From: William A. Rowe Jr Date: Mon, 9 Jan 2017 16:23:51 +0000 (+0000) Subject: ** NOTE: the vendor states "This mitigation has been assigned the identifier X-Git-Tag: 2.2.32~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=47d126f94824e852c9358291ee7c485e72cb3849;p=thirdparty%2Fapache%2Fhttpd.git ** NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability. ** git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1778007 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index c3be9dc890a..f262eb5f7e8 100644 --- a/CHANGES +++ b/CHANGES @@ -6,19 +6,15 @@ Changes with Apache 2.2.32 and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies. [William Rowe, Stefan Fritsch] - *) mod_proxy: Use the correct server name for SNI in case the backend - SSL connection itself is established via a proxy server. - PR 57139 [Szabolcs Gyurko ] - - *) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues. - [Dominic Scheirlinck , Yann Ylavic] - *) Validate HTTP response header grammar defined by RFC7230, resulting in a 500 error in the event that invalid response header contents are detected when serving the response, to avoid response splitting and cache pollution by malicious clients, upstream servers or faulty modules. [Stefan Fritsch, Eric Covener, Yann Ylavic] + *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues. + [Dominic Scheirlinck , Yann Ylavic] + *) core: Avoid a possible truncation of the faulty header included in the HTML response when LimitRequestFieldSize is reached. [Yann Ylavic] 
@@ -40,18 +36,22 @@ Changes with Apache 2.2.32 *) core: New directive RegisterHttpMethod for registering non-standard HTTP methods. [Stefan Fritsch] + *) core: Limit to ten the number of tolerated empty lines between request. + [Yann Ylavic] + + *) core: reject NULLs in request line or request headers. + PR 43039 [Nick Kew] + + *) mod_proxy: Use the correct server name for SNI in case the backend + SSL connection itself is established via a proxy server. + PR 57139 [Szabolcs Gyurko ] + *) Fix potential rejection of valid MaxMemFree and ThreadStackSize directives. [Mike Rumph ] *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3. [Kaspar Brand] - *) core: Limit to ten the number of tolerated empty lines between request. - [Yann Ylavic] - - *) Core: reject NULLs in request line or request headers. - PR 43039 [Nick Kew] - *) mod_proxy: Correctly consider error response codes by the backend when processing failonstatus. PR 59869 [Ruediger Pluem]
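Review bot: In the first hunk (@@ -6,19 +6,15 @@), the re-added httpoxy entry keeps a stray space before the comma in "[Dominic Scheirlinck , Yann Ylavic]", which looks like a stripped e-mail address; since the line is being rewritten anyway, either restore the address or drop the space so the attribution matches the "[William Rowe, Stefan Fritsch]" form used just above it. The retitling from "core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues" to "core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues" is the only wording change in this hunk and is consistent with the note that the identifier names the mitigation rather than a vulnerability; the removed mod_proxy SNI entry has no replacement in this hunk, so a reader of this hunk alone cannot tell whether it was dropped or moved, and a one-line log message stating that the entries are being reordered within the 2.2.32 section would make the intent clear.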
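Review bot: In the second hunk (@@ -40,18 +36,22 @@), the re-added line "*) core: Limit to ten the number of tolerated empty lines between request." should read "between requests." since the line is already being touched, and "[Szabolcs Gyurko ]" carries the same stray space before the closing bracket as the first hunk's attribution. The added text otherwise matches the removed text apart from "Core:" being lowercased to "core:" in the NULLs entry, which brings it in line with the other core entries; a quick diff of the "-" and "+" blocks confirms no entry text is lost in the move, so nothing further is needed beyond the two typographical points.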