Changes with Apache 1.3.33
- *) SECURITY: CAN-2004-0940 (cve.mitre.org)
+ *) SECURITY: CVE-2004-0940 (cve.mitre.org)
mod_include: Fix potential buffer overflow with escaped characters
in SSI tag string. [Martin Kraemer, Jim Jagielski]
*) Win32: Improve error reporting after a failed attempt to spawn a
piped log process or rewrite map process. [Jeff Trawick]
- *) SECURITY: CAN-2004-0492 (cve.mitre.org)
+ *) SECURITY: CVE-2004-0492 (cve.mitre.org)
Reject responses from a remote server if sent an invalid (negative)
Content-Length. [Mark Cox]
Changes with Apache 1.3.31
- *) SECURITY: CAN-2003-0987 (cve.mitre.org)
+ *) SECURITY: CVE-2003-0987 (cve.mitre.org)
Verification as to whether the nonce returned in the client response
is one we issued ourselves by means of a AuthDigestRealmSeed secret
exposed as an md5(). See mod_digest documentation for more details.
connections when invalid IPs are accessed. PR 27542.
[Alexander Prohorenko <white extrasy.net>]
- *) SECURITY: CAN-2004-0174 (cve.mitre.org)
+ *) SECURITY: CVE-2004-0174 (cve.mitre.org)
Fix starvation issue on listening sockets where a short-lived
connection on a rarely-accessed listening socket will cause a
child to hold the accept mutex and block out new connections until
Changes with Apache 1.3.29
- *) SECURITY: CAN-2003-0542 (cve.mitre.org)
+ *) SECURITY: CVE-2003-0542 (cve.mitre.org)
Fix buffer overflows in mod_alias and mod_rewrite which occurred if
one configured a regular expression with more than 9 captures.
[André Malo]
Changes with Apache 1.3.28
- *) SECURITY: CAN-2003-0460 (cve.mitre.org)
+ *) SECURITY: CVE-2003-0460 (cve.mitre.org)
Fix the rotatelogs support program on Win32 and OS/2 to ignore
special control characters received over the pipe. Previously
such characters could cause rotatelogs to quit logging and exit.
UseCanonicalName is set to Off and a server is being run at
a domain that allows wildcard DNS. [Matthew Murphy]
- *) SECURITY: CAN-2002-0843 (cve.mitre.org)
+ *) SECURITY: CVE-2002-0843 (cve.mitre.org)
Fix some possible overflows in ab.c that could be exploited by
a malicious server. Reported by David Wagner. [Jim Jagielski]
cruft. This patch allows us to tailor/control this properly by
allowing simple wildcards such as *.conf. [Dirk-Willem van Gulik]
- *) SECURITY: CAN-2002-0839 (cve.mitre.org)
+ *) SECURITY: CVE-2002-0839 (cve.mitre.org)
Add the new directive 'ShmemUIDisUser'. By default, Apache
will no longer set the uid/gid of SysV shared memory scoreboard
to User/Group, and it will therefore stay the uid/gid of
Netscape-4.x Roaming Profiles (on a DAV-enabled server)
[Martin Kraemer]
- *) SECURITY: CAN-2003-0083 (cve.mitre.org)
+ *) SECURITY: CVE-2003-0083 (cve.mitre.org)
Disallow anything but whitespace on the request line after the
HTTP/x.y protocol string. That prevents arbitrary user input
from ending up in the access_log and error_log. Also, special
*) PORT: Some Cygwin changes, esp. improvements for dynamic loading,
and cleanups. [Stipe Tolj <tolj wapme-systems.de>]
- *) Win32 SECURITY: CAN-2001-0729 (cve.mitre.org)
+ *) Win32 SECURITY: CVE-2001-0729 (cve.mitre.org)
The default installation could lead to mod_negotiation
and mod_dir/mod_autoindex displaying a directory listing instead of
the index.html.* files, if a very long path was created artificially
*) Apache on Win9x now ensures the service is stopped before removal.
[William Rowe]
- *) SECURITY: CAN-2001-0925 (cve.mitre.org)
+ *) SECURITY: CVE-2001-0925 (cve.mitre.org)
The default installation could lead to mod_negotiation
and mod_dir/mod_autoindex displaying a directory listing instead of
the index.html.* files, if a very long path was created artificially
for modules and executables dynamically linked to the core.
[William Rowe; Jim Patterson <jim-patterson ncf.ca>]
- *) SECURITY: CAN-2000-1204 (cve.mitre.org)
+ *) SECURITY: CVE-2000-1204 (cve.mitre.org)
Prevent the source code for CGIs from being revealed when
using mod_vhost_alias and the CGI directory is under the document root
and a user makes a request like http://www.example.com//cgi-bin/cgi
the given character set on any document that does not have one
explicitly specified in the headers. [Marc Slemko, Jim Jagielski]
- *) SECURITY: CAN-2000-1205 (cve.mitre.org)
+ *) SECURITY: CVE-2000-1205 (cve.mitre.org)
Properly escape various messages output to the client from a number
of modules and places in the core code. [Marc Slemko]
- *) SECURITY: CAN-2000-1205 (cve.mitre.org)
+ *) SECURITY: CVE-2000-1205 (cve.mitre.org)
Change mod_actions, mod_autoindex, mod_expires, and mod_log_config to
not consider any parameters such as charset when making decisions
based on content type. This does remove some functionality for
want to set things on a per charset basis is necessary in the future.
[Marc Slemko]
- *) SECURITY: CAN-2000-1205 (cve.mitre.org)
+ *) SECURITY: CVE-2000-1205 (cve.mitre.org)
mod_include now entity encodes output from "printenv" and "echo var"
by default. The encoding for "echo var" can be set to URL encoding
or no encoding using the new "encoding" attribute to the echo tag.
*) Add back support for UseCanonicalName in <Directory> containers
[Manoj Kasichainula]
- *) SECURITY: CAN-2000-1206 (cve.mitre.org)
+ *) SECURITY: CVE-2000-1206 (cve.mitre.org)
More rigorous checking of Host: headers to fix security
problems with mass name-based virtual hosting (whether using mod_rewrite
or mod_vhost_alias).
projects / thirdparty / apache / httpd.git / commitdiff
