From: William A. Rowe Jr Date: Mon, 9 Jan 2017 16:23:51 +0000 (+0000) Subject: ** NOTE: the vendor states "This mitigation has been assigned the identifier X-Git-Tag: 2.4.26~383 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=78213fd4cc088982096d4afb3fedc21bae6131eb;p=thirdparty%2Fapache%2Fhttpd.git ** NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability. ** git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1778007 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index b109fe1c120..bdfffe218dc 100644 --- a/CHANGES +++ b/CHANGES @@ -41,10 +41,6 @@ Changes with Apache 2.4.24 (not released) [Naveen Tiwari and CDF/SEFCOM at Arizona State University, Stefan Eissing] - *) SECURITY: CVE-2016-5387 (cve.mitre.org) - core: Mitigate [f]cgi "httpoxy" issues. - [Dominic Scheirlinck , Yann Ylavic] - *) SECURITY: CVE-2016-2161 (cve.mitre.org) mod_auth_digest: Prevent segfaults during client entry allocation when the shared memory space is exhausted. @@ -66,6 +62,9 @@ Changes with Apache 2.4.24 (not released) pollution by malicious clients, upstream servers or faulty modules. [Stefan Fritsch, Eric Covener, Yann Ylavic] + *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues. + [Dominic Scheirlinck , Yann Ylavic] + *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of looping RewriteRules when the local path significantly exceeds LimitRequestLine. PR 60478. [Jeff Wheelhouse ]
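Review bot: In the first CHANGES hunk (@@ -41,10 +41,6), removing the entry from the run of "SECURITY:" items means anyone who enumerates the security-relevant changes in 2.4.24 by scanning for that prefix will no longer find the httpoxy mitigation. The commit message gives the reason (the identifier was assigned to a mitigation, not to a vulnerability), but nothing in CHANGES records it. If the move is intended, say so in the commit subject, which as shown reads like a pasted note and does not describe the change being made to CHANGES.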
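Review bot: In the second CHANGES hunk (@@ -66,6 +62,9), the re-added line `*) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.` cites the CVE identifier inline without saying that it names a mitigation, which is the distinction this commit exists to make. A reader of CHANGES alone cannot tell why this CVE-tagged entry lacks the "SECURITY:" prefix and the "(cve.mitre.org)" reference that the CVE-2016-2161 entry in the previous hunk keeps. Consider wording that carries the distinction, for example `*) core: Mitigate [f]cgi "httpoxy" issues (mitigation identifier CVE-2016-5387).`, so the entry is self-explanatory without the commit log.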