We will be performing an Apache update to 2.2.24 this week.

This will take place, as far as possible, during off-peak hours. A reboot is required to complete the upgrade. The downtime should not exceed 30 minutes and it will be minimized as much as possible.


This update is scheduled as follows:

Date: 28 March 2013 (Thursday) to 31 March 2013 (Sunday)

Time: Between 2AM and 8AM EST

This version of Apache is principally a security and bug fix release:

*) SECURITY: CVE-2012-3499 (cve.mitre.org)
Various XSS flaws due to unescaped hostnames and URIs in the HTML output of mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.

*) SECURITY: CVE-2012-4558 (cve.mitre.org)
XSS in mod_proxy_balancer manager interface.

*) mod_rewrite: Stop merging RewriteBase down to subdirectories unless new option 'RewriteOptions MergeBase' is configured. Merging RewriteBase was unconditionally turned on in 2.2.23.

*) mod_ssl: Send the error message for speaking http to an https port using HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when using SNI.

*) mod_ssl: log revoked certificates at level INFO instead of DEBUG.

*) mod_proxy_ajp: Support unknown HTTP methods.

*) mod_dir: Add support for the value 'disabled' in FallbackResource.

*) mod_ldap: Fix regression in handling "server unavailable" errors on Windows.

*) mod_ssl: fix a regression with the string rendering of the "UID" RDN introduced in 2.2.15.

*) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output to more accurately report the negotiated protocol.

*) mod_cache: Explicitly allow cache implementations to cache a 206 Partial Response if they so choose to do so. Previously an attempt to cache a 206 was arbitrarily allowed if the response contained an Expires or Cache-Control header, and arbitrarily denied if both headers were missing. Currently the disk and memory cache providers do not cache 206 Partial Responses.

*) core: Remove unintentional APR 1.3 dependency introduced with Apache 2.2.22.

*) core: Use a TLS 1.0 close_notify alert for internal dummy connection if the chosen listener is configured for https.

*) mod_ssl: Add new directive SSLCompression to disable TLS-level compression.



Thursday, March 28, 2013
