From: Eric Covener Date: Sat, 1 Nov 2014 18:01:31 +0000 (+0000) Subject: restore SECURITY to top X-Git-Tag: 2.4.11~198 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6187f028d9c8f69f405691f4d7843d950798eec9;p=thirdparty%2Fapache%2Fhttpd.git restore SECURITY to top git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1636006 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index e0c5b3c1461..f89bb8806aa 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,17 @@ Changes with Apache 2.4.11 + *) SECURITY: CVE-2014-3581 (cve.mitre.org) + mod_cache: Avoid a crash when Content-Type has an empty value. + PR 56924. [Mark Montague , Jan Kaluza] + + *) SECURITY: CVE-2013-5704 (cve.mitre.org) + core: HTTP trailers could be used to replace HTTP headers + late during request processing, potentially undoing or + otherwise confusing modules that examined or modified + request headers earlier. Adds "MergeTrailers" directive to restore + legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener] + *) mod_proxy_connect: Fix ProxyRemote to https:// backends on EBCDIC systems. PR 57092 [Edward Lu ] @@ -35,17 +46,6 @@ Changes with Apache 2.4.11 *) mod_dav: Set r->status_line in dav_error_response. PR 55426. - *) SECURITY: CVE-2014-3581 (cve.mitre.org) - mod_cache: Avoid a crash when Content-Type has an empty value. - PR 56924. [Mark Montague , Jan Kaluza] - - *) SECURITY: CVE-2013-5704 (cve.mitre.org) - core: HTTP trailers could be used to replace HTTP headers - late during request processing, potentially undoing or - otherwise confusing modules that examined or modified - request headers earlier. Adds "MergeTrailers" directive to restore - legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener] - *) mod_proxy_http: Avoid (unlikely) access to freed memory. [Yann Ylavic] *) http_protocol: fix logic in ap_method_list_(add|remove) in order:
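Review bot: In the first hunk (@@ -2,6 +2,17 @@), the CVE-2013-5704 entry that now leads the 2.4.11 section ends with 'Adds "MergeTrailers" directive to restore legacy behavior' without stating the directive's default or that restoring legacy behavior brings back the trailer-over-header replacement the same entry describes. Since this commit makes the entry the most visible item in the release notes, consider extending that sentence to name the default and to say that enabling the directive re-exposes modules that examined or modified request headers earlier.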
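Review bot: The log message "restore SECURITY to top" does not say that the second hunk (@@ -35,17 +46,6 @@) is a pure move, which is the one thing someone auditing a SECURITY changelog edit needs to confirm. The CVE-2014-3581 and CVE-2013-5704 entries removed from between the mod_dav and mod_proxy_http items match the lines added in the first hunk word for word, so a short addition such as "no content change" in the message would let readers skip the manual comparison. It would also help to mention that SECURITY entries are meant to lead the release section, since the message assumes the reader knows that convention.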