From: Yann Ylavic <ylavic@apache.org>
Date: Mon, 18 Sep 2017 21:54:15 +0000 (+0000)
Subject: CVE-2017-9798 disclosed, amend CHANGES entry for
X-Git-Tag: 2.4.28~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f1267897fd5050750b93859e865382bff95c9c7;p=thirdparty%2Fapache%2Fhttpd.git

CVE-2017-9798 disclosed, amend CHANGES entry for
https://svn.apache.org/r1807754



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1808787 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index b2b6bada88b..109b338b7c1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.28
 
+  *) SECURITY: CVE-2017-9798 (cve.mitre.org)
+     Corrupted or freed memory access. <Limit[Except]> must now be used in the
+     main configuration file (httpd.conf) to register HTTP methods before the
+     .htaccess files.  [Yann Ylavic]
+
   *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
      PR 61142.
 
@@ -13,9 +18,6 @@ Changes with Apache 2.4.28
 
   *) build: allow configuration without APR sources.  [Jacob Champion]
 
-  *) core: Disallow Methods' registration at runtime (.htaccess), they may be
-     used only if registered at init time (httpd.conf).  [Yann Ylavic]
-
   *) mod_ssl, ab: Fix compatibility with LibreSSL.  PR 61184.
      [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
       Yann Ylavic]