From: William A. Rowe Jr Date: Fri, 11 Apr 2003 20:22:21 +0000 (+0000) Subject: Time for disclosure details X-Git-Tag: pre_ajp_proxy~1863 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1f6e8eddae0a998dfc4171a5e04baab2d6d70808;p=thirdparty%2Fapache%2Fhttpd.git Time for disclosure details If anyone sees credit-where-credit-is-due that I've missed, please add those individuals. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@99332 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index c8387140dae..bab061625fa 100644 --- a/CHANGES +++ b/CHANGES @@ -159,6 +159,11 @@ Changes with Apache 2.1.0-dev Changes with Apache 2.0.46 + *) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability + identified and reported by Robert Howard that + where device names faulted the running OS2 worker process. + The fix is actually in APR 0.9.4. [Brian Havard] + *) Forward port: Escape special characters (especially control characters) in mod_log_config to make a clear distinction between client-supplied strings (with special characters) and server-side @@ -177,7 +182,9 @@ Changes with Apache 2.0.45 *) SECURITY [CAN-2003-0132]: Close a Denial of Service vulnerability identified by David Endler on all platforms. - Details embargoed until their announcement on 8 April 2003. + An unlimited stream of newlines were acceptable between requests + where each would allocate an 80 byte buffer, leading very + quickly to memory exahustion. [Brian Pane] *) Added an rpm build script. [Graham Leggett, Joe Orton ] 
@@ -185,9 +192,9 @@ Changes with Apache 2.0.45 *) Simpler, faster code path for request header scanning [Brian Pane] *) SECURITY: Eliminated leaks of several file descriptors to child - processes, such as CGI scripts. This fix depends on the latest - APR library release 0.9.2, which is distributed with the httpd - source tarball for Apache 2.0.45. PR 17206 + processes, such as CGI scripts. This fix depends on the APR library + release 0.9.2 or later (0.9.3 was distributed with the httpd + source tarball for Apache 2.0.45.) PR 17206 [Christian Kratzer , Bjoern A. Zeeb ] *) Fix path handling of mod_rewrite, especially on non-unix systems.
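Review bot: the new CAN-2003-0134 entry (hunk @@ -159,6 +159,11 @@, under 2.0.46) has a broken clause, "identified and reported by Robert Howard that where device names faulted the running OS2 worker process"; drop the stray "that" so the sentence parses. The entry header also omits the colon that the CAN-2003-0132 entry uses after the bracket ("SECURITY [CAN-2003-0132]:"), so add one for consistency. Because the last line says "The fix is actually in APR 0.9.4", the entry should state plainly that httpd has to be built against APR 0.9.4 or later to pick up the fix.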
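Review bot: "exahustion" on the last added line of the CAN-2003-0132 entry (hunk @@ -177,7 +182,9 @@) is a typo for "exhaustion", and "An unlimited stream of newlines were acceptable" should read "was accepted" to agree with "stream". The replacement text describes the flaw (an 80 byte buffer allocated for each newline between requests) but not what 2.0.45 does instead; a short clause on the fix would help someone reading CHANGES to assess exposure.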
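Review bot: in the file descriptor leak entry (hunk @@ -185,9 +192,9 @@), the parenthetical "(0.9.3 was distributed with the httpd source tarball for Apache 2.0.45.)" carries the full stop inside the parenthesis, so the sentence starting "This fix depends on" runs straight into "PR 17206". Move the period outside the closing parenthesis so the dependency statement and the PR reference stay separate.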