git.ipfire.org Git - thirdparty/apache/httpd.git/commitdiff
add warning about behavior change
author: Eric Covener <covener@apache.org>
Thu, 16 May 2024 17:54:35 +0000 (17:54 +0000)
committer: Eric Covener <covener@apache.org>
Thu, 16 May 2024 17:54:35 +0000 (17:54 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1917769 13f79535-47bb-0310-9956-ffa450edef68

CHANGES

diff --git a/CHANGES b/CHANGES
index 7b7b04ea388a7b5189d3808e012014b3b58b01ef..8617b705026fc4866df532af3e0eed31e96414ae 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -17,8 +17,12 @@ Changes with Apache 2.4.59
      Server allows an attacker that can inject malicious response
      headers into backend applications to cause an HTTP
      desynchronization attack.
-     Users are recommended to upgrade to version 2.4.59, which fixes
-     this issue.
+
+     After this change, CGI-like scripts cannot set Transfer-Encoding
+     or Content-Length headers.  To restore the ability to set Content-Length
+     header, set per-request environment variable 'ap_trust_cgilike_cl' to any
+     non-empty value.
+
      Credits: Keran Mu, Tsinghua University and Zhongguancun
      Laboratory.
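
Review bot: The added paragraph gives a way back only for Content-Length ('ap_trust_cgilike_cl'), so it is unclear whether Transfer-Encoding set by a CGI-like script can be restored at all; if it cannot, say so in one sentence. The wording "set per-request environment variable ... to any non-empty value" also does not say where the variable is documented or which handlers count as "CGI-like", which is what an administrator with a broken script after upgrading will look for first. Because the variable makes the server trust a Content-Length supplied by the backend again, and this entry describes response headers from backend applications as the source of the desynchronization issue, the warning should state that it is meant only for scripts whose output is trusted. The hunk also drops "Users are recommended to upgrade to version 2.4.59, which fixes this issue." without a replacement; consider keeping that sentence ahead of the new paragraph.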