3.30 is available for download from:
+ Apache 1.3.31 is available for download from:
http://httpd.apache.org/download.cgi
Apache 2.0 for better performance, stability and security on their
platforms.
- Apache 1.3.30 Major changes
+ Apache 1.3.31 Major changes
Security vulnerabilities
+ * CAN-2003-0987 (cve.mitre.org)
+ Verification as to whether the nonce returned in the client response
+ is one we issued ourselves.
+
* CAN-2003-0020 (cve.mitre.org)
Escape arbitrary data before writing into the errorlog.
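Review bot: The CAN-2003-0987 text added under "Security vulnerabilities" is a verbatim copy of the entry added to the summary list near the top of the announcement, so any rewording has to be made in both places or the two will drift. Since this is the detailed section, it is the better place to state what the missing nonce check permitted and whether any configuration change is needed after upgrading.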
Bugs fixed
The following noteworthy bugs were found in Apache 1.3.29 (or earlier)
- and have been fixed in Apache 1.3.30:
+ and have been fixed in Apache 1.3.31:
* Fix memory corruption problem with ap_custom_response() function.
The core per-dir config would later point to request pool data