Put the SECURITY notices at the top again.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@390517 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 7a1cc3b0fd39d098807e6424665ff3d22de8fe2b..1d1a07bd1ab540ba25b0be4170bf4420acbf0c8b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,9 +1,7 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.56
 
-  *) keep the Content-Length header for a HEAD with no response body.
-     PR 18757 [Greg Ames]
-     
+    
   *) SECURITY: CVE-2005-3357 (cve.mitre.org)
      mod_ssl: Fix a possible crash during access control checks if a
      non-SSL request is processed for an SSL vhost (such as the
@@ -17,6 +15,9 @@ Changes with Apache 2.0.56
      ap_escape_html so we escape quotes.  Reported by JPCERT.
      [Mark Cox]
 
+  *) keep the Content-Length header for a HEAD with no response body.
+     PR 18757 [Greg Ames]
+ 
   *) Modify apr[util] .h detection to avoid breakage on VPATH builds
      using Solaris make (amoung others) and avoid breakage in ./buildconf
      when srclib/apr[-util] are symlinks rather than directories proper.