For the recent mod_negotiation patch

author Bill Stoddard <stoddard@apache.org>

Tue, 2 Oct 2001 19:35:30 +0000 (19:35 +0000)

committer Bill Stoddard <stoddard@apache.org>

Tue, 2 Oct 2001 19:35:30 +0000 (19:35 +0000)
author Bill Stoddard <stoddard@apache.org>
Tue, 2 Oct 2001 19:35:30 +0000 (19:35 +0000)
committer Bill Stoddard <stoddard@apache.org>
Tue, 2 Oct 2001 19:35:30 +0000 (19:35 +0000)
diff --git a/src/CHANGES b/src/CHANGES

index 3bae7399a4f049112e4cef0d5b9645f9c4f47930..584af9fb7932c02f54a6b0c0c06a30574cc63a93 100644 (file)
--- a/src/CHANGES
+++ b/src/CHANGES
@@ -1,4 +1,12 @@
  Changes with Apache 1.3.21
+  *) Security: Close autoindex /?M=D directory listing hole reported
+     in bugtraq id 3009.  In some configurations where multiviews and 
+     indexes are enabled for a directory, requesting URI /?M=D could
+     result in a directory listing being returned to the client rather
+     than the negotiated index.html variant that was configured and
+     expected.  The work around for this problem (for pre 1.3.21
+     releases) is to disable Indexes or Multiviews in the affected
+     directories. [Bill Stoddard, Bill Rowe]
  
    *) Enabled Win32/OS2/Netware file paths (not / rooted, but c:/ rooted)
       as arguments for mod_vhost_alias'es directives.  [William Rowe]
author	Bill Stoddard <stoddard@apache.org>
	Tue, 2 Oct 2001 19:35:30 +0000 (19:35 +0000)
committer	Bill Stoddard <stoddard@apache.org>
	Tue, 2 Oct 2001 19:35:30 +0000 (19:35 +0000)