* A vulnerability was found in the Win32 port of Apache 1.3.20. A
client submitting a very long URI could cause a directory listing
to be returned rather than the default index page. A 403 Forbidden
- will now be returned
+ will now be returned. CAN-2001-0729
* A vulnerability was found in the split-logfile support program. A
request with a specially crafted Host: header could allow any file
with a .log extension on the system to be written to. PR#7848
+ CAN-2001-0730
* A vulnerability was found when Multiviews are used to negotiate
the directory index. In some configurations, requesting a URI with
a QUERY_STRING of M=D could return a directory listing rather than
- the expected index page.
+ the expected index page. CAN-2001-0731
+
+ The security issues above have been assigned standardized names, CAN-
+ by the Common Vulnerabilities and Exposures project (cve.mitre.org)
New features
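Review bot: The added closing sentence under the security list breaks its first line on a dangling "CAN-", which reads as a truncated identifier rather than a prefix. Suggest wording it as a prefix explicitly, for example "standardized names, prefixed CAN-, by the Common Vulnerabilities and Exposures project (cve.mitre.org)", and ending the sentence with a period. The placement of the names is also uneven: the first and third items append the name to the last sentence, while the split-logfile item puts CAN-2001-0730 on its own line after PR#7848.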
than the negotiated index.html variant that was configured and
expected. The work around for this problem (for pre 1.3.21
releases) is to disable Indexes or Multiviews in the affected
- directories. [Bill Stoddard, Bill Rowe]
+ directories. The Common Vulnerabilities and Exposures project
+ (cve.mitre.org) has assigned the name CAN-2001-0731 to this issue.
+ [Bill Stoddard, Bill Rowe]
*) Enabled Win32/OS2/Netware file paths (not / rooted, but c:/ rooted)
as arguments for mod_vhost_alias'es directives. [William Rowe]
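Review bot: The new CAN-2001-0731 sentence lands directly after the workaround text, so the entry now runs from mitigation advice straight into naming boilerplate before the credits. The same full sentence is added to the CAN-2001-0729 and CAN-2001-0730 entries as well. A short tag next to the credit line, in the style the PR#7848 reference already uses, would carry the identifier without repeating the sentence three times.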
by using many slashes. Now a 403 FORBIDDEN is returned. This
problem was similar to and in the same area as the problem
reported and fixed by Martin Kraemer in 1.3.18, only the scope
- is much narrower and is specific to Windows.
- [Bill Stoddard]
+ is much narrower and is specific to Windows. The Common
+ Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
+ name CAN-2001-0729 to this issue. [Bill Stoddard]
*) Update the mime.types file to the registered media types as
of 2001-09-25, and add xsl, so, dll extensions [Mark Cox]
"/" or "\" are present in the virtual host name. This prevents
the possible use of specially crafted virtual host names in
some configurations to allow writing to any .log file on the
- system. [Daniel Matuschek <daniel.matuschek@swisscom.com>,
- Marc Slemko] PR#7848
+ system. The Common Vulnerabilities and Exposures project
+ (cve.mitre.org) has assigned the name CAN-2001-0730 to this issue.
+ [Daniel Matuschek <daniel.matuschek@swisscom.com>,
+ Marc Slemko] PR#7848
*) Added a directive: "AcceptFilter <on|off>". To control BSD
acccept filters when at compile time SO_ACCEPT_FILTER is
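Review bot: In the split-logfile entry the two tracking references end up apart: CAN-2001-0730 sits in the prose before the credits and PR#7848 trails after them, whereas the announcement text for the same issue keeps PR#7848 and CAN-2001-0730 adjacent. Suggest keeping both identifiers together at the end of the entry so a search for either one lands on the same line.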