Changes with Apache 1.3.25
- *) Code changes required to address and close the security
- issues in CAN-2002-0392 (mitre.org) [CERT VU#944335].
+ *) SECURITY: Code changes required to address and close the
+ security issues in CAN-2002-0392 (cve.mitre.org) [CERT VU#944335].
To support this, we utilize the ANSI functionality of
strtol, and provide ap_strtol for completeness.
[The whole gang]
*) Fixed a segfault in mod_include when #if, #elif, #else, or #endif
directives were improperly terminated. [Cliff Woolley]
- *) Win32 Security: CAN-2002-0061
+ *) Win32 SECURITY: CAN-2002-0061 (cve.mitre.org)
Introduce proper escaping of command.com and cmd.exe for Win32.
These patches close vulnerability CAN-2002-0061, identified and
reported by Ory Segal <ory.segal@sanctuminc>, by which any CGI
just happened to be index.html.zh.Big5.
[Bill Stoddard, Bill Rowe] PR #8130
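Review bot: the tag `Win32 SECURITY:` on the `+` line breaks the convention the rest of this patch establishes, where the entry text begins with `SECURITY:` immediately after `*)`; a grep for entries tagged `*) SECURITY` will miss this one. Suggest `*) SECURITY: Win32: CAN-2002-0061 (cve.mitre.org)` so the platform qualifier follows the tag, as the other Win32 entries in this patch already do.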
- *) Security: Close autoindex /?M=D directory listing hole reported
+ *) SECURITY: Close autoindex /?M=D directory listing hole reported
in bugtraq id 3009. In some configurations where multiviews and
indexes are enabled for a directory, requesting URI /?M=D could
result in a directory listing being returned to the client rather
*) Autodetect if platforms have isnan() and/or isinf() for use in
ap_snprintf.c. [Jim Jagielski]
- *) Security/DoS: Correct a vulnerability in the Win32 and OS2 ports, by which a
+ *) SECURITY DoS: CAN-2001-1342 (cve.mitre.org)
+ Correct a vulnerability in the Win32 and OS2 ports, by which a
client submitting a carefully constructed URI could cause a GP
(segment) fault in the child process, which would have to be
cleared by the operator to resume operation. This vulnerability
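Review bot: `SECURITY DoS:` drops the colon after SECURITY that every other tag in this patch carries, so it will not match a search for `SECURITY:`; suggest `*) SECURITY: DoS: CAN-2001-1342 (cve.mitre.org)`. The CAN-2001-1342 identifier is also new in this hunk (the `-` line carried none), so it should be checked against the CVE entry for this Win32/OS2 crafted-URI crash before the change goes in.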
*) SECURITY: The default installation could lead to mod_negotiation
and mod_dir/mod_autoindex displaying a directory listing instead of
the index.html.* files, if a very long path was created artificially
- by using many slashes. Now a 403 FORBIDDEN is returned. CAN-2001-0925.
+ by using many slashes. Now a 403 FORBIDDEN is returned. CAN-2001-0925
+ (cve.mitre.org)
[Martin Kraemer]
*) Trailing slashes (if they exist) are now removed from ServerRoot,
tree, and other minor MPE tweaks.
[Mark Bixby <mark_bixby@hp.com>]
- *) Security: Tighten up the syntax checking of Host: headers to fix a
+ *) SECURITY: Tighten up the syntax checking of Host: headers to fix a
security bug in some mass virtual hosting configurations
that can allow a remote attacker to retrieve some files
on the system that should be inaccessible. [Tony Finch]
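Review bot: this Host: header entry gets the `SECURITY:` tag but no CVE identifier, unlike most entries this patch touches; if one has been assigned, add it in the `CAN-nnnn-nnnn (cve.mitre.org)` form used elsewhere in the patch. A second Host: header entry for mass name-based virtual hosting (the Ben Hyde/Tony Finch one) appears later in this file, so it is worth checking whether both describe the same issue and should carry the same identifier.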
SHA1 and plaintext password encodings. Make feature tests a
bit more flexible. [William Rowe]
- *) Security: CVE-2000-0913
+ *) SECURITY: CVE-2000-0913 (cve.mitre.org)
Fix a security problem that affects some configurations of
mod_rewrite. If the result of a RewriteRule is a filename that
contains expansion specifiers, especially regexp backreferences
for modules and executables dynamically linked to the core.
[William Rowe; Jim Patterson <jim-patterson@ncf.ca>]
- *) Prevent the source code for CGIs from being revealed when using
- mod_vhost_alias and the CGI directory is under the document root
+ *) SECURITY: Prevent the source code for CGIs from being revealed when
+ using mod_vhost_alias and the CGI directory is under the document root
and a user makes a request like http://www.example.com//cgi-bin/cgi
as reported in <news:960999105.344321@ernani.logica.co.uk>
[Tony Finch]
<Directory> containers, and in .htaccess files when FileInfo
overriding is allowed. [Ken Coar] PR#3000
- *) Fix Win32 bug when pathname length exactly equals MAX_PATH.
+ *) SECURITY: Fix Win32 bug when pathname length exactly equals MAX_PATH.
This bug caused directory index to be displayed rather than
- returning an error. [Allan Edwards <ake@raleigh.ibm.com>]
+ returning an error. CVE-2000-0505 (cve.mitre.org)
+ [Allan Edwards <ake@raleigh.ibm.com>]
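Review bot: CVE-2000-0505 is introduced by this hunk; the `-` lines gave only the description and attribution, so the mapping to the MAX_PATH directory-index bug should be confirmed before merge. The placement (identifier after the sentence, before the bracketed attribution, no trailing period) matches the other identifier additions in this patch.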
*) Correct mod_proxy Win95 dynamic link __declspec(thread) bug.
David Whitmarsh <david.whitmarsh@dial.pipex.com>
the given character set on any document that does not have one
explicitly specified in the headers. [Marc Slemko, Jim Jagielski]
- *) Properly escape various messages output to the client from a number
+ *) SECURITY:
+ Properly escape various messages output to the client from a number
of modules and places in the core code. [Marc Slemko]
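Review bot: `SECURITY:` is placed alone on the `*)` line with the entry text starting on the next line, and the same layout is used for the mod_actions/mod_autoindex and mod_include entries that follow, while every earlier entry in this patch (and the pre-existing `*) SECURITY: Eliminate O(n^2)` entry) keeps the text on the tag line. Suggest reflowing to `*) SECURITY: Properly escape various messages output to the client from` with the remainder wrapped, as was done for the mod_vhost_alias entry above, so the file keeps a single layout.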
- *) Change mod_actions, mod_autoindex, mod_expires, and mod_log_config to
+ *) SECURITY:
+ Change mod_actions, mod_autoindex, mod_expires, and mod_log_config to
not consider any parameters such as charset when making decisions
based on content type. This does remove some functionality for
some users, but means that when these modules are configured to do
want to set things on a per charset basis is necessary in the future.
[Marc Slemko]
- *) mod_include now entity encodes output from "printenv" and "echo var"
+ *) SECURITY:
+ mod_include now entity encodes output from "printenv" and "echo var"
by default. The encoding for "echo var" can be set to URL encoding
or no encoding using the new "encoding" attribute to the echo tag.
[Marc Slemko]
*) Add back support for UseCanonicalName in <Directory> containers
[Manoj Kasichainula]
- *) More rigorous checking of Host: headers to fix security problems
- with mass name-based virtual hosting (whether using mod_rewrite
+ *) SECURITY: More rigorous checking of Host: headers to fix security
+ problems with mass name-based virtual hosting (whether using mod_rewrite
or mod_vhost_alias).
[Ben Hyde, Tony Finch]
*) SECURITY: Eliminate O(n^2) space DoS attacks (and other O(n^2)
cpu time attacks) in header parsing. Add ap_overlap_tables(),
a function which can be used to perform bulk update operations
- on tables in a more efficient manner. [Dean Gaudet]
+ on tables in a more efficient manner. CAN-1999-1199 (cve.mitre.org)
+ [Dean Gaudet]
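Review bot: CAN-1999-1199 is new in this hunk; the `-` line had no identifier and the entry already carried the `SECURITY:` tag, so the identifier is the only change. Confirm it is the CVE assigned to the O(n^2) header-parsing DoS before merging; the placement after the sentence and before the attribution is consistent with the other identifier additions in this patch.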
*) SECURITY: Added compile-time and configurable limits for
various aspects of reading a client request to avoid some simple