From: Bill Stoddard Date: Tue, 2 Oct 2001 19:35:30 +0000 (+0000) Subject: For the recent mod_negotiation patch X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5c0465188af2c709cbc8425ff79c4dedf3c59a6b;p=thirdparty%2Fapache%2Fhttpd.git For the recent mod_negotiation patch git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@91237 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/src/CHANGES b/src/CHANGES index 3bae7399a4f..584af9fb793 100644 --- a/src/CHANGES +++ b/src/CHANGES @@ -1,4 +1,12 @@ Changes with Apache 1.3.21 + *) Security: Close autoindex /?M=D directory listing hole reported + in bugtraq id 3009. In some configurations where multiviews and + indexes are enabled for a directory, requesting URI /?M=D could + result in a directory listing being returned to the client rather + than the negotiated index.html variant that was configured and + expected. The work around for this problem (for pre 1.3.21 + releases) is to disable Indexes or Multiviews in the affected + directories. [Bill Stoddard, Bill Rowe] *) Enabled Win32/OS2/Netware file paths (not / rooted, but c:/ rooted) as arguments for mod_vhost_alias'es directives. [William Rowe]
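Review bot: The added src/CHANGES entry never names the module that carries the fix. The commit subject says this is for the recent mod_negotiation patch, but the entry describes only the symptom ("Close autoindex /?M=D directory listing hole"), so someone reading CHANGES cannot tell which module to diff or backport. If mod_negotiation is where the fix landed, say so in the first sentence of the entry. Two smaller points in the same added lines: the credit reads "Bill Rowe" while the unchanged entry just below it credits "[William Rowe]", so one form should be used throughout; and "The work around for this problem" uses the phrase as a noun, so it should read "workaround".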