CVE-2017-9798 disclosed, amend CHANGES entry for

author Yann Ylavic <ylavic@apache.org>

Mon, 18 Sep 2017 21:54:15 +0000 (21:54 +0000)

committer Yann Ylavic <ylavic@apache.org>

Mon, 18 Sep 2017 21:54:15 +0000 (21:54 +0000)
author Yann Ylavic <ylavic@apache.org>
Mon, 18 Sep 2017 21:54:15 +0000 (21:54 +0000)
committer Yann Ylavic <ylavic@apache.org>
Mon, 18 Sep 2017 21:54:15 +0000 (21:54 +0000)
diff --git a/CHANGES b/CHANGES

index b2b6bada88b03930addeed2c374db837b9dd7459..109b338b7c17d2639a5eae98f061fab00287e46a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,11 @@
                                                           -*- coding: utf-8 -*-
  Changes with Apache 2.4.28
  
+  *) SECURITY: CVE-2017-9798 (cve.mitre.org)
+     Corrupted or freed memory access. <Limit[Except]> must now be used in the
+     main configuration file (httpd.conf) to register HTTP methods before the
+     .htaccess files.  [Yann Ylavic]
+
    *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
       PR 61142.
  
@@ -13,9 +18,6 @@ Changes with Apache 2.4.28
  
    *) build: allow configuration without APR sources.  [Jacob Champion]
  
-  *) core: Disallow Methods' registration at runtime (.htaccess), they may be
-     used only if registered at init time (httpd.conf).  [Yann Ylavic]
-
    *) mod_ssl, ab: Fix compatibility with LibreSSL.  PR 61184.
       [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
        Yann Ylavic]
author	Yann Ylavic <ylavic@apache.org>
	Mon, 18 Sep 2017 21:54:15 +0000 (21:54 +0000)
committer	Yann Ylavic <ylavic@apache.org>
	Mon, 18 Sep 2017 21:54:15 +0000 (21:54 +0000)