Apache 1.3.34

Major changes

Security vulnerabilities

The main security vulnerabilities addressed in 1.3.34 are:

* If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks.
* Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method.

New features

New features that relate to specific platforms:

* None

Bugs fixed

The following bugs were found in Apache 1.3.33 (or earlier) and have been fixed in Apache 1.3.34:

* hsregex: Fix potential core dumping on 64 bit machines, such as AMD64. PR 31858.
* mod_digest: Fix another nonce string calculation issue.

CHANGES: http://www.apache.org/dist/httpd/CHANGES_1.3
Announcement: http://www.apache.org/dist/httpd/Announcement1.3.html
*** Bug 113977 has been marked as a duplicate of this bug. ***
New versions in CVS.
Arches please test and mark stable: apache-1.3.34 mod_ssl-2.8.25
sparc stable.
ppc, hppa done.
As kloeri just pointed out to me, we are still supporting the old-style apache configuration for the time being. I'm going to do the following: apache-1.3.34 will get moved to apache-1.3.34-r10, and mod_ssl-2.8.25 will get moved to mod_ssl-2.8.25-r10. I will add the following for the old-style configuration: apache-1.3.34-r1 and mod_ssl-2.8.25-r1. Please hold off on marking stable until I've gotten this taken care of.
Revisions for old-style and new-style are in the tree. New-style: apache-1.3.34-r10, mod_ssl-2.8.25-r10. Old-style: apache-1.3.34-r1, mod_ssl-2.8.25-r1. The GLSA, if issued, will need to provide upgrade instructions for both old-style and new-style. Previous versions: old-style is any version of apache lower than 1.3.33-r10 and mod_ssl-2.8.24; new-style is any version of apache 1.3.33-r10 and above and mod_ssl-2.8.24-r1.
Stable on alpha, ia64 and x86.
Re-cc'ing previously stabled arches to mark the new ebuild revisions stable because of the old/new-style config system (see comment #6 and #7).
You missed the Ccs...
Stable on ppc and hppa.
amd64 done, ppc64 was forgotten
stable on ppc64
Ready for GLSA vote. Tend to say no here.
I tend to vote NO too.
I'm sorry guys, somehow my post about stabilizing didn't reach bugzilla :-/
Voting no and closing.