From: Mark J. Cox Date: Mon, 8 Oct 2001 19:34:38 +0000 (+0000) Subject: Add CVE candidate names to the announcement mail and changes file to allow X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2da62c4269f4d7e360ec497cfce66128c3593268;p=thirdparty%2Fapache%2Fhttpd.git Add CVE candidate names to the announcement mail and changes file to allow them to be cross-referenced with other security publications easily PR: Obtained from: Submitted by: Reviewed by: git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@91364 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/Announcement b/Announcement index 957d8ef11dc..3779e7c44ad 100644 --- a/Announcement +++ b/Announcement @@ -75,14 +75,18 @@ * A vulnerability was found in the Win32 port of Apache 1.3.20. A client submitting a very long URI could cause a directory listing to be returned rather than the default index page. A 403 Forbidden - will now be returned + will now be returned. CAN-2001-0729 * A vulnerability was found in the split-logfile support program. A request with a specially crafted Host: header could allow any file with a .log extension on the system to be written to. PR#7848 + CAN-2001-0730 * A vulnerability was found when Multiviews are used to negotiate the directory index. In some configurations, requesting a URI with a QUERY_STRING of M=D could return a directory listing rather than - the expected index page. + the expected index page. CAN-2001-0731 + + The security issues above have been assigned standardized names, CAN- + by the Common Vulnerabilities and Exposures project (cve.mitre.org) New features diff --git a/src/CHANGES b/src/CHANGES index 96c2aa77317..fb34b38ad14 100644 --- a/src/CHANGES +++ b/src/CHANGES 
@@ -58,7 +58,9 @@ Changes with Apache 1.3.21 than the negotiated index.html variant that was configured and expected. The work around for this problem (for pre 1.3.21 releases) is to disable Indexes or Multiviews in the affected - directories. [Bill Stoddard, Bill Rowe] + directories. The Common Vulnerabilities and Exposures project + (cve.mitre.org) has assigned the name CAN-2001-0731 to this issue. + [Bill Stoddard, Bill Rowe] *) Enabled Win32/OS2/Netware file paths (not / rooted, but c:/ rooted) as arguments for mod_vhost_alias'es directives. [William Rowe] @@ -78,8 +80,9 @@ Changes with Apache 1.3.21 by using many slashes. Now a 403 FORBIDDEN is returned. This problem was similar to and in the same area as the problem reported and fixed by Martin Kraemer in 1.3.18, only the scope - is much narrower and is specific to Windows. - [Bill Stoddard] + is much narrower and is specific to Windows. The Common + Vulnerabilities and Exposures project (cve.mitre.org) has assigned the + name CAN-2001-0729 to this issue. [Bill Stoddard] *) Update the mime.types file to the registered media types as of 2001-09-25, and add xsl, so, dll extensions [Mark Cox] @@ -166,8 +169,10 @@ Changes with Apache 1.3.21 "/" or "\" are present in the virtual host name. This prevents the possible use of specially crafted virtual host names in some configurations to allow writing to any .log file on the - system. [Daniel Matuschek , - Marc Slemko] PR#7848 + system. The Common Vulnerabilities and Exposures project + (cve.mitre.org) has assigned the name CAN-2001-0730 to this issue. + [Daniel Matuschek , + Marc Slemko] PR#7848 *) Added a directive: "AcceptFilter ". To control BSD acccept filters when at compile time SO_ACCEPT_FILTER is
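Review bot: In the Announcement hunk (@@ -75,14 +75,18 @@), the added closing sentence reads "standardized names, CAN- by the Common Vulnerabilities and Exposures project (cve.mitre.org)", which leaves a bare "CAN-" prefix hanging and has no final period. Suggest either dropping the prefix or spelling out what it is, for example "have been assigned standardized candidate names (CAN-...) by the Common Vulnerabilities and Exposures project (cve.mitre.org)." The three names are also attached differently: inline after the sentence for CAN-2001-0729 and CAN-2001-0731, but on a line of its own after PR#7848 for CAN-2001-0730. One placement for all three would make the list easier to scan and search.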
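Review bot: In the src/CHANGES hunk at @@ -78,8 +80,9 @@, the attribution "[Bill Stoddard]" is pulled up onto the end of the new sentence, while the hunk at @@ -58,7 +58,9 @@ keeps "[Bill Stoddard, Bill Rowe]" on its own line after the same sentence. Suggest one layout for both entries, since the two additions are otherwise word-for-word the same apart from the CAN name.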
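Review bot: In the src/CHANGES split-logfile hunk (@@ -166,8 +169,10 @@), CAN-2001-0730 goes into the prose before the attribution while PR#7848 stays after the closing bracket, so the two cross-reference identifiers for the same issue sit on opposite sides of the credits. The Announcement hunk keeps PR#7848 and CAN-2001-0730 next to each other; doing the same here would be consistent and would let a reader looking up either identifier find the other immediately.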