From: Ruediger Pluem Date: Fri, 31 Mar 2006 20:41:37 +0000 (+0000) Subject: * Move security fixes at the beginning of the changelog X-Git-Tag: 2.2.1~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=258e36a68de81bf52e8f3d856714795249167314;p=thirdparty%2Fapache%2Fhttpd.git * Move security fixes at the beginning of the changelog git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@390497 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index ce6cb1513a0..fda98a18bdb 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,19 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.1 + *) SECURITY: CVE-2005-3357 (cve.mitre.org) + mod_ssl: Fix a possible crash during access control checks if a + non-SSL request is processed for an SSL vhost (such as the + "HTTP request received on SSL port" error message when an 400 + ErrorDocument is configured, or if using "SSLEngine optional"). + PR 37791. [Rüdiger Plüm, Joe Orton] + + *) SECURITY: CVE-2005-3352 (cve.mitre.org) + mod_imagemap: Escape untrusted referer header before outputting + in HTML to avoid potential cross-site scripting. Change also + made to ap_escape_html so we escape quotes. Reported by JPCERT. + [Mark Cox] + *) Fix mis-shifted 32 bit scope, masked to 64 bits as a method. [Will Rowe, Joe Orton] 
@@ -36,19 +49,6 @@ Changes with Apache 2.2.1 *) mod_speling: Stop crashing with certain non-file requests. [Jeff Trawick] - *) SECURITY: CVE-2005-3357 (cve.mitre.org) - mod_ssl: Fix a possible crash during access control checks if a - non-SSL request is processed for an SSL vhost (such as the - "HTTP request received on SSL port" error message when an 400 - ErrorDocument is configured, or if using "SSLEngine optional"). - PR 37791. [Rüdiger Plüm, Joe Orton] - - *) SECURITY: CVE-2005-3352 (cve.mitre.org) - mod_imagemap: Escape untrusted referer header before outputting - in HTML to avoid potential cross-site scripting. Change also - made to ap_escape_html so we escape quotes. Reported by JPCERT. - [Mark Cox] - *) mod_cache: Make caching of reverse proxies possible again. PR 38017. [Ruediger Pluem]
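Review bot: in the first hunk (@@ -1,6 +1,19 @@), the relocated mod_ssl entry for CVE-2005-3357 still reads "when an 400 ErrorDocument is configured"; since these lines are being re-added anyway, correct it to "when a 400 ErrorDocument is configured" so the typo is not carried to the top of the release notes. The context lines at the head of CHANGES show only the coding line and the "Changes with Apache 2.2.1" header, so nothing visible there records the rule this commit applies; a short comment stating that SECURITY entries go first within each "Changes with" section would help later backports keep the same order. The second hunk removes the same two SECURITY entries with identical wording from below the mod_speling entry, so the advisory text and the CVE and PR references are unchanged by the move.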