git.ipfire.org Git - thirdparty/apache/httpd.git/commitdiff
Note related risk at the end of the SECURITY CHANGES list for 2.0.65
author William A. Rowe Jr <wrowe@apache.org>
Wed, 26 Jun 2013 17:28:06 +0000 (17:28 +0000)
committer William A. Rowe Jr <wrowe@apache.org>
Wed, 26 Jun 2013 17:28:06 +0000 (17:28 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1497013 13f79535-47bb-0310-9956-ffa450edef68

CHANGES

diff --git a/CHANGES b/CHANGES
index 8839da479d1bb13d7772d2ffb30d7da1fd41f073..d4d5f3e084c4bf8e97e996009472f692379fe5bf 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -28,6 +28,12 @@ Changes with Apache 2.0.65
      is enabled, could allow local users to gain privileges via a .htaccess
      file. [Stefan Fritsch, Greg Ames]
 
+       NOTE: it remains possible to exhaust all memory using a carefully
+       crafted .htaccess rule, which will not be addressed in 2.0; enabling 
+       processing of .htaccess files authored by untrusted users is the root
+       of such security risks.  Upgrade to httpd 2.2.25 or later to limit
+       this specific risk.
+
   *) core: Add MaxRanges directive to control the number of ranges permitted
      before returning the entire resource, with a default limit of 200.
      [Eric Covener, Rainer Jung]
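
Review bot: In the added NOTE, "this specific risk" in the last sentence is ambiguous. It could refer to the memory exhaustion the NOTE describes or to the privilege gain via .htaccess in the entry directly above, and because the NOTE is unbulleted and sits right under that entry it reads as a continuation of it. Suggest naming the risk explicitly ("to limit this memory exhaustion risk") and, since the NOTE says the issue will not be addressed in 2.0, adding a pointer for operators who stay on 2.0 to the setting that stops processing of untrusted .htaccess files (for example AllowOverride). Two style points: the NOTE text is indented two columns deeper than the continuation lines of the surrounding entries, and the line ending in "enabling " carries trailing whitespace.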